Leisuretimedock/blessing-skin-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Web application brings your custom skins back in offline Minecraft servers.
1 Commit 10 Branches 89 Tags 24 MiB
PHP 53%
TypeScript 40.7%
Twig 5.3%
Dockerfile 0.3%
CSS 0.3%
Other 0.3%
5ae64f5a39
Go to file
Gerrit User 1039237 5ae64f5a39 Create change 
GitHub Pull Request: https://github.com/bs-community/blessing-skin-server/pull/676

修复邮箱验证链接安全问题

@shhzhang 发现当前邮箱验证链接存在以下安全问题:

1. 验证链接永不过期
2. 验证链接仅对用户ID进行了签名

其中问题2比较严重,如果用户在收到验证链接后故意不完成验证,又把邮箱改成其他任意邮箱,之前收到的验证链接仍然能继续使用,从而可以绑定任意邮箱。

#675 的修复似乎仅在签名中增加了时间戳,只解决了问题1,且修复方式较为复杂,本 PR 使用 `temporarySignedRoute` 进行修复。

Patch-set: 1
Change-id: I3a2f498bf63e8a8de2437f8214ebe2f70fbe8a84
Subject: fix: update tests for email verification
Branch: refs/heads/dev
Status: new
Topic: 
Commit: 5b482f2468
Tag: autogenerated:gerrit:newPatchSet
Groups: 5b482f2468
Private: false
Work-in-progress: false
2026-02-01 09:52:12 +00:00