From b7ac9bbfa19ff23499a1b750e509e7a4dc7cb974 Mon Sep 17 00:00:00 2001
From: Pig Fang
Date: Mon, 30 Mar 2020 10:01:37 +0800
Subject: [PATCH] add signature check for visiting "reset" page

---
 app/Http/Controllers/AuthController.php | 4 +++-
 .../ControllersTest/AuthControllerTest.php | 16 +++++++++++++---
 2 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/app/Http/Controllers/AuthController.php b/app/Http/Controllers/AuthController.php
index 027bc5d1..3c1143bd 100644
--- a/app/Http/Controllers/AuthController.php
+++ b/app/Http/Controllers/AuthController.php
@@ -279,8 +279,10 @@ class AuthController extends Controller
 return json(trans('auth.forgot.success'), 0);
 }
 
- public function reset($uid)
+ public function reset(Request $request, $uid)
 {
+ abort_unless($request->hasValidSignature(false), 403, trans('auth.reset.invalid'));
+
 return view('auth.reset')->with('user', User::find($uid));
 }
 
diff --git a/tests/HttpTest/ControllersTest/AuthControllerTest.php b/tests/HttpTest/ControllersTest/AuthControllerTest.php
index 48431dc5..a78fdfcf 100644
--- a/tests/HttpTest/ControllersTest/AuthControllerTest.php
+++ b/tests/HttpTest/ControllersTest/AuthControllerTest.php
@@ -602,10 +602,20 @@ class AuthControllerTest extends TestCase
 public function testReset()
 {
 $user = factory(User::class)->create();
+ $url = URL::temporarySignedRoute(
+ 'auth.reset',
+ now()->addHour(),
+ ['uid' => $user->uid],
+ false
+ );
+ $this->get($url)->assertSuccessful();
 
- $this->get(
- URL::temporarySignedRoute('auth.reset', now()->addHour(), ['uid' => $user->uid])
- )->assertSuccessful();
+ $url = URL::temporarySignedRoute(
+ 'auth.reset',
+ now()->addHour(),
+ ['uid' => $user->uid]
+ );
+ $this->get($url)->assertForbidden();
 }
 
 public function testHandleReset()
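Review bot: `User::find($uid)` on the line after the new guard still returns null when the signed uid no longer exists (account deleted after the link was issued), so the view is rendered with `user => null` and fails at template level instead of returning a clean response; `User::findOrFail($uid)` would turn that case into a 404. The bare `false` passed to `hasValidSignature()` is the `$absolute` flag and deserves a why-comment so a reader understands why an absolute-signed link is rejected, e.g. `// validate the signature over the relative URL; presumably matches how the reset link is generated — confirm against the mailer`. Whether `Request` is already imported in this controller is outside the hunk and should be checked. reset() is fully contained in the hunk.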
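Review bot: The forbidden case added at the end of testReset only covers an absolute-vs-relative signature mismatch; an expired or tampered signature, which is what the guard mainly protects against, is not exercised. A third request built with an expiration already in the past and asserting 403 would pin the expiry check. A short comment above the second `$url` assignment, e.g. `// an absolute-URL signature must be rejected: the controller validates the relative URL`, would also explain why that request is expected to fail. testReset is fully contained in the hunk.
```php
        $this->get($url)->assertForbidden();

        // … unchanged: relative-signature success and absolute-signature forbidden cases above …
        $url = URL::temporarySignedRoute(
            'auth.reset',
            now()->subHour(),
            ['uid' => $user->uid],
            false
        );
        $this->get($url)->assertForbidden();
```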