blessing-skin-server/app/Http/Controllers
shhzhang 3d42aab16d [Security] Dynamic Email Verification & Password Reset Links
**Problem**
1. **Static Signature Vulnerability**:
   - Email verification links used a static signature algorithm (same link for lifetime), allowing account hijacking if links were leaked.
   - *Worst-case scenario*: Compromised AppKey + leaked link → full-site accounts at risk.
2. **Overly Long Reset Window**:
   - Password reset links remained valid for 1 hour, enabling attackers to hijack accounts if intercepted.
   - *Worst-case scenario*: Compromised AppKey + leaked link → full-site account takeover.

**Solution**
- **Email Verification**:
  - Replaced static signatures with **HMAC-SHA256 + timestamp + nonce**.
  - Links are now **one-time-use** and expire immediately after verification.
- **Password Reset**:
  - Reduced validity window from 1h → **5 minutes**.
  - Added rate limiting to prevent brute-force attacks.

**Impact**
- **Closed Communities**: Critical for real-name systems (e.g., gaming, enterprise).
- **AppKey Leak Mitigation**: Even with leaked AppKey, intercepted links are now useless.

This commit message was translated by Deepseek due to my poor English.
2026-01-24 23:16:39 +08:00
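The link scheme the commit message describes (an HMAC-SHA256 over the link fields plus a timestamp and a random nonce, a short validity window, and one-time use after verification), as an added example written in Python. It is not the project's PHP code; the class name `ActionLinkSigner`, the `uid`/`ts`/`nonce`/`sig` query parameters, the `purpose` label, the 60-second skew tolerance and the in-memory set standing in for a persistent store of consumed nonces are all assumptions made for the example:

```python
"""Signed, short-lived, one-time email action links (verification / password reset).

Illustrative code, not the blessing-skin-server implementation. Assumes an
application secret `key`, a `purpose` string that keeps link types apart, and an
in-memory set in place of a persistent table of consumed nonces.
"""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


class ActionLinkSigner:
    def __init__(self, key: bytes, ttl_seconds: int, clock=time.time):
        self.key = key
        self.ttl = ttl_seconds
        self.clock = clock            # injectable so tests can move time forward
        self.used_nonces = set()      # hypothetical stand-in for a DB/cache table

    def _mac(self, purpose: str, user_id: str, ts: int, nonce: str) -> str:
        # Binding purpose and user_id into the MAC stops a verification link
        # from being replayed as a reset link or re-pointed at another account.
        msg = "|".join([purpose, user_id, str(ts), nonce]).encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def make_link(self, base_url: str, purpose: str, user_id: str) -> str:
        ts = int(self.clock())
        nonce = secrets.token_hex(16)          # 128 random bits, unique per link
        sig = self._mac(purpose, user_id, ts, nonce)
        query = urlencode({"uid": user_id, "ts": ts, "nonce": nonce, "sig": sig})
        return f"{base_url}?{query}"

    def verify(self, link: str, purpose: str) -> tuple:
        """Return (user_id, None) on success or (None, reason) on failure.

        The nonce is consumed only after every other check passes, so a
        second call with the same link fails with "already_used".
        """
        params = {k: v[0] for k, v in parse_qs(urlparse(link).query).items()}
        try:
            user_id = params["uid"]
            ts = int(params["ts"])
            nonce, sig = params["nonce"], params["sig"]
        except (KeyError, ValueError):
            return None, "malformed"
        now = int(self.clock())
        if ts > now + 60:                      # small tolerance for clock skew
            return None, "timestamp_in_future"
        if now - ts > self.ttl:
            return None, "expired"
        expected = self._mac(purpose, user_id, ts, nonce)
        # Constant-time comparison on bytes, so attacker-supplied text cannot
        # leak the expected value through timing or raise on non-ASCII input.
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return None, "bad_signature"
        if nonce in self.used_nonces:
            return None, "already_used"
        self.used_nonces.add(nonce)
        return user_id, None


if __name__ == "__main__":
    signer = ActionLinkSigner(b"constructed-demo-key", ttl_seconds=300)
    link = signer.make_link("https://example.test/auth/reset", "password-reset", "42")
    print(link)
    print(signer.verify(link, "password-reset"))   # first use succeeds
    print(signer.verify(link, "password-reset"))   # replay is rejected
```

The expiry and nonce checks are what bound the damage of an intercepted link; they do not make the signing key expendable, since anyone holding the key can still mint fresh, valid links, so the key must stay secret regardless. In a real deployment the consumed-nonce store has to be persistent and shared across all workers, with entries dropped once they are older than the TTL; the rate limiting on the reset endpoint that the commit mentions is a separate control and is not shown here.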
AdminController.php style: apply php-cs-fixer fixes 2025-06-26 21:16:56 +08:00
AuthController.php [Security] Dynamic Email Verification & Password Reset Links 2026-01-24 23:16:39 +08:00
ClosetController.php chore: complete Facade namespaces in use statements 2025-07-02 19:29:19 +08:00
ClosetManagementController.php feat(closet): add sanity check on closet management 2022-07-05 17:09:06 +08:00
Controller.php Apply php-cs-fixer 2019-12-14 11:10:37 +08:00
HomeController.php chore: new copyright footer options (#392) 2022-04-17 02:17:54 +08:00
MarketController.php allow l10n of plugins market registry 2020-04-07 16:09:30 +08:00
NotificationsController.php fix test 2021-12-12 18:13:39 +08:00
OptionsController.php feat: max texture width & texture sanitize (#662) 2025-06-29 16:09:55 +08:00
PlayerController.php chore: complete Facade namespaces in use statements 2025-07-02 19:29:19 +08:00
PlayersManagementController.php style: apply php-cs-fixer fixes 2025-06-26 21:16:56 +08:00
PluginController.php parsedown -> commonmark 2020-08-20 10:28:27 +08:00
ReportController.php style: apply php-cs-fixer fixes 2025-06-26 21:16:56 +08:00
SetupController.php style: apply php-cs-fixer fixes 2025-06-26 21:16:56 +08:00
SkinlibController.php fix: make imagick sanitize result stable 2025-07-27 03:34:35 +08:00
TextureController.php fix avatar (refactor needed) (#666) 2025-08-07 05:08:13 +08:00
TranslationsController.php style: apply php-cs-fixer fixes 2025-06-26 21:16:56 +08:00
UpdateController.php apply php-cs-fixer fixes 2021-05-04 18:17:45 +08:00
UserController.php [Security] Dynamic Email Verification & Password Reset Links 2026-01-24 23:16:39 +08:00
UsersManagementController.php BREAKING: get ready for Laravel 10 2023-05-30 14:56:27 +08:00