fix: 对齐 authz 认证链路

app/authz/adapter/authz.go

@@ -114,10 +114,18 @@ func deny(code codepb.Code, httpCode typev3.StatusCode, message string) *authv3.
 }
 
 func isPublicPath(path string) bool {
-	if path == "/healthz" || path == "/api/users/login" || path == "/api/users/register" {
+	switch path {
+	case "/healthz",
+		"/api/v1/auth/login",
+		"/api/v1/auth/register",
+		"/api/v1/auth/forgot-password",
+		"/api/v1/auth/reset-password",
+		"/api/v1/auth/forgot-password/send",
+		"/api/v1/email/verification-code/send":
 		return true
+	default:
+		return false
 	}
-	return false
 }
 
 func getHeader(headers map[string]string, key string) string {

app/users/rpc/internal/logic/validateTokenLogic.go

@@ -30,13 +30,16 @@ func NewValidateTokenLogic(ctx context.Context, svcCtx *svc.ServiceContext) *Val
 
 func (l *ValidateTokenLogic) ValidateToken(in *pb.ValidateTokenReq) (*pb.ValidateTokenResp, error) {
 
-	_, err := l.svcCtx.JwtManager.Valid(l.ctx, in.Token)
+	payload, err := l.svcCtx.JwtManager.Valid(l.ctx, in.Token)
 	if err != nil {
 		return nil, err
 	}
+	if payload == nil || payload.UserId != in.UserId {
+		return nil, errors.New("token user mismatch")
+	}
 	//users, err := l.svcCtx.UsersModelRO.FindOne(l.ctx, in.UserId)
 	user, err := l.svcCtx.UsersModelRO.Users.Query().
-		Where(users.IDEQ(in.UserId)).
+		Where(users.IDEQ(payload.UserId)).
 		Select(users.FieldCurrentRole).
 		First(l.ctx)
 	if err != nil {
@@ -52,7 +55,7 @@ func (l *ValidateTokenLogic) ValidateToken(in *pb.ValidateTokenReq) (*pb.Validat
 	return &pb.ValidateTokenResp{
 		Valid:    true,
 		Message:  "OK",
-		UserId:   in.UserId,
+		UserId:   payload.UserId,
 		RoleType: string(userJson),
 	}, nil
 }