mirror of
https://github.com/lkddi/Xboard.git
synced 2026-04-29 23:47:27 +08:00
eat: add reCAPTCHA v3 and Cloudflare Turnstile verification support
- Implement reCAPTCHA v3 with score-based validation - Add Cloudflare Turnstile as captcha alternative - Create reusable CaptchaService for unified validation - Support switching between recaptcha, recaptcha-v3, and turnstile - Maintain backward compatibility with existing configurations
This commit is contained in:
xboard
@@ -19,12 +19,18 @@ class LoginService
|
||||
public function login(string $email, string $password): array
|
||||
{
|
||||
// 检查密码错误限制
|
||||
if ((int)admin_setting('password_limit_enable', true)) {
|
||||
$passwordErrorCount = (int)Cache::get(CacheKey::get('PASSWORD_ERROR_LIMIT', $email), 0);
|
||||
if ($passwordErrorCount >= (int)admin_setting('password_limit_count', 5)) {
|
||||
return [false, [429, __('There are too many password errors, please try again after :minute minutes.', [
|
||||
'minute' => admin_setting('password_limit_expire', 60)
|
||||
])]];
|
||||
if ((int) admin_setting('password_limit_enable', true)) {
|
||||
$passwordErrorCount = (int) Cache::get(CacheKey::get('PASSWORD_ERROR_LIMIT', $email), 0);
|
||||
if ($passwordErrorCount >= (int) admin_setting('password_limit_count', 5)) {
|
||||
return [
|
||||
false,
|
||||
[
|
||||
429,
|
||||
__('There are too many password errors, please try again after :minute minutes.', [
|
||||
'minute' => admin_setting('password_limit_expire', 60)
|
||||
])
|
||||
]
|
||||
];
|
||||
}
|
||||
}
|
||||
|
||||
@@ -35,19 +41,21 @@ class LoginService
|
||||
}
|
||||
|
||||
// 验证密码
|
||||
if (!Helper::multiPasswordVerify(
|
||||
$user->password_algo,
|
||||
$user->password_salt,
|
||||
$password,
|
||||
$user->password)
|
||||
if (
|
||||
!Helper::multiPasswordVerify(
|
||||
$user->password_algo,
|
||||
$user->password_salt,
|
||||
$password,
|
||||
$user->password
|
||||
)
|
||||
) {
|
||||
// 增加密码错误计数
|
||||
if ((int)admin_setting('password_limit_enable', true)) {
|
||||
$passwordErrorCount = (int)Cache::get(CacheKey::get('PASSWORD_ERROR_LIMIT', $email), 0);
|
||||
if ((int) admin_setting('password_limit_enable', true)) {
|
||||
$passwordErrorCount = (int) Cache::get(CacheKey::get('PASSWORD_ERROR_LIMIT', $email), 0);
|
||||
Cache::put(
|
||||
CacheKey::get('PASSWORD_ERROR_LIMIT', $email),
|
||||
(int)$passwordErrorCount + 1,
|
||||
60 * (int)admin_setting('password_limit_expire', 60)
|
||||
(int) $passwordErrorCount + 1,
|
||||
60 * (int) admin_setting('password_limit_expire', 60)
|
||||
);
|
||||
}
|
||||
return [false, [400, __('Incorrect email or password')]];
|
||||
@@ -77,13 +85,13 @@ class LoginService
|
||||
{
|
||||
// 检查重置请求限制
|
||||
$forgetRequestLimitKey = CacheKey::get('FORGET_REQUEST_LIMIT', $email);
|
||||
$forgetRequestLimit = (int)Cache::get($forgetRequestLimitKey);
|
||||
$forgetRequestLimit = (int) Cache::get($forgetRequestLimitKey);
|
||||
if ($forgetRequestLimit >= 3) {
|
||||
return [false, [429, __('Reset failed, Please try again later')]];
|
||||
}
|
||||
|
||||
// 验证邮箱验证码
|
||||
if ((string)Cache::get(CacheKey::get('EMAIL_VERIFY_CODE', $email)) !== (string)$emailCode) {
|
||||
if ((string) Cache::get(CacheKey::get('EMAIL_VERIFY_CODE', $email)) !== (string) $emailCode) {
|
||||
Cache::put($forgetRequestLimitKey, $forgetRequestLimit ? $forgetRequestLimit + 1 : 1, 300);
|
||||
return [false, [400, __('Incorrect email verification code')]];
|
||||
}
|
||||
@@ -98,14 +106,44 @@ class LoginService
|
||||
$user->password = password_hash($password, PASSWORD_DEFAULT);
|
||||
$user->password_algo = NULL;
|
||||
$user->password_salt = NULL;
|
||||
|
||||
|
||||
if (!$user->save()) {
|
||||
return [false, [500, __('Reset failed')]];
|
||||
}
|
||||
|
||||
// 清除邮箱验证码
|
||||
Cache::forget(CacheKey::get('EMAIL_VERIFY_CODE', $email));
|
||||
|
||||
|
||||
return [true, true];
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* 生成临时登录令牌和快速登录URL
|
||||
*
|
||||
* @param User $user 用户对象
|
||||
* @param string $redirect 重定向路径
|
||||
* @return string|null 快速登录URL
|
||||
*/
|
||||
public function generateQuickLoginUrl(User $user, string $redirect = 'dashboard'): ?string
|
||||
{
|
||||
if (!$user || !$user->exists) {
|
||||
return null;
|
||||
}
|
||||
|
||||
$code = Helper::guid();
|
||||
$key = CacheKey::get('TEMP_TOKEN', $code);
|
||||
|
||||
Cache::put($key, $user->id, 60);
|
||||
|
||||
$loginRedirect = '/#/login?verify=' . $code . '&redirect=' . $redirect;
|
||||
|
||||
if (admin_setting('app_url')) {
|
||||
$url = admin_setting('app_url') . $loginRedirect;
|
||||
} else {
|
||||
$url = url($loginRedirect);
|
||||
}
|
||||
|
||||
return $url;
|
||||
}
|
||||
}
|
||||
@@ -19,7 +19,7 @@ class MailLinkService
|
||||
*/
|
||||
public function handleMailLink(string $email, ?string $redirect = null): array
|
||||
{
|
||||
if (!(int)admin_setting('login_with_mail_link_enable')) {
|
||||
if (!(int) admin_setting('login_with_mail_link_enable')) {
|
||||
return [false, [404, null]];
|
||||
}
|
||||
|
||||
@@ -72,28 +72,6 @@ class MailLinkService
|
||||
]);
|
||||
}
|
||||
|
||||
/**
|
||||
* 获取快速登录URL
|
||||
*
|
||||
* @param User $user 用户对象
|
||||
* @param string|null $redirect 重定向地址
|
||||
* @return string 登录URL
|
||||
*/
|
||||
public function getQuickLoginUrl(User $user, ?string $redirect = null): string
|
||||
{
|
||||
$code = Helper::guid();
|
||||
$key = CacheKey::get('TEMP_TOKEN', $code);
|
||||
Cache::put($key, $user->id, 60);
|
||||
|
||||
$redirectUrl = '/#/login?verify=' . $code . '&redirect=' . ($redirect ? $redirect : 'dashboard');
|
||||
|
||||
if (admin_setting('app_url')) {
|
||||
return admin_setting('app_url') . $redirectUrl;
|
||||
} else {
|
||||
return url($redirectUrl);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* 处理Token登录
|
||||
*
|
||||
@@ -104,19 +82,19 @@ class MailLinkService
|
||||
{
|
||||
$key = CacheKey::get('TEMP_TOKEN', $token);
|
||||
$userId = Cache::get($key);
|
||||
|
||||
|
||||
if (!$userId) {
|
||||
return null;
|
||||
}
|
||||
|
||||
|
||||
$user = User::find($userId);
|
||||
|
||||
|
||||
if (!$user || $user->banned) {
|
||||
return null;
|
||||
}
|
||||
|
||||
|
||||
Cache::forget($key);
|
||||
|
||||
|
||||
return $userId;
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -5,12 +5,12 @@ namespace App\Services\Auth;
|
||||
use App\Models\InviteCode;
|
||||
use App\Models\Plan;
|
||||
use App\Models\User;
|
||||
use App\Services\CaptchaService;
|
||||
use App\Utils\CacheKey;
|
||||
use App\Utils\Dict;
|
||||
use App\Utils\Helper;
|
||||
use Illuminate\Http\Request;
|
||||
use Illuminate\Support\Facades\Cache;
|
||||
use ReCaptcha\ReCaptcha;
|
||||
|
||||
class RegisterService
|
||||
{
|
||||
@@ -23,36 +23,42 @@ class RegisterService
|
||||
public function validateRegister(Request $request): array
|
||||
{
|
||||
// 检查IP注册限制
|
||||
if ((int)admin_setting('register_limit_by_ip_enable', 0)) {
|
||||
if ((int) admin_setting('register_limit_by_ip_enable', 0)) {
|
||||
$registerCountByIP = Cache::get(CacheKey::get('REGISTER_IP_RATE_LIMIT', $request->ip())) ?? 0;
|
||||
if ((int)$registerCountByIP >= (int)admin_setting('register_limit_count', 3)) {
|
||||
return [false, [429, __('Register frequently, please try again after :minute minute', [
|
||||
'minute' => admin_setting('register_limit_expire', 60)
|
||||
])]];
|
||||
if ((int) $registerCountByIP >= (int) admin_setting('register_limit_count', 3)) {
|
||||
return [
|
||||
false,
|
||||
[
|
||||
429,
|
||||
__('Register frequently, please try again after :minute minute', [
|
||||
'minute' => admin_setting('register_limit_expire', 60)
|
||||
])
|
||||
]
|
||||
];
|
||||
}
|
||||
}
|
||||
|
||||
// 检查验证码
|
||||
if ((int)admin_setting('recaptcha_enable', 0)) {
|
||||
$recaptcha = new ReCaptcha(admin_setting('recaptcha_key'));
|
||||
$recaptchaResp = $recaptcha->verify($request->input('recaptcha_data'));
|
||||
if (!$recaptchaResp->isSuccess()) {
|
||||
return [false, [400, __('Invalid code is incorrect')]];
|
||||
}
|
||||
$captchaService = app(CaptchaService::class);
|
||||
[$captchaValid, $captchaError] = $captchaService->verify($request);
|
||||
if (!$captchaValid) {
|
||||
return [false, $captchaError];
|
||||
}
|
||||
|
||||
// 检查邮箱白名单
|
||||
if ((int)admin_setting('email_whitelist_enable', 0)) {
|
||||
if (!Helper::emailSuffixVerify(
|
||||
$request->input('email'),
|
||||
admin_setting('email_whitelist_suffix', Dict::EMAIL_WHITELIST_SUFFIX_DEFAULT))
|
||||
if ((int) admin_setting('email_whitelist_enable', 0)) {
|
||||
if (
|
||||
!Helper::emailSuffixVerify(
|
||||
$request->input('email'),
|
||||
admin_setting('email_whitelist_suffix', Dict::EMAIL_WHITELIST_SUFFIX_DEFAULT)
|
||||
)
|
||||
) {
|
||||
return [false, [400, __('Email suffix is not in the Whitelist')]];
|
||||
}
|
||||
}
|
||||
|
||||
// 检查Gmail限制
|
||||
if ((int)admin_setting('email_gmail_limit_enable', 0)) {
|
||||
if ((int) admin_setting('email_gmail_limit_enable', 0)) {
|
||||
$prefix = explode('@', $request->input('email'))[0];
|
||||
if (strpos($prefix, '.') !== false || strpos($prefix, '+') !== false) {
|
||||
return [false, [400, __('Gmail alias is not supported')]];
|
||||
@@ -60,23 +66,23 @@ class RegisterService
|
||||
}
|
||||
|
||||
// 检查是否关闭注册
|
||||
if ((int)admin_setting('stop_register', 0)) {
|
||||
if ((int) admin_setting('stop_register', 0)) {
|
||||
return [false, [400, __('Registration has closed')]];
|
||||
}
|
||||
|
||||
// 检查邀请码要求
|
||||
if ((int)admin_setting('invite_force', 0)) {
|
||||
if ((int) admin_setting('invite_force', 0)) {
|
||||
if (empty($request->input('invite_code'))) {
|
||||
return [false, [422, __('You must use the invitation code to register')]];
|
||||
}
|
||||
}
|
||||
|
||||
// 检查邮箱验证
|
||||
if ((int)admin_setting('email_verify', 0)) {
|
||||
if ((int) admin_setting('email_verify', 0)) {
|
||||
if (empty($request->input('email_code'))) {
|
||||
return [false, [422, __('Email verification code cannot be empty')]];
|
||||
}
|
||||
if ((string)Cache::get(CacheKey::get('EMAIL_VERIFY_CODE', $request->input('email'))) !== (string)$request->input('email_code')) {
|
||||
if ((string) Cache::get(CacheKey::get('EMAIL_VERIFY_CODE', $request->input('email'))) !== (string) $request->input('email_code')) {
|
||||
return [false, [400, __('Incorrect email verification code')]];
|
||||
}
|
||||
}
|
||||
@@ -109,15 +115,15 @@ class RegisterService
|
||||
->first();
|
||||
|
||||
if (!$inviteCodeModel) {
|
||||
if ((int)admin_setting('invite_force', 0)) {
|
||||
if ((int) admin_setting('invite_force', 0)) {
|
||||
return [false, [400, __('Invalid invitation code')]];
|
||||
}
|
||||
return [true, null];
|
||||
}
|
||||
|
||||
$user->invite_user_id = $inviteCodeModel->user_id ? $inviteCodeModel->user_id : null;
|
||||
|
||||
if (!(int)admin_setting('invite_never_expire', 0)) {
|
||||
|
||||
if (!(int) admin_setting('invite_never_expire', 0)) {
|
||||
$inviteCodeModel->status = true;
|
||||
$inviteCodeModel->save();
|
||||
}
|
||||
@@ -133,7 +139,7 @@ class RegisterService
|
||||
*/
|
||||
public function handleTryOut(User $user): void
|
||||
{
|
||||
if ((int)admin_setting('try_out_plan_id', 0)) {
|
||||
if ((int) admin_setting('try_out_plan_id', 0)) {
|
||||
$plan = Plan::find(admin_setting('try_out_plan_id'));
|
||||
if ($plan) {
|
||||
$user->transfer_enable = $plan->transfer_enable * 1073741824;
|
||||
@@ -186,7 +192,7 @@ class RegisterService
|
||||
}
|
||||
|
||||
// 清除邮箱验证码
|
||||
if ((int)admin_setting('email_verify', 0)) {
|
||||
if ((int) admin_setting('email_verify', 0)) {
|
||||
Cache::forget(CacheKey::get('EMAIL_VERIFY_CODE', $email));
|
||||
}
|
||||
|
||||
@@ -195,15 +201,15 @@ class RegisterService
|
||||
$user->save();
|
||||
|
||||
// 更新IP注册计数
|
||||
if ((int)admin_setting('register_limit_by_ip_enable', 0)) {
|
||||
if ((int) admin_setting('register_limit_by_ip_enable', 0)) {
|
||||
$registerCountByIP = Cache::get(CacheKey::get('REGISTER_IP_RATE_LIMIT', $request->ip())) ?? 0;
|
||||
Cache::put(
|
||||
CacheKey::get('REGISTER_IP_RATE_LIMIT', $request->ip()),
|
||||
(int)$registerCountByIP + 1,
|
||||
(int)admin_setting('register_limit_expire', 60) * 60
|
||||
(int) $registerCountByIP + 1,
|
||||
(int) admin_setting('register_limit_expire', 60) * 60
|
||||
);
|
||||
}
|
||||
|
||||
return [true, $user];
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,112 @@
|
||||
<?php
|
||||
|
||||
namespace App\Services;
|
||||
|
||||
use Illuminate\Http\Request;
|
||||
use Illuminate\Support\Facades\Http;
|
||||
use ReCaptcha\ReCaptcha;
|
||||
|
||||
class CaptchaService
|
||||
{
|
||||
/**
|
||||
* 验证人机验证码
|
||||
*
|
||||
* @param Request $request 请求对象
|
||||
* @return array [是否通过, 错误消息]
|
||||
*/
|
||||
public function verify(Request $request): array
|
||||
{
|
||||
if (!(int) admin_setting('captcha_enable', 0)) {
|
||||
return [true, null];
|
||||
}
|
||||
|
||||
$captchaType = admin_setting('captcha_type', 'recaptcha');
|
||||
|
||||
return match ($captchaType) {
|
||||
'turnstile' => $this->verifyTurnstile($request),
|
||||
'recaptcha-v3' => $this->verifyRecaptchaV3($request),
|
||||
'recaptcha' => $this->verifyRecaptcha($request),
|
||||
default => [false, [400, __('Invalid captcha type')]]
|
||||
};
|
||||
}
|
||||
|
||||
/**
|
||||
* 验证 Cloudflare Turnstile
|
||||
*
|
||||
* @param Request $request
|
||||
* @return array
|
||||
*/
|
||||
private function verifyTurnstile(Request $request): array
|
||||
{
|
||||
$turnstileToken = $request->input('turnstile_token');
|
||||
if (!$turnstileToken) {
|
||||
return [false, [400, __('Invalid code is incorrect')]];
|
||||
}
|
||||
|
||||
$response = Http::post('https://challenges.cloudflare.com/turnstile/v0/siteverify', [
|
||||
'secret' => admin_setting('turnstile_secret_key'),
|
||||
'response' => $turnstileToken,
|
||||
'remoteip' => $request->ip()
|
||||
]);
|
||||
|
||||
$result = $response->json();
|
||||
if (!$result['success']) {
|
||||
return [false, [400, __('Invalid code is incorrect')]];
|
||||
}
|
||||
|
||||
return [true, null];
|
||||
}
|
||||
|
||||
/**
|
||||
* 验证 Google reCAPTCHA v3
|
||||
*
|
||||
* @param Request $request
|
||||
* @return array
|
||||
*/
|
||||
private function verifyRecaptchaV3(Request $request): array
|
||||
{
|
||||
$recaptchaV3Token = $request->input('recaptcha_v3_token');
|
||||
if (!$recaptchaV3Token) {
|
||||
return [false, [400, __('Invalid code is incorrect')]];
|
||||
}
|
||||
|
||||
$recaptcha = new ReCaptcha(admin_setting('recaptcha_v3_secret_key'));
|
||||
$recaptchaResp = $recaptcha->verify($recaptchaV3Token, $request->ip());
|
||||
|
||||
if (!$recaptchaResp->isSuccess()) {
|
||||
return [false, [400, __('Invalid code is incorrect')]];
|
||||
}
|
||||
|
||||
// 检查分数阈值(如果有的话)
|
||||
$score = $recaptchaResp->getScore();
|
||||
$threshold = admin_setting('recaptcha_v3_score_threshold', 0.5);
|
||||
if ($score !== null && $score < $threshold) {
|
||||
return [false, [400, __('Invalid code is incorrect')]];
|
||||
}
|
||||
|
||||
return [true, null];
|
||||
}
|
||||
|
||||
/**
|
||||
* 验证 Google reCAPTCHA v2
|
||||
*
|
||||
* @param Request $request
|
||||
* @return array
|
||||
*/
|
||||
private function verifyRecaptcha(Request $request): array
|
||||
{
|
||||
$recaptchaData = $request->input('recaptcha_data');
|
||||
if (!$recaptchaData) {
|
||||
return [false, [400, __('Invalid code is incorrect')]];
|
||||
}
|
||||
|
||||
$recaptcha = new ReCaptcha(admin_setting('recaptcha_key'));
|
||||
$recaptchaResp = $recaptcha->verify($recaptchaData);
|
||||
|
||||
if (!$recaptchaResp->isSuccess()) {
|
||||
return [false, [400, __('Invalid code is incorrect')]];
|
||||
}
|
||||
|
||||
return [true, null];
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user