安全修复: 收敛认证与日志风险并补充基础测试

routes/api_auth.py

@@ -201,8 +201,8 @@ def _send_login_security_alert_if_needed(user: dict, username: str, client_ip: s
             new_device=context.get("new_device", False),
             user_id=user["id"],
         )
-    except Exception:
-        pass
+    except Exception as e:
+        logger.warning(f"发送登录安全提醒失败: user_id={user.get('id')}, error={e}")
 
 
 def _parse_credential_payload(data: dict) -> dict | None:
@@ -308,10 +308,9 @@ def verify_email(token):
     if result:
         token_id = result["token_id"]
         user_id = result["user_id"]
-        email = result["email"]
 
         if not database.approve_user(user_id):
-            logger.error(f"用户邮箱验证失败: 用户审核更新失败 user_id={user_id}, email={email}")
+            logger.error(f"用户邮箱验证失败: 用户审核更新失败 user_id={user_id}")
             error_message = "验证处理失败，请稍后重试"
             spa_initial_state = {
                 "page": "verify_result",
@@ -333,9 +332,9 @@ def verify_email(token):
             database.set_user_vip(user_id, auto_approve_vip_days)
 
         if not email_service.consume_email_token(token_id):
-            logger.warning(f"用户邮箱验证后Token消费失败: token_id={token_id}, user_id={user_id}")
+            logger.warning(f"用户邮箱验证后Token消费失败: user_id={user_id}")
 
-        logger.info(f"用户邮箱验证成功: user_id={user_id}, email={email}")
+        logger.info(f"用户邮箱验证成功: user_id={user_id}")
         spa_initial_state = {
             "page": "verify_result",
             "success": True,
@@ -348,7 +347,7 @@ def verify_email(token):
         }
         return render_app_spa_or_legacy("verify_success.html", spa_initial_state=spa_initial_state)
 
-    logger.warning(f"邮箱验证失败: token={token[:20]}...")
+    logger.warning("邮箱验证失败: token无效或已过期")
     error_message = "验证链接无效或已过期，请重新注册或申请重发验证邮件"
     spa_initial_state = {
         "page": "verify_result",