feat: 忘记密码增设脱敏邮箱二次手动输入一致性核对安全锁
This commit is contained in:
@@ -131,7 +131,31 @@ class PasswordResetRateLimitTest extends TestCase
|
||||
}
|
||||
|
||||
/**
|
||||
* 测试发送链接的双层安全控频防御 (防止疯狂邮件轰炸他人)
|
||||
* 测试当用户输入的邮箱地址与绑定的真实邮箱不匹配时,二次核验拦截报错
|
||||
*/
|
||||
public function test_store_link_fails_when_masked_email_mismatch(): void
|
||||
{
|
||||
Sysparam::updateOrCreate(['alias' => 'smtp_enabled'], ['body' => '1']);
|
||||
|
||||
User::factory()->create([
|
||||
'username' => 'mismatch_user',
|
||||
'email' => 'real.mail@example.com',
|
||||
]);
|
||||
|
||||
$response = $this->postJson(route('password.email'), [
|
||||
'username' => 'mismatch_user',
|
||||
'email' => 'wrong.mail@example.com', // 错误的手输邮箱
|
||||
]);
|
||||
|
||||
$response->assertStatus(422);
|
||||
$response->assertJson([
|
||||
'status' => 'error',
|
||||
'message' => '输入的完整邮箱地址与该账号绑定的邮箱不一致,二次确认失败。',
|
||||
]);
|
||||
}
|
||||
|
||||
/**
|
||||
* 测试发送链接的双层安全控频防御 (防止发信轰炸他人)
|
||||
*/
|
||||
public function test_store_link_prevents_email_bombing(): void
|
||||
{
|
||||
@@ -146,14 +170,16 @@ class PasswordResetRateLimitTest extends TestCase
|
||||
$targetKey = 'pw-email:target:'.md5($email);
|
||||
RateLimiter::clear($targetKey);
|
||||
|
||||
// 模拟第一次发送成功
|
||||
// 模拟第一次发送
|
||||
$response1 = $this->postJson(route('password.email'), [
|
||||
'username' => 'bomb_user',
|
||||
'email' => 'bomb.target@example.com',
|
||||
]);
|
||||
|
||||
// 第二次在 3 分钟内再次连续发送同一个账号邮件,应该直接拦截返回 429,防止邮箱轰炸
|
||||
// 第二次在 3 分钟内再次连续发送,触发 429 节流
|
||||
$response2 = $this->postJson(route('password.email'), [
|
||||
'username' => 'bomb_user',
|
||||
'email' => 'bomb.target@example.com',
|
||||
]);
|
||||
|
||||
$response2->assertStatus(429);
|
||||
|
||||
Reference in New Issue
Block a user