feat: 忘记密码增设脱敏邮箱二次手动输入一致性核对安全锁

pllx
2026-07-01 11:13:46 +08:00
parent b098639db5
commit 94236e25eb
5 changed files with 76 additions and 24 deletions
@@ -108,21 +108,28 @@ class PasswordResetController extends Controller
], 403);
}
$email = trim((string) $request->input('email', ''));
$inputEmail = trim((string) $request->input('email', ''));
$username = trim((string) $request->input('username', ''));
$ip = $request->ip();
if ($username !== '') {
$user = User::query()->where('username', $username)->first();
if (! $user || empty($user->email)) {
return response()->json([
'status' => 'error',
'message' => '找不到绑定了邮箱的账号。',
], 422);
}
$email = $user->email;
$user = User::query()->where('username', $username)->first();
if (! $user || empty($user->email)) {
return response()->json([
'status' => 'error',
'message' => '找不到绑定了邮箱的账号。',
], 422);
}
// 强行双向比对核对(忽略大小写和前后空白)
if (strcasecmp($user->email, $inputEmail) !== 0) {
return response()->json([
'status' => 'error',
'message' => '输入的完整邮箱地址与该账号绑定的邮箱不一致,二次确认失败。',
], 422);
}
$email = $user->email;
// 1. IP 级别发信限流:限制单个 IP 每分钟最多请求 2 次
$ipKey = 'pw-email:ip:'.$ip;
if (RateLimiter::tooManyAttempts($ipKey, 2)) {
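Review bot: The bound-email comparison at L33 runs before the IP rate limiter at L40-L42 and answers with a 422 message distinct from the L29 `找不到绑定了邮箱的账号` branch, so anyone who knows a username can submit unlimited email guesses and learn both whether the account exists and which address it is bound to — the "second confirmation" becomes an unthrottled oracle rather than a lock. Moving the `RateLimiter::tooManyAttempts` guard (and, presumably, the matching hit call that follows outside this hunk) above the `User::query()` lookup, and returning one generic message for the not-found, no-email and mismatch cases, closes that gap; I would also add a comment stating that ordering is deliberate so a later refactor does not undo it. The start of this method and the remainder of the rate-limit handling are outside the hunk.
```php
$ip = $request->ip();
// Throttle before any account lookup so the email-consistency check below
// cannot be brute-forced per username.
$ipKey = 'pw-email:ip:'.$ip;
if (RateLimiter::tooManyAttempts($ipKey, 2)) {
    // … unchanged: body of the existing limiter branch …
}
$user = User::query()->where('username', $username)->first();
// One generic answer for "unknown user", "no bound email" and "email mismatch",
// so the response does not reveal which of the three failed.
if (! $user || empty($user->email) || strcasecmp($user->email, $inputEmail) !== 0) {
    return response()->json([
        'status' => 'error',
        'message' => '用户昵称与绑定邮箱不匹配。',
    ], 422);
}
$email = $user->email;
```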
@@ -31,8 +31,8 @@ class SendPasswordResetLinkRequest extends FormRequest
public function rules(): array
{
return [
'email' => ['required_without:username', 'nullable', 'email', 'max:255'],
'username' => ['required_without:email', 'nullable', 'string', 'max:100'],
'email' => ['required', 'email', 'max:255'],
'username' => ['required', 'string', 'max:100'],
];
}
@@ -44,9 +44,10 @@ class SendPasswordResetLinkRequest extends FormRequest
public function messages(): array
{
return [
'email.required' => '请输入绑定邮箱地址以进行二次确认。',
'email.email' => '邮箱格式不正确,请重新输入。',
'email.max' => '邮箱长度不能超过 255 个字符。',
'email.required_without' => '请输入绑定邮箱或用户昵称。',
'username.required' => '用户昵称参数缺失。',
];
}
}
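Review bot: `username` gets a custom message only for `required` (L61) while `email` carries localized text for every rule it declares, so a username over 100 characters or a non-string value surfaces Laravel's default-locale message next to the Chinese ones. Adding `'username.string' => '用户昵称格式不正确。'` and `'username.max' => '用户昵称长度不能超过 100 个字符。'` keeps the messages consistent with the rules declared in the hunk above.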