From 5304c30fb98747110dc21d2ced62c04725282193 Mon Sep 17 00:00:00 2001 From: veypi Date: Mon, 16 Feb 2026 04:53:07 +0800 Subject: [PATCH] fix(api/verification): validate purpose parameter Add validation for the 'purpose' parameter in verification code requests to ensure only allowed values are accepted. Valid purposes: register, login, reset_password, bind Invalid purposes will be rejected with 400 Bad Request. --- api/verification/send.go | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/api/verification/send.go b/api/verification/send.go index 8672474..69cacdd 100644 --- a/api/verification/send.go +++ b/api/verification/send.go @@ -43,6 +43,17 @@ func sendCode(x *vigo.X, req *SendRequest) (*SendResponse, error) { req.Purpose = models.CodePurposeLogin } + // 验证用途是否合法 + validPurposes := map[string]bool{ + models.CodePurposeRegister: true, + models.CodePurposeLogin: true, + models.CodePurposeResetPassword: true, + models.CodePurposeBind: true, + } + if !validPurposes[req.Purpose] { + return nil, vigo.ErrInvalidArg.WithString("invalid purpose") + } + db := cfg.DB() // 检查发送频率限制
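Review bot: The allow-list built by `validPurposes := map[string]bool{` is reconstructed on every call and exists only in this handler, so it can drift from the `models.CodePurpose*` constants when a purpose is added or retired. Hoist it to a package-level set, e.g. `var validPurposes = map[string]struct{}{ ... }` checked with `if _, ok := validPurposes[req.Purpose]; !ok {`, or use a `switch req.Purpose` whose `default` branch returns the same `vigo.ErrInvalidArg`. Better still, keep the set next to the constants in `models` so any other code that validates a purpose shares one definition. The check only establishes that the value is a known purpose. Whether purpose-specific preconditions are enforced (for example an authenticated session for `bind`) cannot be seen here, because sendCode starts and ends outside the hunk.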