Leisuretimedock/blessing-skin-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Web application brings your custom skins back in offline Minecraft servers.
3,398 Commits 10 Branches 89 Tags 24 MiB
PHP 53%
TypeScript 40.7%
Twig 5.3%
Dockerfile 0.3%
CSS 0.3%
Other 0.3%
3d42aab16d
Go to file
shhzhang 3d42aab16d [Security] Dynamic Email Verification & Password Reset Links 
**Problem**
1. **Static Signature Vulnerability**:
   - Email verification links used a static signature algorithm (same link for lifetime), allowing account hijacking if links were leaked.
   - *Worst-case scenario*: Compromised AppKey + leaked link → full-site account under danger.
2. **Overly Long Reset Window**:
   - Password reset links remained valid for 1 hour, enabling attackers to hijack accounts if intercepted.
   - *Worst-case scenario*: Compromised AppKey + leaked link → full-site account account take over.

 **Solution**
- **Email Verification**:
  - Replaced static signatures with **HMAC-SHA256 + timestamp + nonce**.
  - Links are now **one-time-use** and expire immediately after verification.
- **Password Reset**:
  - Reduced validity window from 1h → **5 minutes**.
  - Added rate limiting to prevent brute-force attacks.

 **Impact**
- **Closed Communities**: Critical for real-name systems (e.g., gaming, enterprise).
- **AppKey Leak Mitigation**: Even with leaked AppKey, intercepted links are now useless.

The commit message is translated by Deepseek due to my poor English.
2026-01-24 23:16:39 +08:00
.devcontainer Fix dev container 2023-02-09 19:48:30 +00:00
.github chore: use imagick for Intervention\Image 2025-07-25 17:13:54 +08:00
.husky add pre-commit hook to format code 2022-02-12 17:37:16 +08:00
.vscode chore: remove redundant VSCode launch profile 2025-06-29 16:50:14 +08:00
app [Security] Dynamic Email Verification & Password Reset Links 2026-01-24 23:16:39 +08:00
bootstrap fix: check if imagick installed 2025-07-25 17:43:53 +08:00
config chore: use imagick for Intervention\Image 2025-07-25 17:13:54 +08:00
database [Security] Dynamic Email Verification & Password Reset Links 2026-01-24 23:16:39 +08:00
plugins Add an empty "plugins" directory 2018-06-28 13:31:43 +08:00
public upgrade Laravel to 8 2020-10-14 11:56:34 +08:00
resources feat: max texture width & texture sanitize (#662) 2025-06-29 16:09:55 +08:00
routes [Security] Dynamic Email Verification & Password Reset Links 2026-01-24 23:16:39 +08:00
storage display 3D avatar when applying texture to player 2020-01-12 09:57:55 +08:00
tests chore: complete Facade namespaces in use statements 2025-07-02 19:29:19 +08:00
tools BREAKING: increase PHP version requirement to 8.1.0 2023-05-30 16:43:57 +08:00
.dockerignore remove meta.js file 2023-01-25 12:01:29 +08:00
.editorconfig add Docker (Apache) 2020-05-03 15:41:06 +08:00
.env.example generate asset tags at compile time 2020-10-31 10:43:47 +08:00
.env.testing fix ci 2023-05-30 17:42:45 +08:00
.eslintignore re-enable eslint 2020-07-13 11:25:40 +08:00
.eslintrc.yml fix possible React Hooks issues 2022-02-13 12:09:08 +08:00
.gitignore chore: no .DS_Store [skip ci] 2025-07-02 19:29:19 +08:00
.gitpod.yml Revert "chore(gitpod): private port by default" 2022-07-11 21:05:33 +00:00
.php-cs-fixer.dist.php update php-cs-fixer config & apply fixes 2023-01-16 23:15:41 +08:00
artisan Fix artisan 2019-12-29 19:00:52 +08:00
composer.json chore: use imagick for Intervention\Image 2025-07-25 17:13:54 +08:00
composer.lock chore: update deps 2025-01-18 16:44:33 +08:00
crowdin.yml clean up 2020-03-12 11:27:41 +08:00
Dockerfile feat: re-add docker build support (#395) 2022-04-17 02:23:48 +08:00
index.html Put an HTML at root for guiding. 2019-09-12 19:17:54 +08:00
LICENSE meta: update name 2020-04-26 11:01:07 +08:00
package.json chore: update deps 2025-01-18 16:44:33 +08:00
phpunit.xml fix ci 2023-05-30 17:42:45 +08:00
postcss.config.js tweak CSS minification 2020-11-04 11:34:36 +08:00
README-zh.md chore: update README 2025-07-25 17:39:02 +08:00
README.md chore: update README 2025-07-25 17:39:02 +08:00
server.php Apply fixes from StyleCI (#16) 2019-03-12 17:21:29 +08:00
tsconfig.build.json use React 17 new JSX runtime 2021-01-02 16:38:18 +08:00
tsconfig.dev.json use React 17 new JSX runtime 2021-01-02 16:38:18 +08:00
tsconfig.eslint.json fix: remove gitpod config from tsconfig 2022-06-17 14:03:20 +08:00
tsconfig.json fix: remove gitpod config from tsconfig 2022-06-17 14:03:20 +08:00
webpack.config.ts feat: generate source maps for production 2023-05-27 00:39:09 +08:00
yarn.lock chore: update frontend deps 2024-01-12 20:31:53 +08:00

README.md

GitHub Workflow Status Codecov GitHub release (latest SemVer including pre-releases) GitHub Discord

Puzzled by losing your custom skins in Minecraft servers runing in offline mode? Now you can easily get them back with the help of Blessing Skin!

Blessing Skin is a web application where you can upload, manage and share your custom skins & capes! Unlike modifying a resource pack, everyone in the game will see the different skins of each other (of course they should register at the same website too).

Blessing Skin is an open-source project written in PHP, which means you can deploy it freely on your own web server!

Features

  • A fully functional skin hosting service
  • Multiple player names can be owned by one user on the website
  • Share your skins and capes online with skin library!
  • Easy-to-use
    • Visual page for user/player/texture management
    • Detailed option pages
    • Many tweaks for a better UI/UX
  • Security
    • Support many secure password hash algorithms
    • Email verification for registration
    • Score system for preventing evil requests
  • Incredibly extensible
    • Plenty of plugins available
    • Integration with Authme/Discuz (available as plugin)
    • Support custom Yggdrasil API authentication (available as plugin)

Requirements

Blessing Skin has only a few system requirements. In most cases, these PHP extensions are already enabled.

  • Web server with URL rewriting enabled (Nginx or Apache)
  • PHP >= 8.1.0
  • PHP Extensions
    • OpenSSL >= 1.1.1 (TLS 1.3)
    • PDO
    • Mbstring
    • Tokenizer
    • GD
    • XML
    • Ctype
    • JSON
    • fileinfo
    • zip
    • Imagick

Quick Install

Please read Installation Guide.

Plugin System

Blessing Skin provides an elegant and powerful plugin system, and you can attach plenty of functions and customization to your site via installing plugins.

Supporting Blessing Skin

Welcome to sponsoring Blessing Skin if this software is useful for you!

Currently you can sponsor us via 爱发电.

Sponsors


gao_cai_sheng
K_LazyCat
伊南
家乐
黄金鞘翅的郡主

睡觉塞牙

Backers


飒爽师叔
皮皮帕
黄金鞘翅的郡主
♂sudo rm -rf /*[幼稚鬼]

Build From Source

Please refer to Manual Build.

Internationalization

Blessing Skin supports multiple languages, while currently supporting English, Simplified Chinese and Spanish.

If you are willing to contribute your translation, welcome to join our Crowdin project.

Report Bugs

Read FAQ and double check if your situation doesn't suit any case mentioned there before reporting.

When reporting a problem, please attach your log file (located at storage/logs/laravel.log) and the information of your server where the error occured on. You should also read this guide before reporting a problem.

Related Links

Copyright & License

MIT License

Copyright (c) 2016-present The Blessing Skin Team