shhzhang
3d42aab16d
[Security] Dynamic Email Verification & Password Reset Links
**Problem**
1. **Static Signature Vulnerability**:
   - Email verification links used a static signature algorithm (the same link for its lifetime), allowing account hijacking if links were leaked.
   - *Worst-case scenario*: Compromised AppKey + leaked link → full-site accounts in danger.
2. **Overly Long Reset Window**:
   - Password reset links remained valid for 1 hour, enabling attackers to hijack accounts if intercepted.
   - *Worst-case scenario*: Compromised AppKey + leaked link → full-site account takeover.
**Solution**
- **Email Verification**:
  - Replaced static signatures with **HMAC-SHA256 + timestamp + nonce**.
  - Links are now **one-time-use** and expire immediately after verification.
- **Password Reset**:
  - Reduced validity window from 1h → **5 minutes**.
  - Added rate limiting to prevent brute-force attacks.
**Impact**
- **Closed Communities**: Critical for real-name systems (e.g., gaming, enterprise).
- **AppKey Leak Mitigation**: Even with a leaked AppKey, intercepted links are now useless.
The commit message was translated by Deepseek due to my poor English.
2026-01-24 23:16:39 +08:00
Steven Qiu
064b0967fc
chore: complete Facade namespaces in use statements
2025-07-02 19:29:19 +08:00
Steven Qiu
761cbb7828
feat: max texture width & texture sanitize (#662)
* feat: sanitize uploaded file when user upload texture
* feat: limit max texture width to avoid png bomb
* style: apply php-cs-fixer fixes
* chore: set default value for max_texture_width option
* Update skinlib.yml
Co-authored-by: Pig Fang <g-plane@hotmail.com>
---------
Co-authored-by: Pig Fang <g-plane@hotmail.com>
2025-06-29 16:09:55 +08:00
Pig Fang
7e04f72292
support dark mode UI
2021-06-06 14:27:21 +08:00
Asnxthaony
387fe81a60
feat: OAuth scope (#287)
Co-authored-by: Pig Fang <g-plane@hotmail.com>
2021-04-18 15:31:57 +08:00
Pig Fang
311b0690fc
upgrade Laravel to 8
2020-10-14 11:56:34 +08:00
Pig Fang
e9f8be1653
implement RFC 0001
2020-07-02 12:20:05 +08:00
Pig Fang
017db1788b
add migration
2020-06-28 15:57:46 +08:00
Pig Fang
a3ea8e3c62
fix test
2020-06-26 09:21:09 +08:00
Pig Fang
ea26abcc3b
add missing migration from laravel/passport
2020-06-26 09:06:45 +08:00
Pig Fang
78c1373960
clean up comments
2020-06-24 15:25:36 +08:00
Pig Fang
ffef98ad2e
refactor update
2020-06-24 10:49:53 +08:00
Pig Fang
4d25b2042d
convert background image format to WebP
2020-05-30 11:18:13 +08:00
Pig Fang
97705755c5
fix admin can't add private texture
2020-03-14 14:59:52 +08:00
Pig Fang
b66a48181f
add migration for lengthening ip field
2020-03-10 14:59:50 +08:00
Pig Fang
0eb7d50d1c
upgrade to Laravel 7
2020-03-09 12:29:00 +08:00
Pig Fang
6ead313999
Apply php-cs-fixer
2019-12-14 11:10:37 +08:00
Pig Fang
c6959ebc81
Lengthened ip field to support IPv6
2019-12-14 10:03:11 +08:00
Pig Fang
6aa458c95b
New default home page background
2019-11-27 15:06:09 +08:00
Pig Fang
9aaaa20d52
Add update script
2019-09-07 10:37:30 +08:00
Pig Fang
cac1c7eb31
Remove old update scripts
2019-09-07 08:44:58 +08:00
Pig Fang
5d1dce347f
Switch to another translations loader
2019-09-06 18:52:34 +08:00
Pig Fang
0105c6b016
Use sync as default queue driver
2019-07-05 23:25:15 +08:00
Pig Fang
4529d1e219
Push notifications to queue (fix #78)
2019-07-05 22:48:23 +08:00
Pig Fang
dffe7fc060
Nothing here
2019-07-05 19:45:30 +08:00
Pig Fang
4df5d867a9
Fix again
2019-07-05 19:30:05 +08:00
Pig Fang
a4fe2243af
Fix release-related issue
2019-07-05 18:53:00 +08:00
Pig Fang
1c2220ef94
Fix release-related issue
2019-07-05 18:15:46 +08:00
Pig Fang
b28c8a8bf1
Fix release-related issue
2019-07-05 18:04:30 +08:00
Pig Fang
db5640dc62
Fix for release issue
2019-07-05 17:47:47 +08:00
Pig Fang
7a7cc2ddd9
Notifications
2019-07-03 16:19:13 +08:00
Haowei Wen
d0609af143
Apply fixes from StyleCI
2019-05-19 05:49:44 +00:00
Pig Fang
b119a8de6d
Regress likes field of textures table
2019-05-05 11:21:37 +08:00
Pig Fang
7982ae2661
Fix update script
2019-05-03 11:55:23 +08:00
Pig Fang
b4e23ce79f
Add message for 4.1.0 update script
2019-05-03 08:32:09 +08:00
Pig Fang
22d49f972d
Fix loading commands of laravel/passport
2019-05-01 17:08:55 +08:00
Pig Fang
e2c125648f
Support OAuth2
2019-04-25 23:24:24 +08:00
Pig Fang
6507f2699f
Support JWT authentication
2019-04-23 10:05:58 +08:00
Pig Fang
ff4fa1eefa
Check table before creating
2019-04-19 23:05:58 +08:00
Pig Fang
9a095732fa
Build plugin "report-textures" into core
2019-03-30 11:38:30 +08:00
Pig Fang
e71e74cd5b
Rework Option
2019-03-23 15:44:16 +08:00
Pig Fang
5235ac23b0
Fix uploading texture
2019-03-16 16:32:49 +08:00
Pig Fang
5915b3ec17
Reimplementing closet
2019-03-14 23:55:49 +08:00
Pig Fang
fc44b09df1
Remove auto update script
2019-03-14 15:22:36 +08:00
Pig Fang
ceac906771
Rename column player_name to name
2019-03-13 13:16:51 +08:00
Pig Fang
cd2711942e
Enforce to use tid_skin
2019-03-13 11:24:04 +08:00
Pig Fang
5332589b65
Use Laravel's built-in updater
2019-03-02 23:47:51 +08:00
Pig Fang
3cf19d8656
Apply fixes from StyleCI (#11)
This pull request applies code style fixes from an analysis carried out by [StyleCI](https://github.styleci.io).
---
For more information, click [here](https://github.styleci.io/analyses/8wKwbZ).
2019-03-02 22:58:37 +08:00
Pig Fang
1ff8e631fe
Remove settings of preference (#8)
Resolve #6
2019-03-02 21:13:17 +08:00
Pig Fang
e528547b89
Laravel 5.8 (#5)
2019-02-27 23:44:50 +08:00