feat: 忘记密码增设脱敏邮箱二次手动输入一致性核对安全锁
@@ -108,21 +108,28 @@ class PasswordResetController extends Controller
|
||||
], 403);
|
||||
}
|
||||
|
||||
$email = trim((string) $request->input('email', ''));
|
||||
$inputEmail = trim((string) $request->input('email', ''));
|
||||
$username = trim((string) $request->input('username', ''));
|
||||
$ip = $request->ip();
|
||||
|
||||
if ($username !== '') {
|
||||
$user = User::query()->where('username', $username)->first();
|
||||
if (! $user || empty($user->email)) {
|
||||
return response()->json([
|
||||
'status' => 'error',
|
||||
'message' => '找不到绑定了邮箱的账号。',
|
||||
], 422);
|
||||
}
|
||||
$email = $user->email;
|
||||
$user = User::query()->where('username', $username)->first();
|
||||
if (! $user || empty($user->email)) {
|
||||
return response()->json([
|
||||
'status' => 'error',
|
||||
'message' => '找不到绑定了邮箱的账号。',
|
||||
], 422);
|
||||
}
|
||||
|
||||
// 强行双向比对核对(忽略大小写和前后空白)
|
||||
if (strcasecmp($user->email, $inputEmail) !== 0) {
|
||||
return response()->json([
|
||||
'status' => 'error',
|
||||
'message' => '输入的完整邮箱地址与该账号绑定的邮箱不一致,二次确认失败。',
|
||||
], 422);
|
||||
}
|
||||
|
||||
$email = $user->email;
|
||||
|
||||
// 1. IP 级别发信限流:限制单个 IP 每分钟最多请求 2 次
|
||||
$ipKey = 'pw-email:ip:'.$ip;
|
||||
if (RateLimiter::tooManyAttempts($ipKey, 2)) {
|
||||
|
||||
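Review bot: The new `strcasecmp($user->email, $inputEmail)` comparison runs before the IP-level limiter at `RateLimiter::tooManyAttempts($ipKey, 2)`, so failed comparisons are never counted and a caller who knows a username can try candidate addresses for the masked email as fast as it can send requests. Either move the comparison below the limiter or record the failure before returning, e.g. `RateLimiter::hit($ipKey);` immediately ahead of the mismatch `return response()->json([...], 422);`. The mismatch message also differs from the earlier '找不到绑定了邮箱的账号。' response, which tells the caller that the username exists and has an email bound; returning one generic message for both cases would avoid that oracle. Separately, the unconditional `$email = trim(...)` line is removed and `$email = $user->email;` is now assigned only inside `if ($username !== '')`, so with an empty username `$email` reaches the later sending code unassigned unless a check outside the hunk rejects that case. The enclosing method starts and ends outside the hunk.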