睡觉塞牙
7717a1f93f
Merge 3d42aab16d into 52f6fefed0
2026-04-03 14:55:38 +00:00
Steven Qiu
840555df42
make tests happy
2026-03-09 23:13:47 +08:00
Steven Qiu
9aa867e8aa
refactor: do not catch exceptions when cannot read options
2026-03-09 20:21:43 +08:00
shhzhang
3d42aab16d
[Security] Dynamic Email Verification & Password Reset Links
...
**Problem**
1. **Static Signature Vulnerability**:
- Email verification links used a static signature algorithm (same link for lifetime), allowing account hijacking if links were leaked.
- *Worst-case scenario*: Compromised AppKey + leaked link → full-site account under danger.
2. **Overly Long Reset Window**:
- Password reset links remained valid for 1 hour, enabling attackers to hijack accounts if intercepted.
- *Worst-case scenario*: Compromised AppKey + leaked link → full-site account account take over.
**Solution**
- **Email Verification**:
- Replaced static signatures with **HMAC-SHA256 + timestamp + nonce**.
- Links are now **one-time-use** and expire immediately after verification.
- **Password Reset**:
- Reduced validity window from 1h → **5 minutes**.
- Added rate limiting to prevent brute-force attacks.
**Impact**
- **Closed Communities**: Critical for real-name systems (e.g., gaming, enterprise).
- **AppKey Leak Mitigation**: Even with leaked AppKey, intercepted links are now useless.
The commit message is translated by Deepseek due to my poor English.
2026-01-24 23:16:39 +08:00
Steven Qiu
d70b39f445
feat: add Auto-Submitted header to emails
...
@see https://datatracker.ietf.org/doc/html/rfc3834
Hopefully this could prevent sender being spammed by auto replies...
2025-10-09 01:54:37 +08:00
SANYE-YA
33055ecbf9
fix avatar (refactor needed) ( #666 )
2025-08-07 05:08:13 +08:00
Steven Qiu
2e39fbce77
fix: avatar (refactor needed)
2025-07-31 19:59:29 +08:00
Steven Qiu
1b3b020d52
fix: make imagick sanitize result stable
2025-07-27 03:34:35 +08:00
Steven Qiu
33d805ee82
fix: skinlib 2d preview (refactor needed)
2025-07-26 21:38:33 +08:00
Steven Qiu
064b0967fc
chore: complete Facade namespaces in use statements
2025-07-02 19:29:19 +08:00
Steven Qiu
d8547a0a3d
refactor: use Intervention/Image to sanitize textures
2025-07-02 19:12:46 +08:00
Steven Qiu
761cbb7828
feat: max texture width & texture sanitize ( #662 )
...
* feat: sanitize uploaded file when user upload texture
* feat: limit max texture width to avoid png bomb
* style: apply php-cs-fixer fixes
* chore: set default value for max_texture_width option
* Update skinlib.yml
Co-authored-by: Pig Fang <g-plane@hotmail.com>
---------
Co-authored-by: Pig Fang <g-plane@hotmail.com>
2025-06-29 16:09:55 +08:00
Steven Qiu
cfda2a6bf8
style: apply php-cs-fixer fixes
2025-06-28 06:17:40 +08:00
Steven Qiu
5a18d24464
fix: db exception in tests
2025-06-28 03:46:17 +08:00
Steven Qiu
5125862f80
fix: unexpected db query during composer install
2025-06-27 19:23:20 +08:00
Steven Qiu
24ad29ea99
style: apply php-cs-fixer fixes
2025-06-26 21:16:56 +08:00
Steven Qiu
cdfb972bd0
fix: scopes missing after cache clear
2025-06-26 21:15:53 +08:00
Steven Qiu
d84eb65d55
Handle null route when request is handled by middleware
2025-06-22 21:50:57 +08:00
Steven Qiu
16474fb5d0
Remove locale cookie for API requests ( #660 )
...
* Do not set locale cookie for API requests
https://t.me/blessing_skin/184899
* Remove redundant code
2025-06-22 17:48:48 +08:00
Steven Qiu
866e182c31
Fix #583 ( #584 )
2024-01-12 20:44:58 +08:00
Zephyr Lykos
0a43c5aa67
style: format code
2024-01-12 20:37:11 +08:00
Asnxthaony
b811a7ae41
BREAKING: increase PHP version requirement to 8.1.0
2023-05-30 16:43:57 +08:00
Asnxthaony
d96dff1144
revert auto load Console commands
2023-05-30 15:09:39 +08:00
Asnxthaony
169ca11030
BREAKING: get ready for Laravel 10
2023-05-30 14:56:27 +08:00
Asnxthaony
a13879f2df
fix: use unique routes name
2023-05-27 00:36:01 +08:00
Pig Fang
5c4afe8f80
update middlewares
2023-01-29 11:59:30 +08:00
Pig Fang
bebdea9c20
user menu can be controlled by plugins
2023-01-26 09:37:23 +08:00
Pig Fang
82dd87703f
first argument of option() function is required
2023-01-25 11:45:33 +08:00
Pig Fang
eff859a864
update php-cs-fixer config & apply fixes
2023-01-16 23:15:41 +08:00
Pig Fang
64dea61ec9
refactor
2023-01-16 23:06:31 +08:00
Asnxthaony
564672b436
fix: allow logout when user are banned
2022-12-29 12:06:58 +08:00
Asnxthaony
e965a53c18
feat(closet): add sanity check on closet management
2022-07-05 17:09:06 +08:00
Asnxthaony
1a7f76ea69
fix(skinlib): cast allow_downloading_texture to boolean
2022-07-04 19:11:05 +08:00
graywolf
663d9120b6
feat: sort closet by desc ( #412 )
...
for consistency with skinlib
2022-06-03 20:11:59 +08:00
mochaaP
2452ed06da
chore: new copyright footer options ( #392 )
...
Squashed commit of the following:
commit ea640e77447e5a120f679c0b8f27d048487dd560
Author: Cinnamoroll-Rabbit <101342651+Cinnamoroll-Rabbit@users.noreply.github.com>
Date: Sat Apr 16 23:16:00 2022 +0800
chore: new copyright footer options
2022-04-17 02:17:54 +08:00
Pig Fang
8b3376bf9b
refactor: use facade instead of service container
2022-02-13 12:05:39 +08:00
Pig Fang
7de23b6652
fix WebP compatibility
2022-02-05 22:04:17 +08:00
Pig Fang
11a2c602ee
fix rendering content policy
2021-12-14 23:23:13 +08:00
Pig Fang
efa20f4940
fix test
2021-12-12 18:13:39 +08:00
Pig Fang
faea0126ea
apply php-cs-fixer fixes
2021-12-12 17:59:27 +08:00
Pig Fang
e89b65afdf
fix chart data ( fix #336 )
2021-08-22 19:27:34 +08:00
Pig Fang
6db0a0adeb
change date format of chart in admin panel
2021-08-22 18:14:56 +08:00
Pig Fang
3f7ba49c2c
fix player name rule
2021-08-22 16:45:26 +08:00
Asnxthaony
61ce97ad79
use cached scopes
2021-08-07 13:20:47 +08:00
Pig Fang
baf4921479
new player name rule: allow UTF-8
2021-07-25 13:14:08 +08:00
Pig Fang
073da66623
support toggling dark mode
2021-06-06 18:07:08 +08:00
Pig Fang
7e04f72292
support dark mode UI
2021-06-06 14:27:21 +08:00
Pig Fang
c4e292c877
fix resolving report with non-existing reporter
2021-05-04 18:32:35 +08:00
Pig Fang
b7af1ebf19
fix: check texture size for capes
2021-05-04 18:20:24 +08:00
Pig Fang
6226784b10
apply php-cs-fixer fixes
2021-05-04 18:17:45 +08:00