Harden redemption flow and improve operational safety

2026-03-31 08:13:38 +08:00
parent e5bab51f98
commit de130f1052
13 changed files with 1138 additions and 106 deletions
--- a/office365_self_service/templates/user_redemption.html
+++ b/office365_self_service/templates/user_redemption.html
@@ -25,11 +25,16 @@
            </div>
            <div class="mb-3">
                <label class="form-label">用户名</label>
+                {% if settings.default_domain %}
                <div class="input-group">
                    <input type="text" class="form-control" id="usernameInput" placeholder="请输入用户名" required>
                    <span class="input-group-text">@{{ settings.default_domain }}</span>
                </div>
                <div class="form-text">请输入您想要的用户名，将自动拼接域名为完整邮箱地址</div>
+                {% else %}
+                <input type="text" class="form-control" id="usernameInput" placeholder="请输入完整邮箱地址，例如 alice@example.com" required>
+                <div class="form-text">当前未配置默认域名，请直接输入完整邮箱地址。</div>
+                {% endif %}
            </div>
            <button type="submit" class="btn btn-primary w-100" id="redeemBtn">立即开通</button>
        </div>
@@ -50,11 +55,21 @@
            <div class="alert alert-info">
                <strong>提示：</strong>首次登录后系统会要求您更改密码，请使用临时密码登录。
            </div>
+            <div class="alert alert-warning d-none" id="licenseWarning"></div>
            <button class="btn btn-outline-secondary w-100" onclick="location.reload()">开通另一个账号</button>
        </div>
    </div>

    <script>
+        function escapeHtml(value) {
+            return String(value ?? '')
+                .replace(/&/g, '&amp;')
+                .replace(/</g, '&lt;')
+                .replace(/>/g, '&gt;')
+                .replace(/"/g, '&quot;')
+                .replace(/'/g, '&#39;');
+        }
+
        document.getElementById('redeemBtn').addEventListener('click', async () => {
            const code = document.getElementById('codeInput').value.trim();
            const username = document.getElementById('usernameInput').value.trim();
@@ -81,8 +96,16 @@
                    document.getElementById('successResult').classList.remove('d-none');
                    document.getElementById('resultEmail').textContent = data.data.userPrincipalName;
                    document.getElementById('resultPassword').textContent = data.data.temporaryPassword;
+                    const licenseWarning = document.getElementById('licenseWarning');
+                    if (data.data.licenseAssigned === false && data.data.licenseMessage) {
+                        licenseWarning.textContent = data.data.licenseMessage;
+                        licenseWarning.classList.remove('d-none');
+                    } else {
+                        licenseWarning.classList.add('d-none');
+                        licenseWarning.textContent = '';
+                    }
                } else {
-                    document.getElementById('message').innerHTML = `<div class="alert alert-danger">${data.message}</div>`;
+                    document.getElementById('message').innerHTML = `<div class="alert alert-danger">${escapeHtml(data.message)}</div>`;
                    btn.disabled = false;
                    btn.textContent = '立即开通';
                }
@@ -94,4 +117,4 @@
        });
    </script>
 </body>
-</html>
+</html>