睡觉塞牙
7717a1f93f
Merge 3d42aab16d into 52f6fefed0
2026-04-03 14:55:38 +00:00
Pig Fang
52f6fefed0
chore: remove unavailable sponsor info
2026-03-30 21:42:23 +08:00
Steven Qiu
840555df42
make tests happy
2026-03-09 23:13:47 +08:00
Steven Qiu
9aa867e8aa
refactor: do not catch exceptions when cannot read options
2026-03-09 20:21:43 +08:00
shhzhang
3d42aab16d
[Security] Dynamic Email Verification & Password Reset Links
...
**Problem**
1. **Static Signature Vulnerability**:
- Email verification links used a static signature algorithm (same link for lifetime), allowing account hijacking if links were leaked.
- *Worst-case scenario*: Compromised AppKey + leaked link → full-site account under danger.
2. **Overly Long Reset Window**:
- Password reset links remained valid for 1 hour, enabling attackers to hijack accounts if intercepted.
- *Worst-case scenario*: Compromised AppKey + leaked link → full-site account account take over.
**Solution**
- **Email Verification**:
- Replaced static signatures with **HMAC-SHA256 + timestamp + nonce**.
- Links are now **one-time-use** and expire immediately after verification.
- **Password Reset**:
- Reduced validity window from 1h → **5 minutes**.
- Added rate limiting to prevent brute-force attacks.
**Impact**
- **Closed Communities**: Critical for real-name systems (e.g., gaming, enterprise).
- **AppKey Leak Mitigation**: Even with leaked AppKey, intercepted links are now useless.
The commit message is translated by Deepseek due to my poor English.
2026-01-24 23:16:39 +08:00
Steven Qiu
d70b39f445
feat: add Auto-Submitted header to emails
...
@see https://datatracker.ietf.org/doc/html/rfc3834
Hopefully this could prevent sender being spammed by auto replies...
2025-10-09 01:54:37 +08:00
SANYE-YA
33055ecbf9
fix avatar (refactor needed) ( #666 )
2025-08-07 05:08:13 +08:00
Steven Qiu
2e39fbce77
fix: avatar (refactor needed)
2025-07-31 19:59:29 +08:00
Steven Qiu
1b3b020d52
fix: make imagick sanitize result stable
2025-07-27 03:34:35 +08:00
Steven Qiu
33d805ee82
fix: skinlib 2d preview (refactor needed)
2025-07-26 21:38:33 +08:00
Steven Qiu
57c02dd51c
fix: check if imagick installed
2025-07-25 17:43:53 +08:00
Steven Qiu
5b6bb98860
chore: update README
2025-07-25 17:39:02 +08:00
Steven Qiu
c01112a6c1
chore: use imagick for Intervention\Image
2025-07-25 17:13:54 +08:00
Steven Qiu
064b0967fc
chore: complete Facade namespaces in use statements
2025-07-02 19:29:19 +08:00
Steven Qiu
9f4c59abec
chore: no .DS_Store [skip ci]
2025-07-02 19:29:19 +08:00
Steven Qiu
d8547a0a3d
refactor: use Intervention/Image to sanitize textures
2025-07-02 19:12:46 +08:00
Steven Qiu
9c51bd602b
chore: remove redundant VSCode launch profile
2025-06-29 16:50:14 +08:00
Steven Qiu
bc3f504ca3
chore: ci
2025-06-29 16:50:14 +08:00
Steven Qiu
761cbb7828
feat: max texture width & texture sanitize ( #662 )
...
* feat: sanitize uploaded file when user upload texture
* feat: limit max texture width to avoid png bomb
* style: apply php-cs-fixer fixes
* chore: set default value for max_texture_width option
* Update skinlib.yml
Co-authored-by: Pig Fang <g-plane@hotmail.com>
---------
Co-authored-by: Pig Fang <g-plane@hotmail.com>
2025-06-29 16:09:55 +08:00
Steven Qiu
01fe3eb4cb
chore: set filename for ci snapshot build artifact
2025-06-28 17:48:16 +08:00
Steven Qiu
f03dd8122b
chore: remove redundant command in ci
2025-06-28 17:47:28 +08:00
Steven Qiu
cfda2a6bf8
style: apply php-cs-fixer fixes
2025-06-28 06:17:40 +08:00
Steven Qiu
74ce668221
fix: phpunit test
2025-06-28 06:16:49 +08:00
Steven Qiu
5a18d24464
fix: db exception in tests
2025-06-28 03:46:17 +08:00
Steven Qiu
5125862f80
fix: unexpected db query during composer install
2025-06-27 19:23:20 +08:00
Steven Qiu
fa791857ec
fix: ci snapshot build
2025-06-26 21:47:35 +08:00
Steven Qiu
24ad29ea99
style: apply php-cs-fixer fixes
2025-06-26 21:16:56 +08:00
Steven Qiu
cdfb972bd0
fix: scopes missing after cache clear
2025-06-26 21:15:53 +08:00
Zephyr Lykos
1985ce6ff8
config: switch default registry
2025-06-25 22:57:43 +08:00
Steven Qiu
d84eb65d55
Handle null route when request is handled by middleware
2025-06-22 21:50:57 +08:00
Steven Qiu
16474fb5d0
Remove locale cookie for API requests ( #660 )
...
* Do not set locale cookie for API requests
https://t.me/blessing_skin/184899
* Remove redundant code
2025-06-22 17:48:48 +08:00
Jerry
186138b884
Fix Netlify links ( #656 )
...
* Update README-zh.md
fix: wrong link
* Fix Netlify link
---------
Co-authored-by: Steven Qiu <tnqzh123@littlesk.in>
2025-06-22 17:40:50 +08:00
Zephyr Lykos
9ca6e37e39
chore: update deps
2025-01-18 16:44:33 +08:00
Steven Qiu
866e182c31
Fix #583 ( #584 )
2024-01-12 20:44:58 +08:00
Zephyr Lykos
739b9c97d7
tests: fix CheckRoleTest warning
2024-01-12 20:41:37 +08:00
Zephyr Lykos
0a43c5aa67
style: format code
2024-01-12 20:37:11 +08:00
Zephyr Lykos
35bd4524e6
ci: bump snapshot builds to PHP 8.2
2024-01-12 20:35:16 +08:00
Zephyr Lykos
eba91d5f1d
chore: update frontend deps
2024-01-12 20:31:53 +08:00
Zephyr Lykos
d764836244
ci: update deps
2024-01-12 20:31:37 +08:00
Zephyr Lykos
b1b4a71c3e
chore: update deps
2024-01-12 20:24:47 +08:00
Zephyr Lykos
fb74b43d64
upgrade dependencies
2023-08-26 14:29:53 +08:00
Zephyr Lykos
2a24506c15
config: switch default registry to CloudFront
2023-07-22 15:10:29 +08:00
Asnxthaony
f436c056e0
fix: load PluginServiceProvider first
2023-05-31 16:47:56 +08:00
Asnxthaony
77b58de7ef
update to checkout@v3
2023-05-30 17:57:08 +08:00
Asnxthaony
f5a5367e3e
fix ci
2023-05-30 17:42:45 +08:00
Asnxthaony
b811a7ae41
BREAKING: increase PHP version requirement to 8.1.0
2023-05-30 16:43:57 +08:00
Asnxthaony
d96dff1144
revert auto load Console commands
2023-05-30 15:09:39 +08:00
Asnxthaony
169ca11030
BREAKING: get ready for Laravel 10
2023-05-30 14:56:27 +08:00
Asnxthaony
b25b7588a9
use twig 3 & upgrade dependencies
2023-05-30 13:19:17 +08:00
Asnxthaony
46cccdb708
feat: generate source maps for production
2023-05-27 00:39:09 +08:00