From b188679f19b420db952a59a95099a9484e379f05 Mon Sep 17 00:00:00 2001
From: yuyx <237899745@qq.com>
Date: Tue, 25 Nov 2025 12:21:11 +0800
Subject: [PATCH] =?UTF-8?q?=F0=9F=90=9B=20=E4=BF=AE=E5=A4=8D=E9=82=AE?=
 =?UTF-8?q?=E7=AE=B1=E9=AA=8C=E8=AF=81=E9=93=BE=E6=8E=A5=E6=97=A0=E6=95=88?=
 =?UTF-8?q?=E7=9A=84=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- 修复 UserDB.create() 中 verification_token 未哈希存储的bug
- 注册时的token现在会进行SHA256哈希，与验证时的逻辑保持一致
- 解决"无效或已过期的验证链接"错误

问题原因：注册时存储原文token，验证时用哈希后的token匹配，导致永远匹配不上

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 backend/database.js | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/backend/database.js b/backend/database.js
index 42b0d9f..7ffe770 100644
--- a/backend/database.js
+++ b/backend/database.js
@@ -192,6 +192,11 @@ const UserDB = {
 
     const hasFtpConfig = userData.ftp_host && userData.ftp_user && userData.ftp_password ? 1 : 0;
 
+    // 对验证令牌进行哈希存储（与 VerificationDB.setVerification 保持一致）
+    const hashedVerificationToken = userData.verification_token
+      ? crypto.createHash('sha256').update(userData.verification_token).digest('hex')
+      : null;
+
     const stmt = db.prepare(`
       INSERT INTO users (
         username, email, password,
@@ -212,7 +217,7 @@ const UserDB = {
       userData.http_download_base_url || null,
       hasFtpConfig,
       userData.is_verified !== undefined ? userData.is_verified : 0,
-      userData.verification_token || null,
+      hashedVerificationToken,
       userData.verification_expires_at || null
     );