feat(comments): enforce guest email anonymity rules

Add guest email validation with anonymous-mode exceptions and persist guestEmail/guestIsAnonymous in comment creation. Update comment form to collect anonymous and email fields for guests and reset them after successful submit. Made-with: Cursor
3 weeks ago · b7c87d2d95
6 changed files with 75 additions and 1 deletions
--- a/app/components/PostComments.vue
+++ b/app/components/PostComments.vue
@ -81,6 +81,8 @@ function flattenTree(nodes: CommentNode[], depth = 0): Array<{ node: CommentNode
 const replyToId = ref<number | null>(null)
 const draftBody = ref('')
 const guestName = ref('')
 const guestEmail = ref('')
 const guestIsAnonymous = ref(false)
 const submitting = ref(false)
 function authorLine(node: CommentNode): string {
@ -129,6 +131,10 @@ async function submitComment() {
      toast.add({ title: '请填写昵称', color: 'error' })
      return
    }
    if (!guestIsAnonymous.value && !guestEmail.value.trim()) {
      toast.add({ title: '请填写邮箱', color: 'error' })
      return
    }
  }
  submitting.value = true
@ -136,7 +142,13 @@ async function submitComment() {
    const payload = {
      parentId: replyToId.value,
      body: draftBody.value,
-      ...(loggedIn.value ? {} : { guestDisplayName: guestName.value.trim() }),
+      ...(loggedIn.value
        ? {}
        : {
            guestDisplayName: guestName.value.trim(),
            guestEmail: guestEmail.value.trim(),
            guestIsAnonymous: guestIsAnonymous.value,
          }),
    }
    await fetchData<{ id: number }>(`${base}/comments`, {
@ -146,6 +158,8 @@ async function submitComment() {
    draftBody.value = ''
    guestName.value = ''
    guestEmail.value = ''
    guestIsAnonymous.value = false
    replyToId.value = null
    await refreshComments()
    toast.add({ title: '评论已发送', color: 'success' })
@ -223,6 +237,14 @@ async function submitComment() {
      </template>
      <template v-else>
        <UInput v-model="guestName" placeholder="你的昵称" class="w-full max-w-md" />
        <UInput
          v-model="guestEmail"
          type="email"
          :required="!guestIsAnonymous"
          :placeholder="guestIsAnonymous ? '你的邮箱（匿名时可选）' : '你的邮箱（必填）'"
          class="w-full max-w-md"
        />
        <UCheckbox v-model="guestIsAnonymous" label="匿名评论" />
        <UTextarea v-model="draftBody" placeholder="写下你的评论…" :rows="4" class="w-full" />
        <UButton :loading="submitting" label="发表" @click="submitComment" />
      </template>
--- a/server/api/public/profile/[publicSlug]/posts/[postSlug]/comments.post.ts
+++ b/server/api/public/profile/[publicSlug]/posts/[postSlug]/comments.post.ts
@ -26,6 +26,8 @@ export default defineEventHandler(async (event) => {
  const body = await readBody<{
    parentId?: number | null;
    guestDisplayName?: string;
    guestEmail?: string;
    guestIsAnonymous?: boolean;
    body: unknown;
  }>(event);
@ -48,6 +50,8 @@ export default defineEventHandler(async (event) => {
    parentId,
    viewer,
    guestDisplayName: typeof body.guestDisplayName === "string" ? body.guestDisplayName : undefined,
    guestEmail: typeof body.guestEmail === "string" ? body.guestEmail : undefined,
    guestIsAnonymous: body.guestIsAnonymous === true,
    body: body.body,
  });
--- a/server/api/public/unlisted/[publicSlug]/[shareToken]/comments.post.ts
+++ b/server/api/public/unlisted/[publicSlug]/[shareToken]/comments.post.ts
@ -26,6 +26,8 @@ export default defineEventHandler(async (event) => {
  const body = await readBody<{
    parentId?: number | null;
    guestDisplayName?: string;
    guestEmail?: string;
    guestIsAnonymous?: boolean;
    body: unknown;
  }>(event);
@ -48,6 +50,8 @@ export default defineEventHandler(async (event) => {
    parentId,
    viewer,
    guestDisplayName: typeof body.guestDisplayName === "string" ? body.guestDisplayName : undefined,
    guestEmail: typeof body.guestEmail === "string" ? body.guestEmail : undefined,
    guestIsAnonymous: body.guestIsAnonymous === true,
    body: body.body,
  });
--- a/server/service/post-comments/index.ts
+++ b/server/service/post-comments/index.ts
@ -7,6 +7,7 @@ import {
  GuestCommentValidationError,
  normalizeGuestDisplayName,
  validateGuestCommentBody,
  validateGuestCommentEmail,
 } from "#server/utils/post-comment-guest";
 import type { MinimalUser } from "#server/service/auth";
@ -128,6 +129,8 @@ export async function createComment(input: {
  parentId: number | null;
  viewer: MinimalUser | null;
  guestDisplayName?: string;
  guestEmail?: string;
  guestIsAnonymous?: boolean;
  body: string;
 }): Promise<number> {
  if (input.parentId != null) {
@ -144,6 +147,8 @@ export async function createComment(input: {
  let kind: string;
  let authorUserId: number | null;
  let guestDisplayName: string | null;
  let guestEmail: string | null;
  let guestIsAnonymous: boolean;
  let body: string;
  if (input.viewer != null) {
@ -157,10 +162,14 @@ export async function createComment(input: {
    kind = "user";
    authorUserId = input.viewer.id;
    guestDisplayName = null;
    guestEmail = null;
    guestIsAnonymous = false;
  } else {
    try {
      guestIsAnonymous = input.guestIsAnonymous === true;
      guestDisplayName = normalizeGuestDisplayName(input.guestDisplayName ?? "");
      body = validateGuestCommentBody(input.body);
      guestEmail = validateGuestCommentEmail(input.guestEmail, guestIsAnonymous);
    } catch (e) {
      if (e instanceof GuestCommentValidationError) {
        throw createError({ statusCode: 400, statusMessage: e.message });
@ -178,6 +187,8 @@ export async function createComment(input: {
    parentId: input.parentId,
    authorUserId,
    guestDisplayName,
    guestEmail,
    guestIsAnonymous,
    body,
    kind,
  });
--- a/server/utils/post-comment-guest.test.ts
+++ b/server/utils/post-comment-guest.test.ts
@ -2,6 +2,7 @@ import { describe, expect, test } from "bun:test";
 import {
  GuestCommentValidationError,
  normalizeGuestDisplayName,
  validateGuestCommentEmail,
  validateGuestCommentBody,
 } from "./post-comment-guest";
@ -36,3 +37,21 @@ describe("validateGuestCommentBody", () => {
    expect(() => validateGuestCommentBody("z".repeat(501))).toThrow(GuestCommentValidationError);
  });
 });
 describe("validateGuestCommentEmail", () => {
  test("accepts empty email when anonymous", () => {
    expect(validateGuestCommentEmail("", true)).toBeNull();
  });
  test("requires email when not anonymous", () => {
    expect(() => validateGuestCommentEmail("", false)).toThrow(GuestCommentValidationError);
  });
  test("rejects invalid email when not anonymous", () => {
    expect(() => validateGuestCommentEmail("invalid-email", false)).toThrow(GuestCommentValidationError);
  });
  test("accepts valid email when not anonymous", () => {
    expect(validateGuestCommentEmail("  guest@example.com  ", false)).toBe("guest@example.com");
  });
 });
--- a/server/utils/post-comment-guest.ts
+++ b/server/utils/post-comment-guest.ts
@ -36,3 +36,17 @@ export function validateGuestCommentBody(raw: string): string {
  }
  return t;
 }
 export function validateGuestCommentEmail(raw: string | undefined, guestIsAnonymous: boolean): string | null {
  const t = (raw ?? "").trim();
  if (guestIsAnonymous && !t) {
    return null;
  }
  if (!t) {
    throw new GuestCommentValidationError("请填写邮箱");
  }
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(t)) {
    throw new GuestCommentValidationError("邮箱格式不合法");
  }
  return t;
 }