From 16da1d20f0152104d7e462caca0d2a94978732a6 Mon Sep 17 00:00:00 2001
From: hailin
Date: Thu, 26 Feb 2026 09:01:33 -0800
Subject: [PATCH] =?UTF-8?q?fix(auth):=20=E4=BF=AE=E5=A4=8D=E8=AE=BE?= =?UTF-8?q?=E7=BD=AE=E6=94=AF=E4=BB=98=E5=AF=86=E7=A0=81=E6=97=B6=E6=8A=A5?= =?UTF-8?q?=E9=94=99=E7=9A=84=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

支付密码是6位纯数字,但 setTradePassword 调用了 Password.create() 走了登录密码的格式验证(要求≥8位+字母+数字),导致必然抛出异常。 新增 Password.createWithoutValidation() 方法,仅做 bcrypt hash 不走格式验证。支付密码的格式验证由 trade-password.service.ts 独立处理。
Co-Authored-By: Claude Opus 4.6
---
 .../auth-service/src/domain/aggregates/user.aggregate.ts | 4 ++--
 .../auth-service/src/domain/value-objects/password.vo.ts | 8 ++++++++
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/backend/services/auth-service/src/domain/aggregates/user.aggregate.ts b/backend/services/auth-service/src/domain/aggregates/user.aggregate.ts
index 837965b1..39e24a72 100644
--- a/backend/services/auth-service/src/domain/aggregates/user.aggregate.ts
+++ b/backend/services/auth-service/src/domain/aggregates/user.aggregate.ts
@@ -251,10 +251,10 @@ export class UserAggregate {
 }

 /**
- * 设置支付密码
+ * 设置支付密码(6位数字,使用独立的哈希逻辑,不走登录密码的格式验证)
 */
 async setTradePassword(newPlainPassword: string): Promise {
- const password = await Password.create(newPlainPassword);
+ const password = await Password.createWithoutValidation(newPlainPassword);
 this._tradePasswordHash = password.hash;
 this._updatedAt = new Date();
 }
diff --git a/backend/services/auth-service/src/domain/value-objects/password.vo.ts b/backend/services/auth-service/src/domain/value-objects/password.vo.ts
index dfb6f06d..7d84b17b 100644
--- a/backend/services/auth-service/src/domain/value-objects/password.vo.ts
+++ b/backend/services/auth-service/src/domain/value-objects/password.vo.ts
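Review bot: In `setTradePassword` the aggregate now hashes whatever string it is handed, so the 6-digit rule named in the new doc comment is not enforced anywhere in the domain layer; it lives only in trade-password.service.ts, which this patch does not show. Any other caller of the aggregate, or a later change to that service, could persist the hash of an empty or arbitrary string as a payment credential. Consider keeping the invariant next to the state it protects with a guard ahead of the hash call, for example `if (!/^\d{6}$/.test(newPlainPassword)) throw new Error('trade password must be exactly 6 digits');`, using whichever exception type the aggregate already throws. The class body continues outside the hunk.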
@@ -20,6 +20,14 @@ export class Password {
 return new Password(hash);
 }

+ /**
+ * 从明文密码创建(跳过格式验证,用于支付密码等有独立验证规则的场景)
+ */
+ static async createWithoutValidation(plainPassword: string): Promise {
+ const hash = await bcrypt.hash(plainPassword, Password.SALT_ROUNDS);
+ return new Password(hash);
+ }
+
 /**
 * 从已加密的 hash 重建
 */
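Review bot: `createWithoutValidation` is a public static on the general-purpose `Password` value object, so login-password code paths can call it and skip the strength policy that `Password.create()` enforces, and nothing in the signature stops that. A dedicated `TradePassword` value object that validates the six digits itself would remove the bypass; failing that, give the method a name that states its single purpose and extend the doc comment with a line such as `Must not be used for login passwords; callers are responsible for validating the input first.` Separately, a six-digit PIN has only 10^6 possible values, so the bcrypt hash gives little protection if the stored hash is ever disclosed. The effective control is attempt limiting and lockout on the verification path, which is not visible in this patch and is worth confirming. The class body continues outside the hunk.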