修复认证与基础安全链路

2026-04-19 14:42:42 +08:00
parent bd97ed0b73
commit 5ce83a769d
13 changed files with 636 additions and 55 deletions
@@ -16,6 +16,7 @@ namespace Tests\Feature\Feature;
 use App\Models\User;
 use Illuminate\Foundation\Testing\RefreshDatabase;
 use Illuminate\Support\Facades\Hash;
+use Illuminate\Support\Facades\RateLimiter;
 use Illuminate\Support\Facades\Validator;
 use Tests\TestCase;

@@ -112,4 +113,37 @@ class AdminAuthControllerTest extends TestCase

        $response->assertRedirect(route('admin.dashboard'));
    }
+
+    /**
+     * 测试隐藏后台登录入口会在连续失败后触发服务端限流。
+     */
+    public function test_hidden_admin_login_route_is_rate_limited_after_repeated_failures(): void
+    {
+        RateLimiter::clear('admin-hidden-login|site-owner|127.0.0.1');
+
+        User::factory()->create([
+            'id' => 1,
+            'username' => 'site-owner',
+            'password' => Hash::make('correct-password'),
+        ]);
+
+        for ($attempt = 1; $attempt <= 5; $attempt++) {
+            $response = $this->from('/lkddi')->post('/lkddi', [
+                'username' => 'site-owner',
+                'password' => 'wrong-password',
+                'captcha' => '1234',
+            ]);
+
+            $response->assertRedirect('/lkddi');
+        }
+
+        $rateLimitedResponse = $this->from('/lkddi')->post('/lkddi', [
+            'username' => 'site-owner',
+            'password' => 'wrong-password',
+            'captcha' => '1234',
+        ]);
+
+        $rateLimitedResponse->assertStatus(429);
+        $rateLimitedResponse->assertSessionHasErrors('username');
+    }
 }