shhzhang
3d42aab16d
[Security] Dynamic Email Verification & Password Reset Links
...
**Problem**

1. **Static Signature Vulnerability**:
   - Email verification links used a static signature algorithm (same link for lifetime), allowing account hijacking if links were leaked.
   - *Worst-case scenario*: Compromised AppKey + leaked link → full-site accounts in danger.
2. **Overly Long Reset Window**:
   - Password reset links remained valid for 1 hour, enabling attackers to hijack accounts if intercepted.
   - *Worst-case scenario*: Compromised AppKey + leaked link → full-site account takeover.

**Solution**

- **Email Verification**:
  - Replaced static signatures with **HMAC-SHA256 + timestamp + nonce**.
  - Links are now **one-time-use** and expire immediately after verification.
- **Password Reset**:
  - Reduced validity window from 1h → **5 minutes**.
  - Added rate limiting to prevent brute-force attacks.

**Impact**

- **Closed Communities**: Critical for real-name systems (e.g., gaming, enterprise).
- **AppKey Leak Mitigation**: Even with a leaked AppKey, intercepted links are now useless.

The commit message was translated by Deepseek due to my poor English.
2026-01-24 23:16:39 +08:00
Steven Qiu
064b0967fc
chore: complete Facade namespaces in use statements
2025-07-02 19:29:19 +08:00
Asnxthaony
169ca11030
BREAKING: get ready for Laravel 10
2023-05-30 14:56:27 +08:00
Pig Fang
073da66623
support toggling dark mode
2021-06-06 18:07:08 +08:00
Pig Fang
1d82dcb5df
require submitting email when verifying email
2020-08-31 19:48:31 +08:00
Pig Fang
8f731e9031
parsedown -> commonmark
2020-08-20 10:28:27 +08:00
Pig Fang
d75a7d3ead
fix that private texture can be used as avatar
2020-08-20 10:14:38 +08:00
Pig Fang
94a28806e1
refactor
2020-06-22 10:17:08 +08:00
Pig Fang
d018f207f3
remove unnecessary SQL queries
2020-06-11 15:34:18 +08:00
Pig Fang
7ae9a05f0c
extract "single-player" function as plugin
2020-06-03 14:47:44 +08:00
Pig Fang
a454f526ba
add more events and filters for UserController
2020-06-01 17:29:24 +08:00
Pig Fang
cf95b3a345
simplify sign calculation
2020-06-01 16:59:42 +08:00
Pig Fang
d7f92bf3b2
tweak user API
2020-06-01 09:07:26 +08:00
Pig Fang
0acfa1174b
refactor
2020-05-31 16:37:09 +08:00
Pig Fang
5e051eadfe
refactor
2020-05-08 23:16:13 +08:00
Pig Fang
1c97734bf6
fix email url
2020-03-29 09:53:24 +08:00
Pig Fang
5d9bb28281
attempt to fix "invalid signature" issue
2020-03-28 22:36:27 +08:00
Steven Qiu
33c6f00da6
send fewer verification emails (#138)
2020-02-27 17:45:07 +08:00
Pig Fang
ca7db2585f
rewrite "EmailVerification" UI widget
2020-02-12 10:02:15 +08:00
Pig Fang
1d87171808
rewrite user dashboard with React
2020-01-31 15:58:37 +08:00
Pig Fang
b816eb1c06
simplify
2020-01-12 11:47:36 +08:00
Pig Fang
8703495f8f
refactor
2019-12-31 22:39:33 +08:00
Pig Fang
1829f1dab5
App\Services\Rejection -> Blessing\Rejection
2019-12-31 18:41:16 +08:00
Pig Fang
d40726a718
App\Services\Filter -> Blessing\Filter
2019-12-29 11:49:31 +08:00
Pig Fang
facd92356c
Simplify code
2019-12-25 15:50:34 +08:00
Pig Fang
9eae104402
Invoke Parsedown directly
2019-12-25 15:48:34 +08:00
Pig Fang
9cc83dad30
Remove restriction of texture name and nickname
2019-12-22 10:46:10 +08:00
Pig Fang
e21fb0fa31
Inline some helper functions
2019-12-21 15:50:29 +08:00
Pig Fang
6ead313999
Apply php-cs-fixer
2019-12-14 11:10:37 +08:00
Pig Fang
96fd445415
Add grid for user dashboard
2019-12-13 19:29:57 +08:00
Pig Fang
7950132954
Add grid for user profile page
2019-12-13 18:53:47 +08:00
Pig Fang
56bd71c063
Refactor user profile page
...
to be static
2019-12-13 15:47:07 +08:00
Pig Fang
9403ae356d
Blade -> Twig (wip)
2019-09-17 23:10:44 +08:00
Pig Fang
98522a5cce
Apply fixes from StyleCI (#96)
...
[ci skip] [skip ci]
2019-09-07 11:00:35 +08:00
Pig Fang
402eec0b3c
Simplify syntax
2019-09-04 23:16:49 +08:00
Pig Fang
3fc176e07a
Add more events and filters
2019-09-04 19:31:44 +08:00
Pig Fang
3264e376cb
Simplify importing Auth
2019-09-03 18:44:21 +08:00
Pig Fang
63ac1c11dd
Revert
2019-08-24 10:22:26 +08:00
Pig Fang
bf778e9405
Tweak
2019-08-16 17:09:40 +08:00
Pig Fang
4c51924940
Resolve User class from service container
2019-08-04 10:56:15 +08:00
Pig Fang
73beea6af4
Tweak
2019-07-30 14:37:31 +08:00
Pig Fang
67bcfc65a5
Refactor user model
2019-07-30 14:29:02 +08:00
Pig Fang
7a7cc2ddd9
Notifications
2019-07-03 16:19:13 +08:00
Pig Fang
fd70a7182f
Add API for fetch current user
2019-04-27 23:10:21 +08:00
Pig Fang
6d03e47526
Normalize JSON response structure
2019-04-23 19:14:41 +08:00
Pig Fang
0486ddc5a1
Normalize JSON response structure
2019-04-23 11:47:45 +08:00
Pig Fang
8eb174a6dc
Apply fixes from StyleCI (#35)
2019-04-19 19:36:36 +08:00
Pig Fang
d9efa1d5ff
Declare sharable user instance in master view
2019-03-31 09:08:31 +08:00
Pig Fang
f6040707e1
Generate extra data in controllers
2019-03-23 19:52:14 +08:00
Pig Fang
2267a2cadb
Remove UserRepository
2019-03-23 11:06:36 +08:00