shhzhang
3d42aab16d
[Security] Dynamic Email Verification & Password Reset Links
**Problem**

1. **Static Signature Vulnerability**:
   - Email verification links used a static signature algorithm (same link for lifetime), allowing account hijacking if links were leaked.
   - *Worst-case scenario*: Compromised AppKey + leaked link → full-site accounts in danger.
2. **Overly Long Reset Window**:
   - Password reset links remained valid for 1 hour, enabling attackers to hijack accounts if intercepted.
   - *Worst-case scenario*: Compromised AppKey + leaked link → full-site account takeover.

**Solution**

- **Email Verification**:
  - Replaced static signatures with **HMAC-SHA256 + timestamp + nonce**.
  - Links are now **one-time-use** and expire immediately after verification.
- **Password Reset**:
  - Reduced validity window from 1h → **5 minutes**.
  - Added rate limiting to prevent brute-force attacks.

**Impact**

- **Closed Communities**: Critical for real-name systems (e.g., gaming, enterprise).
- **AppKey Leak Mitigation**: Even with leaked AppKey, intercepted links are now useless.
The commit message is translated by Deepseek due to my poor English.
2026-01-24 23:16:39 +08:00
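The commit above describes the mechanism (HMAC-SHA256 over a timestamp and a random nonce, one-time redemption, a 5-minute window, and rate limiting on reset) without showing it. The block below is an added illustration written for this page, not code from this repository or from the commit: it is a self-contained Python model of that design. The class and function names (`LinkTokenService`, `FixedWindowRateLimiter`), the purpose strings `"verify"` and `"reset"`, the token encoding, and the in-memory nonce and counter stores are all assumptions made for the example; a real deployment keeps the replay store and counters in persistent storage shared across web workers.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time


class LinkTokenService:
    """Issue and verify signed, expiring, one-time links (hypothetical helper).

    A token binds purpose + user id + issue timestamp + random nonce under
    HMAC-SHA256 keyed with the application key. Redeemed nonces are recorded,
    so a link that has been used once is rejected afterwards even inside its
    validity window.
    """

    CLOCK_SKEW = 60  # seconds of clock drift tolerated between issuer and verifier

    def __init__(self, app_key: bytes, ttl_seconds: int, clock=time.time):
        self.app_key = app_key
        self.ttl = ttl_seconds
        self.clock = clock  # injectable for tests
        self._used_nonces = set()  # in-memory replay store for this example only

    def _sign(self, purpose: str, user_id: int, issued_at: int, nonce: str) -> str:
        msg = f"{purpose}|{user_id}|{issued_at}|{nonce}".encode()
        return hmac.new(self.app_key, msg, hashlib.sha256).hexdigest()

    def issue(self, purpose: str, user_id: int) -> str:
        issued_at = int(self.clock())
        nonce = secrets.token_hex(16)  # 128-bit random nonce, unique per link
        payload = {
            "p": purpose, "u": user_id, "t": issued_at, "n": nonce,
            "s": self._sign(purpose, user_id, issued_at, nonce),
        }
        return base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()

    def verify(self, token: str, purpose: str):
        """Return (user_id, "ok") on success, otherwise (None, reason)."""
        try:
            payload = json.loads(base64.urlsafe_b64decode(token.encode()))
            p, u, t = str(payload["p"]), int(payload["u"]), int(payload["t"])
            n, s = str(payload["n"]), str(payload["s"])
        except (ValueError, KeyError, TypeError, binascii.Error):
            return None, "malformed"
        if p != purpose:  # an email-verification link must not act as a reset link
            return None, "wrong_purpose"
        expected = self._sign(p, u, t, n)
        if not hmac.compare_digest(expected.encode(), s.encode()):  # constant time
            return None, "bad_signature"
        now = int(self.clock())
        if now - t > self.ttl or t > now + self.CLOCK_SKEW:
            return None, "expired"
        if n in self._used_nonces:
            return None, "replayed"
        self._used_nonces.add(n)  # consume: the link is dead from here on
        return u, "ok"


class FixedWindowRateLimiter:
    """Per-key attempt counter over a fixed time window (hypothetical helper)."""

    def __init__(self, max_attempts: int, window_seconds: int, clock=time.time):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock
        self._buckets = {}  # key -> (window_start, count); in-memory for the example

    def allow(self, key: str) -> bool:
        now = self.clock()
        start, count = self._buckets.get(key, (now, 0))
        if now - start >= self.window:  # window elapsed: start a fresh one
            start, count = now, 0
        if count >= self.max_attempts:
            self._buckets[key] = (start, count)
            return False
        self._buckets[key] = (start, count + 1)
        return True


if __name__ == "__main__":
    # Constructed demo values: a 5-minute reset window and 3 attempts per minute.
    svc = LinkTokenService(b"constructed-app-key", ttl_seconds=300)
    limiter = FixedWindowRateLimiter(max_attempts=3, window_seconds=60)
    link = svc.issue("reset", 42)
    print("first redemption:", svc.verify(link, "reset"))
    print("second redemption:", svc.verify(link, "reset"))
    print("attempts allowed:", [limiter.allow("user:42") for _ in range(4)])
```

Two details carry most of the security value. The signature is checked before the nonce is consulted, so only a link that was genuinely issued with the key can occupy a nonce, and the nonce is marked used only after every other check passes, which is what makes a link expire "immediately after verification" rather than on a timer alone. Note also that once the key is assumed compromised, the mitigation the commit claims rests on the short window and the replay store, not on the signature itself.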
SANYE-YA
33055ecbf9
fix avatar (refactor needed) ( #666 )
2025-08-07 05:08:13 +08:00
Steven Qiu
2e39fbce77
fix: avatar (refactor needed)
2025-07-31 19:59:29 +08:00
Steven Qiu
1b3b020d52
fix: make imagick sanitize result stable
2025-07-27 03:34:35 +08:00
Steven Qiu
33d805ee82
fix: skinlib 2d preview (refactor needed)
2025-07-26 21:38:33 +08:00
Steven Qiu
064b0967fc
chore: complete Facade namespaces in use statements
2025-07-02 19:29:19 +08:00
Steven Qiu
d8547a0a3d
refactor: use Intervention/Image to sanitize textures
2025-07-02 19:12:46 +08:00
Steven Qiu
761cbb7828
feat: max texture width & texture sanitize ( #662 )
* feat: sanitize uploaded file when user upload texture
* feat: limit max texture width to avoid png bomb
* style: apply php-cs-fixer fixes
* chore: set default value for max_texture_width option
* Update skinlib.yml
Co-authored-by: Pig Fang <g-plane@hotmail.com>
---------
Co-authored-by: Pig Fang <g-plane@hotmail.com>
2025-06-29 16:09:55 +08:00
Steven Qiu
24ad29ea99
style: apply php-cs-fixer fixes
2025-06-26 21:16:56 +08:00
Asnxthaony
169ca11030
BREAKING: get ready for Laravel 10
2023-05-30 14:56:27 +08:00
Pig Fang
eff859a864
update php-cs-fixer config & apply fixes
2023-01-16 23:15:41 +08:00
Asnxthaony
e965a53c18
feat(closet): add sanity check on closet management
2022-07-05 17:09:06 +08:00
Asnxthaony
1a7f76ea69
fix(skinlib): cast allow_downloading_texture to boolean
2022-07-04 19:11:05 +08:00
graywolf
663d9120b6
feat: sort closet by desc ( #412 )
for consistency with skinlib
2022-06-03 20:11:59 +08:00
mochaaP
2452ed06da
chore: new copyright footer options ( #392 )
Squashed commit of the following:
commit ea640e77447e5a120f679c0b8f27d048487dd560
Author: Cinnamoroll-Rabbit <101342651+Cinnamoroll-Rabbit@users.noreply.github.com>
Date: Sat Apr 16 23:16:00 2022 +0800
chore: new copyright footer options
2022-04-17 02:17:54 +08:00
Pig Fang
11a2c602ee
fix rendering content policy
2021-12-14 23:23:13 +08:00
Pig Fang
efa20f4940
fix test
2021-12-12 18:13:39 +08:00
Pig Fang
e89b65afdf
fix chart data ( fix #336 )
2021-08-22 19:27:34 +08:00
Pig Fang
6db0a0adeb
change date format of chart in admin panel
2021-08-22 18:14:56 +08:00
Pig Fang
baf4921479
new player name rule: allow UTF-8
2021-07-25 13:14:08 +08:00
Pig Fang
073da66623
support toggling dark mode
2021-06-06 18:07:08 +08:00
Pig Fang
c4e292c877
fix resolving report with non-existing reporter
2021-05-04 18:32:35 +08:00
Pig Fang
b7af1ebf19
fix: check texture size for capes
2021-05-04 18:20:24 +08:00
Pig Fang
6226784b10
apply php-cs-fixer fixes
2021-05-04 18:17:45 +08:00
Pig Fang
1db946e372
fix panic on empty notification content
2021-02-17 22:40:02 +08:00
Pig Fang
89bb2b4db9
reject single-layer alex texture
2021-02-13 15:19:12 +08:00
Pig Fang
6f97c1efcc
remove usage of iconv
2021-01-30 17:31:43 +08:00
Pig Fang
eae6ff887c
remove "tymon/jwt-auth" package
2021-01-30 16:43:14 +08:00
Pig Fang
66eb658410
generate asset tags at compile time
2020-10-31 10:43:47 +08:00
Pig Fang
9bfc0e6076
don't allow to render avatar for non-skin texture
2020-10-18 12:12:28 +08:00
Pig Fang
a5921770f0
use PHP 7.4 syntaxes
2020-10-14 09:48:45 +08:00
Pig Fang
1d82dcb5df
require submitting email when verifying email
2020-08-31 19:48:31 +08:00
Pig Fang
8f731e9031
parsedown -> commonmark
2020-08-20 10:28:27 +08:00
Pig Fang
d75a7d3ead
fix that private texture can be used as avatar
2020-08-20 10:14:38 +08:00
Pig Fang
963334e5ee
refactor access control
2020-08-20 08:53:43 +08:00
Pig Fang
5b738ffe6f
refactor SkinlibController
2020-08-20 08:48:53 +08:00
Pig Fang
0f791f42cc
tweak UI text
2020-08-19 17:58:31 +08:00
Pig Fang
bf860d6a68
fix that texture isn't checked if it's existed in closet
when being applied to player
2020-08-19 12:13:19 +08:00
Pig Fang
e9dbb5f713
fix status code for private texture
2020-08-14 10:32:08 +08:00
Pig Fang
76a78e187f
fix message for private textures
doesn't match with HTTP status code
2020-08-08 09:31:31 +08:00
Pig Fang
353db6f250
fix previews and avatars cannot be individually cached
by image format
fix #212
2020-07-29 18:38:21 +08:00
Pig Fang
f607ba8a41
add API of fetching avatar and preview by texture hash
2020-07-29 10:57:53 +08:00
Pig Fang
b5a1f2ffc2
fix duplication of private textures ( fix #194 )
2020-07-20 23:08:28 +08:00
Pig Fang
feda32b726
allow to customize perPage at closet
2020-07-04 09:30:57 +08:00
Pig Fang
a28abb70ac
add skeleton
2020-07-03 19:10:45 +08:00
Pig Fang
ffef98ad2e
refactor update
2020-06-24 10:49:53 +08:00
Pig Fang
94a28806e1
refactor
2020-06-22 10:17:08 +08:00
Pig Fang
ef7dfd2a71
extract "disable-registration" as plugin
2020-06-19 19:05:51 +08:00
Pig Fang
6568ed311d
tweak routes of i18n management
2020-06-16 09:50:30 +08:00
Pig Fang
d018f207f3
remove unnecessary SQL queries
2020-06-11 15:34:18 +08:00