修复认证与基础安全链路

app/Http/Controllers/AuthController.php

@@ -20,6 +20,9 @@ use Illuminate\Support\Facades\Auth;
 use Illuminate\Support\Facades\Hash;
 use Illuminate\Support\Facades\Redis;
 
+/**
+ * 类功能：处理聊天室前台登录、自动注册与退出登录。
+ */
 class AuthController extends Controller
 {
     /**
@@ -61,7 +64,7 @@ class AuthController extends Controller
                     }
                 }
 
-                $this->performLogin($user, $ip);
+                $this->performLogin($user, $ip, $request);
 
                 return response()->json(['status' => 'success', 'message' => '登录成功']);
             }
@@ -83,7 +86,7 @@ class AuthController extends Controller
                     }
                 }
 
-                $this->performLogin($user, $ip);
+                $this->performLogin($user, $ip, $request);
 
                 return response()->json(['status' => 'success', 'message' => '登录成功，且安全策略已自动升级']);
             }
@@ -139,7 +142,7 @@ class AuthController extends Controller
             'inviter_id' => $inviterId, // 记录邀请人
         ]);
 
-        $this->performLogin($newUser, $ip);
+        $this->performLogin($newUser, $ip, $request);
 
         // 如果是通过邀请注册的，响应成功后建议清除 Cookie，防止污染后续注册
         if ($inviterId) {
@@ -152,9 +155,11 @@ class AuthController extends Controller
     /**
      * 执行实际的登录操作并记录时间、IP 等。
      */
-    private function performLogin(User $user, string $ip): void
+    private function performLogin(User $user, string $ip, Request $request): void
     {
         Auth::login($user);
+        // 登录成功后立即轮换 session id，阻断会话固定攻击。
+        $request->session()->regenerate();
 
         // 递增访问次数
         $user->increment('visit_num');