feat: replace sha1 with sha256

This commit is contained in:
hans362 2026-03-11 16:47:49 +08:00
parent 5b482f2468
commit 3439917b33
No known key found for this signature in database
GPG Key ID: B186D77ABEC2A785
4 changed files with 8 additions and 8 deletions

View File

@ -350,14 +350,14 @@ class AuthController extends Controller
throw new PrettyPageException(trans('user.verification.disabled'), 1);
}
abort_unless($request->hasValidSignature(false) && hash_equals((string)$request->route('hash'), sha1($user->email)), 403, trans('auth.verify.invalid'));
abort_unless($request->hasValidSignature(false) && hash_equals((string)$request->route('hash'), hash('sha256', $user->email)), 403, trans('auth.verify.invalid'));
return view('auth.verify');
}
public function handleVerify(Request $request, User $user)
{
abort_unless($request->hasValidSignature(false) && hash_equals((string)$request->route('hash'), sha1($user->email)), 403, trans('auth.verify.invalid'));
abort_unless($request->hasValidSignature(false) && hash_equals((string)$request->route('hash'), hash('sha256', $user->email)), 403, trans('auth.verify.invalid'));
['email' => $email] = $request->validate(['email' => 'required|email']);

View File

@ -157,7 +157,7 @@ class UserController extends Controller
return json(trans('user.verification.verified'), 1);
}
$url = URL::temporarySignedRoute('auth.verify', Carbon::now()->addHour(), ['user' => $user, 'hash' => sha1($user->email)], false);
$url = URL::temporarySignedRoute('auth.verify', Carbon::now()->addHour(), ['user' => $user, 'hash' => hash('sha256', $user->email)], false);
try {
Mail::to($user->email)->send(new EmailVerification(url($url)));

View File

@ -13,7 +13,7 @@ class SendEmailVerification
public function handle(User $user)
{
if (option('require_verification')) {
$url = URL::temporarySignedRoute('auth.verify', Carbon::now()->addHour(), ['user' => $user, 'hash' => sha1($user->email)], false);
$url = URL::temporarySignedRoute('auth.verify', Carbon::now()->addHour(), ['user' => $user, 'hash' => hash('sha256', $user->email)], false);
try {
Mail::to($user->email)->send(new EmailVerification(url($url)));

View File

@ -724,7 +724,7 @@ class AuthControllerTest extends TestCase
public function testVerify()
{
$url = URL::temporarySignedRoute('auth.verify', Carbon::now()->addHour(), ['user' => 1, 'hash' => sha1('a@b.c')], false);
$url = URL::temporarySignedRoute('auth.verify', Carbon::now()->addHour(), ['user' => 1, 'hash' => hash('sha256', 'a@b.c')], false);
// should be forbidden if account verification is disabled
option(['require_verification' => false]);
@ -732,17 +732,17 @@ class AuthControllerTest extends TestCase
option(['require_verification' => true]);
// invalid link
$this->get(route('auth.verify', ['user' => 1, 'hash' => sha1('a@b.c')]))->assertForbidden();
$this->get(route('auth.verify', ['user' => 1, 'hash' => hash('sha256', 'a@b.c')]))->assertForbidden();
$user = User::factory()->create(['verified' => false]);
$url = URL::temporarySignedRoute('auth.verify', Carbon::now()->addHour(), ['user' => $user, 'hash' => sha1($user->email)], false);
$url = URL::temporarySignedRoute('auth.verify', Carbon::now()->addHour(), ['user' => $user, 'hash' => hash('sha256', $user->email)], false);
$this->get($url)->assertViewIs('auth.verify');
}
public function testHandleVerify()
{
$user = User::factory()->create(['verified' => false]);
$url = URL::temporarySignedRoute('auth.verify', Carbon::now()->addHour(), ['user' => $user, 'hash' => sha1($user->email)], false);
$url = URL::temporarySignedRoute('auth.verify', Carbon::now()->addHour(), ['user' => $user, 'hash' => hash('sha256', $user->email)], false);
// empty email
$this->post($url, [], ['Referer' => $url])->assertRedirect($url);