shhzhang
3d42aab16d
[Security] Dynamic Email Verification & Password Reset Links
**Problem**
1. **Static Signature Vulnerability**:
   - Email verification links used a static signature algorithm (same link for lifetime), allowing account hijacking if links were leaked.
   - *Worst-case scenario*: Compromised AppKey + leaked link → full-site accounts in danger.
2. **Overly Long Reset Window**:
   - Password reset links remained valid for 1 hour, enabling attackers to hijack accounts if intercepted.
   - *Worst-case scenario*: Compromised AppKey + leaked link → full-site account takeover.
**Solution**
- **Email Verification**:
  - Replaced static signatures with **HMAC-SHA256 + timestamp + nonce**.
  - Links are now **one-time-use** and expire immediately after verification.
- **Password Reset**:
  - Reduced validity window from 1h → **5 minutes**.
  - Added rate limiting to prevent brute-force attacks.
**Impact**
- **Closed Communities**: Critical for real-name systems (e.g., gaming, enterprise).
- **AppKey Leak Mitigation**: Even with leaked AppKey, intercepted links are now useless.
The commit message is translated by Deepseek due to my poor English.
2026-01-24 23:16:39 +08:00
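The link scheme the commit above describes (an HMAC-SHA256 over a timestamp and a random nonce, one-time use, a 5-minute validity window, and rate limiting on the endpoint), as an added example in Python. It is not the project's code or the committer's; the key, URL, purpose names, result strings and the in-memory nonce store are assumptions made here for illustration.

```python
"""Signed, short-lived, one-time email links (illustrative, not the project's code)."""
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical secret for the example; a real deployment loads it from configuration.
APP_KEY = b"constructed-example-key-do-not-reuse"

RESET_TTL = 5 * 60  # seconds a password-reset link stays valid (5 minutes, as in the commit)
CLOCK_SKEW = 60     # seconds of future timestamp tolerated between servers


def _message(purpose, user_id, email, ts, nonce):
    """Canonical byte string covered by the signature. urlencode percent-escapes each
    value, so no field can masquerade as another (binding purpose, user, address, time, nonce)."""
    fields = {"purpose": purpose, "uid": str(user_id), "email": email.lower(),
              "ts": str(ts), "nonce": nonce}
    return urlencode(sorted(fields.items())).encode()


def make_link(base_url, purpose, user_id, email, key=APP_KEY, now=None):
    """Build a link whose query carries a timestamp, a fresh nonce and an HMAC over both."""
    ts = int(now if now is not None else time.time())
    nonce = secrets.token_hex(16)  # 128 random bits; never reused across links
    sig = hmac.new(key, _message(purpose, user_id, email, ts, nonce), hashlib.sha256).hexdigest()
    query = urlencode({"uid": user_id, "email": email, "ts": ts, "nonce": nonce, "sig": sig})
    return f"{base_url}?{query}"


class LinkVerifier:
    """Checks signature, freshness and single use of links issued for one purpose."""

    def __init__(self, purpose, ttl, key=APP_KEY):
        self.purpose, self.ttl, self.key = purpose, ttl, key
        self._used = set()  # consumed nonces; a real service persists these with an expiry

    def verify(self, link, now=None):
        now = int(now if now is not None else time.time())
        q = {k: v[0] for k, v in parse_qs(urlsplit(link).query).items()}
        try:
            uid, email, ts, nonce, sig = q["uid"], q["email"], int(q["ts"]), q["nonce"], q["sig"]
        except (KeyError, ValueError):
            return "malformed"
        expected = hmac.new(self.key, _message(self.purpose, uid, email, ts, nonce),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):   # constant-time comparison
            return "bad-signature"                   # tampered field, wrong purpose, or forged
        if ts > now + CLOCK_SKEW or now - ts > self.ttl:
            return "expired"                         # outside the validity window
        if nonce in self._used:
            return "replayed"                        # link was already consumed
        self._used.add(nonce)                        # mark used only after every check passed
        return "ok"


class RateLimiter:
    """Sliding window: at most `limit` attempts per `window` seconds for each key (IP, email...)."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)

    def allow(self, key, now=None):
        now = now if now is not None else time.time()
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:  # drop attempts that aged out
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


if __name__ == "__main__":
    # Constructed sample: a reset link issued at t=1000 and presented at t=1100 (and again).
    link = make_link("https://example.test/auth/reset", "reset", 42, "alice@example.test", now=1000)
    verifier = LinkVerifier("reset", RESET_TTL)
    print(verifier.verify(link, now=1100))  # ok
    print(verifier.verify(link, now=1100))  # replayed
    limiter = RateLimiter(limit=3, window=60)
    print([limiter.allow("203.0.113.7", now=t) for t in (0, 1, 2, 3)])  # [True, True, True, False]
```

The signature is checked before the expiry and replay checks so that unsigned input never reaches the nonce store, and the nonce is recorded only after every check passes so that a failed attempt cannot burn a legitimate link. Note what each control covers: the expiry window and the consumed-nonce set limit what an intercepted link is worth; the signature itself only holds against someone who does not have the HMAC key.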
Steven Qiu
064b0967fc
chore: complete Facade namespaces in use statements
2025-07-02 19:29:19 +08:00
Steven Qiu
24ad29ea99
style: apply php-cs-fixer fixes
2025-06-26 21:16:56 +08:00
Asnxthaony
169ca11030
BREAKING: get ready for Laravel 10
2023-05-30 14:56:27 +08:00
Pig Fang
eae6ff887c
remove "tymon/jwt-auth" package
2021-01-30 16:43:14 +08:00
Pig Fang
1d82dcb5df
require submitting email when verifying email
2020-08-31 19:48:31 +08:00
Pig Fang
ef7dfd2a71
extract "disable-registration" as plugin
2020-06-19 19:05:51 +08:00
Pig Fang
aeb8a0800c
extract oauth client as plugin
2020-06-07 23:38:08 +08:00
Pig Fang
1e85794256
add UI rows for auth pages
2020-06-07 18:54:52 +08:00
Pig Fang
d40bc66438
add more events and filters for AuthController
2020-06-02 10:49:06 +08:00
Pig Fang
0acfa1174b
refactor
2020-05-31 16:37:09 +08:00
Pig Fang
63556cabae
tiny tweak
2020-05-08 16:21:40 +08:00
Pig Fang
0f45600e21
add filters for login and registration
2020-04-06 11:13:56 +08:00
Pig Fang
b7ac9bbfa1
add signature check for visiting "reset" page
2020-03-30 10:01:37 +08:00
Pig Fang
1c97734bf6
fix email url
2020-03-29 09:53:24 +08:00
Pig Fang
5d9bb28281
attempt to fix "invalid signature" issue
2020-03-28 22:36:27 +08:00
Pig Fang
0eb7d50d1c
upgrade to Laravel 7
2020-03-09 12:29:00 +08:00
Pig Fang
9d624fd299
add filters for retrieving ip
2020-03-02 15:02:39 +08:00
Pig Fang
f46737c8e3
remove "CheckPlayerExists" event in some places
2020-01-12 12:09:58 +08:00
Pig Fang
cf497ad38c
Change method of retrieving IP
2019-12-24 23:59:25 +08:00
Pig Fang
2b827cf651
Add more events for authentication
2019-12-24 17:09:30 +08:00
Pig Fang
85d0104362
Allow char "§" for player name & Refactor
2019-12-22 11:50:39 +08:00
Pig Fang
9cc83dad30
Remove restriction of texture name and nickname
2019-12-22 10:46:10 +08:00
Pig Fang
e21fb0fa31
Inline some helper functions
2019-12-21 15:50:29 +08:00
Pig Fang
25f9eb7f22
Mark verified for users from external services
2019-12-15 17:58:38 +08:00
Pig Fang
91fbb42431
Add OAuth client
2019-12-15 11:19:10 +08:00
Pig Fang
6ead313999
Apply php-cs-fixer
2019-12-14 11:10:37 +08:00
Pig Fang
3b1866ffba
Blade -> Twig
2019-09-18 23:06:48 +08:00
Pig Fang
f9f2796529
Remove unused code
2019-09-07 11:15:23 +08:00
Pig Fang
98522a5cce
Apply fixes from StyleCI (#96)
[ci skip] [skip ci]
2019-09-07 11:00:35 +08:00
Pig Fang
1d0ae52c7b
Switch to another captcha library
2019-09-05 12:23:46 +08:00
Pig Fang
3264e376cb
Simplify importing Auth
2019-09-03 18:44:21 +08:00
Pig Fang
63ac1c11dd
Revert
2019-08-24 10:22:26 +08:00
Pig Fang
4c51924940
Resolve User class from service container
2019-08-04 10:56:15 +08:00
Pig Fang
3f4837bb35
Refactor user model
2019-07-30 15:12:31 +08:00
Pig Fang
718c7a61a5
Fix redirecting without URL query string after logged in
2019-07-12 15:53:49 +08:00
Pig Fang
672e80991a
Simplify code
2019-06-04 22:22:49 +08:00
Haowei Wen
d0609af143
Apply fixes from StyleCI
2019-05-19 05:49:44 +00:00
Pig Fang
1a98e7937d
Return empty string when JWT auth failed
2019-04-26 18:58:12 +08:00
Pig Fang
1ae0329083
Rename auth guard
2019-04-25 13:29:43 +08:00
Pig Fang
d2ad6107d1
Refactor middlewares
2019-04-25 13:01:39 +08:00
Pig Fang
6d03e47526
Normalize JSON response structure
2019-04-23 19:14:41 +08:00
Pig Fang
b70004ec0f
Add JWT refreshing
2019-04-23 12:45:06 +08:00
Pig Fang
0486ddc5a1
Normalize JSON response structure
2019-04-23 11:47:45 +08:00
Pig Fang
6507f2699f
Support JWT authentication
2019-04-23 10:05:58 +08:00
Pig Fang
8eb174a6dc
Apply fixes from StyleCI (#35)
2019-04-19 19:36:36 +08:00
Pig Fang
aa30d5a41e
Add tests for captcha
2019-04-04 11:04:13 +08:00
Pig Fang
4897656425
Fix passing extra view info
2019-03-31 16:07:36 +08:00
Pig Fang
c01e362ae0
Fix validating captcha
2019-03-27 11:11:09 +08:00
Pig Fang
64658fd9f2
Enable reCAPTCHA on "forgot" page
2019-03-27 11:07:04 +08:00