ResetPasswordByPhone and ResetPassword now immediately consume
(delete) the verification code/token after successful validation,
before proceeding with password reset. This prevents replay attacks
where the same code could be used multiple times.
Security fix: delete the verification code/token immediately after it passes validation, to prevent replay attacks
- G115 (integer overflow): Added nosec comments for safe type conversions
where values are bounded by design (e.g., rng.Intn(255) returns 0-254)
- G118 (context.Background): Added nosec for intentional async goroutines
that use WithTimeout for bounded execution after request completes
Note: G101 (hardcoded credentials) warnings are low-confidence false
positives - OAuth fields use getEnv() to read from environment.
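
One way to make a reset code single-use, as an added example that is not this project's code: the check and the delete run under one lock, so concurrent replays of the same code produce exactly one acceptance. `CodeStore`, `Consume`, `ReplayCount` and the sample phone number and code are hypothetical.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"sync"
	"sync/atomic"
)

// CodeStore is a hypothetical in-memory store of reset codes keyed by phone number.
type CodeStore struct {
	mu    sync.Mutex
	codes map[string]string
}

// Consume checks and deletes the code inside one critical section, so a code
// is accepted at most once even when the same request is replayed concurrently.
func (s *CodeStore) Consume(phone, code string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	want, ok := s.codes[phone]
	if !ok || subtle.ConstantTimeCompare([]byte(want), []byte(code)) != 1 {
		return false
	}
	delete(s.codes, phone) // gone before any password change is attempted
	return true
}

// ReplayCount submits one constructed code n times concurrently and returns
// how many submissions were accepted.
func ReplayCount(n int) int32 {
	// Constructed sample values, not taken from the project.
	s := &CodeStore{codes: map[string]string{"+10000000000": "482913"}}
	var wg sync.WaitGroup
	var accepted int32
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			if s.Consume("+10000000000", "482913") {
				atomic.AddInt32(&accepted, 1)
			}
		}()
	}
	wg.Wait()
	return accepted
}

func main() { fmt.Println("accepted:", ReplayCount(50)) }
```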