fix(auth): 微信登录端点独立限流 30 次/分钟

真机调试首次登录即触发 '请求过于频繁' 错误，根因是微信登录与密码登录共享 5 次/分钟的限制，且 extract_client_ip 在无代理头时返回 'unknown'，所有真机请求共享同一个 rate limit key。修复：将微信登录/绑定路由从 public_routes 拆分为独立的 wechat_routes，使用 30 次/分钟的宽松限流（与 token 刷新一致）。密码登录保持 5 次/分钟的严格限制不变。
2026-06-05 16:33:42 +08:00
parent 976b9d94a0
commit 01a0fffc43
3 changed files with 60 additions and 7 deletions
--- a/crates/erp-auth/src/module.rs
+++ b/crates/erp-auth/src/module.rs
@@ -23,12 +23,23 @@ impl AuthModule {
    /// These routes do not require a valid JWT token.
    /// The caller wraps this into whatever state type the application uses.
    pub fn public_routes<S>() -> Router<S>
+    where
+        crate::auth_state::AuthState: axum::extract::FromRef<S>,
+        S: Clone + Send + Sync + 'static,
+    {
+        Router::new().route("/auth/login", axum::routing::post(auth_handler::login))
+    }
+
+    /// WeChat public routes — separate from login to allow higher rate limits.
+    ///
+    /// Mobile users may retry more frequently, so these use 30 req/min
+    /// instead of the strict 5 req/min for password login.
+    pub fn wechat_routes<S>() -> Router<S>
    where
        crate::auth_state::AuthState: axum::extract::FromRef<S>,
        S: Clone + Send + Sync + 'static,
    {
        Router::new()
-            .route("/auth/login", axum::routing::post(auth_handler::login))
            .route(
                "/auth/wechat/login",
                axum::routing::post(wechat_handler::wechat_login),