shhzhang
3d42aab16d
[Security] Dynamic Email Verification & Password Reset Links
**Problem**
1. **Static Signature Vulnerability**:
- Email verification links used a static signature algorithm (same link for lifetime), allowing account hijacking if links were leaked.
- *Worst-case scenario*: Compromised AppKey + leaked link → full-site account under danger.
2. **Overly Long Reset Window**:
- Password reset links remained valid for 1 hour, enabling attackers to hijack accounts if intercepted.
- *Worst-case scenario*: Compromised AppKey + leaked link → full-site account takeover.
**Solution**
- **Email Verification**:
- Replaced static signatures with **HMAC-SHA256 + timestamp + nonce**.
- Links are now **one-time-use** and expire immediately after verification.
- **Password Reset**:
- Reduced validity window from 1h → **5 minutes**.
- Added rate limiting to prevent brute-force attacks.
**Impact**
- **Closed Communities**: Critical for real-name systems (e.g., gaming, enterprise).
- **AppKey Leak Mitigation**: Even with leaked AppKey, intercepted links are now useless.
The commit message is translated by Deepseek due to my poor English.
2026-01-24 23:16:39 +08:00
SANYE-YA
33055ecbf9
fix avatar (refactor needed) ( #666 )
2025-08-07 05:08:13 +08:00
Steven Qiu
2e39fbce77
fix: avatar (refactor needed)
2025-07-31 19:59:29 +08:00
Steven Qiu
1b3b020d52
fix: make imagick sanitize result stable
2025-07-27 03:34:35 +08:00
Steven Qiu
33d805ee82
fix: skinlib 2d preview (refactor needed)
2025-07-26 21:38:33 +08:00
Steven Qiu
064b0967fc
chore: complete Facade namespaces in use statements
2025-07-02 19:29:19 +08:00
Steven Qiu
d8547a0a3d
refactor: use Intervention/Image to sanitize textures
2025-07-02 19:12:46 +08:00
Steven Qiu
761cbb7828
feat: max texture width & texture sanitize ( #662 )
* feat: sanitize uploaded file when user upload texture
* feat: limit max texture width to avoid png bomb
* style: apply php-cs-fixer fixes
* chore: set default value for max_texture_width option
* Update skinlib.yml
Co-authored-by: Pig Fang <g-plane@hotmail.com>
---------
Co-authored-by: Pig Fang <g-plane@hotmail.com>
2025-06-29 16:09:55 +08:00
Steven Qiu
24ad29ea99
style: apply php-cs-fixer fixes
2025-06-26 21:16:56 +08:00
Steven Qiu
d84eb65d55
Handle null route when request is handled by middleware
2025-06-22 21:50:57 +08:00
Steven Qiu
16474fb5d0
Remove locale cookie for API requests ( #660 )
* Do not set locale cookie for API requests
https://t.me/blessing_skin/184899
* Remove redundant code
2025-06-22 17:48:48 +08:00
Zephyr Lykos
0a43c5aa67
style: format code
2024-01-12 20:37:11 +08:00
Asnxthaony
169ca11030
BREAKING: get ready for Laravel 10
2023-05-30 14:56:27 +08:00
Asnxthaony
a13879f2df
fix: use unique routes name
2023-05-27 00:36:01 +08:00
Pig Fang
5c4afe8f80
update middlewares
2023-01-29 11:59:30 +08:00
Pig Fang
bebdea9c20
user menu can be controlled by plugins
2023-01-26 09:37:23 +08:00
Pig Fang
eff859a864
update php-cs-fixer config & apply fixes
2023-01-16 23:15:41 +08:00
Pig Fang
64dea61ec9
refactor
2023-01-16 23:06:31 +08:00
Asnxthaony
564672b436
fix: allow logout when user is banned
2022-12-29 12:06:58 +08:00
Asnxthaony
e965a53c18
feat(closet): add sanity check on closet management
2022-07-05 17:09:06 +08:00
Asnxthaony
1a7f76ea69
fix(skinlib): cast allow_downloading_texture to boolean
2022-07-04 19:11:05 +08:00
graywolf
663d9120b6
feat: sort closet by desc ( #412 )
for consistency with skinlib
2022-06-03 20:11:59 +08:00
mochaaP
2452ed06da
chore: new copyright footer options ( #392 )
Squashed commit of the following:
commit ea640e77447e5a120f679c0b8f27d048487dd560
Author: Cinnamoroll-Rabbit <101342651+Cinnamoroll-Rabbit@users.noreply.github.com>
Date: Sat Apr 16 23:16:00 2022 +0800
chore: new copyright footer options
2022-04-17 02:17:54 +08:00
Pig Fang
7de23b6652
fix WebP compatibility
2022-02-05 22:04:17 +08:00
Pig Fang
11a2c602ee
fix rendering content policy
2021-12-14 23:23:13 +08:00
Pig Fang
efa20f4940
fix test
2021-12-12 18:13:39 +08:00
Pig Fang
e89b65afdf
fix chart data ( fix #336 )
2021-08-22 19:27:34 +08:00
Pig Fang
6db0a0adeb
change date format of chart in admin panel
2021-08-22 18:14:56 +08:00
Pig Fang
baf4921479
new player name rule: allow UTF-8
2021-07-25 13:14:08 +08:00
Pig Fang
073da66623
support toggling dark mode
2021-06-06 18:07:08 +08:00
Pig Fang
c4e292c877
fix resolving report with non-existing reporter
2021-05-04 18:32:35 +08:00
Pig Fang
b7af1ebf19
fix: check texture size for capes
2021-05-04 18:20:24 +08:00
Pig Fang
6226784b10
apply php-cs-fixer fixes
2021-05-04 18:17:45 +08:00
Asnxthaony
387fe81a60
feat: OAuth scope ( #287 )
Co-authored-by: Pig Fang <g-plane@hotmail.com>
2021-04-18 15:31:57 +08:00
Pig Fang
97057bc432
fix order of loading front-end l10n file
2021-02-18 09:43:23 +08:00
Pig Fang
1db946e372
fix panic on empty notification content
2021-02-17 22:40:02 +08:00
Pig Fang
89bb2b4db9
reject single-layer alex texture
2021-02-13 15:19:12 +08:00
Pig Fang
6f97c1efcc
remove usage of iconv
2021-01-30 17:31:43 +08:00
Pig Fang
eae6ff887c
remove "tymon/jwt-auth" package
2021-01-30 16:43:14 +08:00
Pig Fang
66eb658410
generate asset tags at compile time
2020-10-31 10:43:47 +08:00
Pig Fang
cf4ebfeaff
upgrade React to 17
2020-10-26 11:22:44 +08:00
Pig Fang
9bfc0e6076
don't allow rendering avatar for non-skin texture
2020-10-18 12:12:28 +08:00
Pig Fang
a5921770f0
use PHP 7.4 syntax
2020-10-14 09:48:45 +08:00
Pig Fang
1d82dcb5df
require submitting email when verifying email
2020-08-31 19:48:31 +08:00
Pig Fang
d13e1ba2af
use relative URL for route function ( fix #222 )
2020-08-21 23:10:14 +08:00
Pig Fang
8f731e9031
parsedown -> commonmark
2020-08-20 10:28:27 +08:00
Pig Fang
d75a7d3ead
fix that private texture can be used as avatar
2020-08-20 10:14:38 +08:00
Pig Fang
963334e5ee
refactor access control
2020-08-20 08:53:43 +08:00
Pig Fang
5b738ffe6f
refactor SkinlibController
2020-08-20 08:48:53 +08:00
Pig Fang
fe1a03fd8f
tiny tweak
2020-08-19 18:02:25 +08:00