feat: add email verify code endpoint and require code on register

- POST /v1/user/email/code sends a 6-digit verify code via email (rate-limited, 10min TTL)
- RegisterByEmail now validates verify_code before creating the account
- Added email code cache helpers mirroring SMS pattern
- Added error codes 1007 (email code error) and 1008 (send limit)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

internal/service/user_service.go

@@ -14,6 +14,7 @@ import (
 	"gitea.com/texpixel/document_ai/internal/storage/cache"
 	"gitea.com/texpixel/document_ai/internal/storage/dao"
 	"gitea.com/texpixel/document_ai/pkg/common"
+	"gitea.com/texpixel/document_ai/pkg/email"
 	"gitea.com/texpixel/document_ai/pkg/log"
 	"gitea.com/texpixel/document_ai/pkg/sms"
 	"golang.org/x/crypto/bcrypt"
@@ -115,14 +116,57 @@ func (svc *UserService) GetUserInfo(ctx context.Context, uid int64) (*dao.User,
 	return user, nil
 }
 
-func (svc *UserService) RegisterByEmail(ctx context.Context, email, password string) (uid int64, err error) {
-	existingUser, err := svc.userDao.GetByEmail(dao.DB.WithContext(ctx), email)
+func (svc *UserService) SendEmailVerifyCode(ctx context.Context, emailAddr string) error {
+	limit, err := cache.GetUserSendEmailLimit(ctx, emailAddr)
+	if err != nil {
+		log.Error(ctx, "func", "SendEmailVerifyCode", "msg", "get send email limit error", "error", err)
+		return err
+	}
+	if limit >= cache.UserSendEmailLimitCount {
+		return common.ErrEmailSendLimit
+	}
+
+	code := fmt.Sprintf("%06d", rand.Intn(1000000))
+
+	subject := "Your verification code"
+	body := fmt.Sprintf("Your verification code is: %s\nIt will expire in 10 minutes.", code)
+	if err := email.Send(ctx, emailAddr, subject, body); err != nil {
+		log.Error(ctx, "func", "SendEmailVerifyCode", "msg", "send email error", "error", err)
+		return err
+	}
+
+	if cacheErr := cache.SetUserEmailCode(ctx, emailAddr, code); cacheErr != nil {
+		log.Error(ctx, "func", "SendEmailVerifyCode", "msg", "set email code error", "error", cacheErr)
+	}
+	if cacheErr := cache.SetUserSendEmailLimit(ctx, emailAddr); cacheErr != nil {
+		log.Error(ctx, "func", "SendEmailVerifyCode", "msg", "set send email limit error", "error", cacheErr)
+	}
+	return nil
+}
+
+func (svc *UserService) RegisterByEmail(ctx context.Context, emailAddr, password, verifyCode string) (uid int64, err error) {
+	storedCode, err := cache.GetUserEmailCode(ctx, emailAddr)
+	if err != nil {
+		log.Error(ctx, "func", "RegisterByEmail", "msg", "get email code error", "error", err)
+		return 0, err
+	}
+	if storedCode == "" || storedCode != verifyCode {
+		return 0, common.ErrEmailCodeError
+	}
+
+	_ = cache.DeleteUserEmailCode(ctx, emailAddr)
+
+	return svc.registerByEmailInternal(ctx, emailAddr, password)
+}
+
+func (svc *UserService) registerByEmailInternal(ctx context.Context, emailAddr, password string) (uid int64, err error) {
+	existingUser, err := svc.userDao.GetByEmail(dao.DB.WithContext(ctx), emailAddr)
 	if err != nil {
 		log.Error(ctx, "func", "RegisterByEmail", "msg", "get user by email error", "error", err)
 		return 0, err
 	}
 	if existingUser != nil {
-		log.Warn(ctx, "func", "RegisterByEmail", "msg", "email already registered", "email", email)
+		log.Warn(ctx, "func", "RegisterByEmail", "msg", "email already registered", "email", emailAddr)
 		return 0, common.ErrEmailExists
 	}
 
@@ -133,7 +177,7 @@ func (svc *UserService) RegisterByEmail(ctx context.Context, email, password str
 	}
 
 	user := &dao.User{
-		Email:    email,
+		Email:    emailAddr,
 		Password: string(hashedPassword),
 	}
 	err = svc.userDao.Create(dao.DB.WithContext(ctx), user)