feat: 忘记密码升级为智能分流向导并部署IP/账号双层防扫防轰炸限流保护
This commit is contained in:
@@ -19,6 +19,7 @@ use Illuminate\Http\RedirectResponse;
|
||||
use Illuminate\Http\Request;
|
||||
use Illuminate\Support\Facades\Hash;
|
||||
use Illuminate\Support\Facades\Password;
|
||||
use Illuminate\Support\Facades\RateLimiter;
|
||||
use Illuminate\Support\Str;
|
||||
|
||||
/**
|
||||
@@ -37,6 +38,64 @@ class PasswordResetController extends Controller
|
||||
]);
|
||||
}
|
||||
|
||||
/**
|
||||
* 账号检测接口:根据昵称检测是否绑定微信或邮箱,并提供分流依据(支持 IP 防扫限流)。
|
||||
*/
|
||||
public function checkAccount(Request $request): JsonResponse
|
||||
{
|
||||
$request->validate([
|
||||
'username' => 'required|string|max:100',
|
||||
]);
|
||||
|
||||
$username = trim((string) $request->input('username'));
|
||||
$ip = $request->ip();
|
||||
|
||||
// IP 防扫描节流限制:每个 IP 每 1 分钟最多请求 5 次
|
||||
$ipKey = 'pw-check:ip:'.$ip;
|
||||
if (RateLimiter::tooManyAttempts($ipKey, 5)) {
|
||||
$seconds = RateLimiter::availableIn($ipKey);
|
||||
|
||||
return response()->json([
|
||||
'status' => 'error',
|
||||
'message' => "账号检测请求过于频繁,请在 {$seconds} 秒后重试。",
|
||||
], 429);
|
||||
}
|
||||
RateLimiter::hit($ipKey, 60);
|
||||
|
||||
$user = User::query()->where('username', $username)->first();
|
||||
if (! $user) {
|
||||
return response()->json([
|
||||
'status' => 'not_found',
|
||||
'message' => '抱歉,没有找到该昵称对应的账号。请确认后再试。',
|
||||
]);
|
||||
}
|
||||
|
||||
$hasEmail = ! empty($user->email);
|
||||
$hasWechat = ! empty($user->wxid);
|
||||
|
||||
// 对邮箱地址进行安全脱敏(如 pllx@ay.lc -> p***x@ay.lc)
|
||||
$maskedEmail = '';
|
||||
if ($hasEmail) {
|
||||
$parts = explode('@', $user->email);
|
||||
$name = $parts[0] ?? '';
|
||||
$domain = $parts[1] ?? '';
|
||||
$len = strlen($name);
|
||||
if ($len <= 2) {
|
||||
$maskedEmail = substr($name, 0, 1).'*'.'@'.$domain;
|
||||
} else {
|
||||
$maskedEmail = substr($name, 0, 1).str_repeat('*', $len - 2).substr($name, -1).'@'.$domain;
|
||||
}
|
||||
}
|
||||
|
||||
return response()->json([
|
||||
'status' => 'success',
|
||||
'username' => $user->username,
|
||||
'has_email' => $hasEmail,
|
||||
'has_wechat' => $hasWechat,
|
||||
'masked_email' => $maskedEmail,
|
||||
]);
|
||||
}
|
||||
|
||||
/**
|
||||
* 发送邮箱找回密码链接。
|
||||
*/
|
||||
@@ -49,7 +108,42 @@ class PasswordResetController extends Controller
|
||||
], 403);
|
||||
}
|
||||
|
||||
$email = trim((string) $request->string('email'));
|
||||
$email = trim((string) $request->input('email', ''));
|
||||
$username = trim((string) $request->input('username', ''));
|
||||
$ip = $request->ip();
|
||||
|
||||
if ($username !== '') {
|
||||
$user = User::query()->where('username', $username)->first();
|
||||
if (! $user || empty($user->email)) {
|
||||
return response()->json([
|
||||
'status' => 'error',
|
||||
'message' => '找不到绑定了邮箱的账号。',
|
||||
], 422);
|
||||
}
|
||||
$email = $user->email;
|
||||
}
|
||||
|
||||
// 1. IP 级别发信限流:限制单个 IP 每分钟最多请求 2 次
|
||||
$ipKey = 'pw-email:ip:'.$ip;
|
||||
if (RateLimiter::tooManyAttempts($ipKey, 2)) {
|
||||
$seconds = RateLimiter::availableIn($ipKey);
|
||||
|
||||
return response()->json([
|
||||
'status' => 'error',
|
||||
'message' => "发送验证链接过于频繁,请在 {$seconds} 秒后重试。",
|
||||
], 429);
|
||||
}
|
||||
|
||||
// 2. 账号邮箱级别冷却锁:同一个邮箱每 3 分钟限发 1 次,防止狂刷邮件轰炸他人
|
||||
$targetKey = 'pw-email:target:'.md5($email);
|
||||
if (RateLimiter::tooManyAttempts($targetKey, 1)) {
|
||||
$seconds = RateLimiter::availableIn($targetKey);
|
||||
|
||||
return response()->json([
|
||||
'status' => 'error',
|
||||
'message' => "该账号申请重置链接过于频繁,请在 {$seconds} 秒后重试。",
|
||||
], 429);
|
||||
}
|
||||
|
||||
// 邮箱找回必须保证一邮一号,否则重置目标会产生歧义。
|
||||
if (User::query()->where('email', $email)->count() > 1) {
|
||||
@@ -59,6 +153,10 @@ class PasswordResetController extends Controller
|
||||
], 422);
|
||||
}
|
||||
|
||||
// 记录发信请求频率
|
||||
RateLimiter::hit($ipKey, 60);
|
||||
RateLimiter::hit($targetKey, 180);
|
||||
|
||||
$status = Password::sendResetLink(['email' => $email]);
|
||||
|
||||
if ($status === Password::RESET_LINK_SENT) {
|
||||
|
||||
@@ -31,7 +31,8 @@ class SendPasswordResetLinkRequest extends FormRequest
|
||||
public function rules(): array
|
||||
{
|
||||
return [
|
||||
'email' => ['required', 'email', 'max:255'],
|
||||
'email' => ['required_without:username', 'nullable', 'email', 'max:255'],
|
||||
'username' => ['required_without:email', 'nullable', 'string', 'max:100'],
|
||||
];
|
||||
}
|
||||
|
||||
@@ -43,9 +44,9 @@ class SendPasswordResetLinkRequest extends FormRequest
|
||||
public function messages(): array
|
||||
{
|
||||
return [
|
||||
'email.required' => '请输入已绑定账号的邮箱地址。',
|
||||
'email.email' => '邮箱格式不正确,请重新输入。',
|
||||
'email.max' => '邮箱长度不能超过 255 个字符。',
|
||||
'email.required_without' => '请输入绑定邮箱或用户昵称。',
|
||||
];
|
||||
}
|
||||
}
|
||||
|
||||
+184
-21
@@ -1,6 +1,7 @@
|
||||
// 邮箱找回密码页交互入口,负责 AJAX 发送重置链接和页面提示。
|
||||
// 忘记密码页面交互逻辑:智能账号检测与分流引导
|
||||
|
||||
let passwordForgotControlsBound = false;
|
||||
let currentUsername = "";
|
||||
|
||||
/**
|
||||
* 读取 CSRF 令牌,供找回密码请求使用。
|
||||
@@ -30,33 +31,73 @@ function showAlert(message, type) {
|
||||
}
|
||||
|
||||
/**
|
||||
* 提交邮箱找回密码请求。
|
||||
* 隐藏找回密码页面提示。
|
||||
*
|
||||
* @returns {void}
|
||||
*/
|
||||
function hideAlert() {
|
||||
const alertBox = document.getElementById("alert-box");
|
||||
if (alertBox) {
|
||||
alertBox.style.display = "none";
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* 绑定双绑定状态下的选项卡切换事件。
|
||||
*
|
||||
* @returns {void}
|
||||
*/
|
||||
function bindTabEvents() {
|
||||
const tabsContainer = document.getElementById("channel-tabs");
|
||||
if (!tabsContainer) {
|
||||
return;
|
||||
}
|
||||
|
||||
tabsContainer.addEventListener("click", (event) => {
|
||||
const btn = event.target.closest(".tab-btn");
|
||||
if (!btn) {
|
||||
return;
|
||||
}
|
||||
|
||||
// 清除所有高亮
|
||||
tabsContainer.querySelectorAll(".tab-btn").forEach((b) => b.classList.remove("active"));
|
||||
btn.classList.add("active");
|
||||
|
||||
// 切换显示面板
|
||||
const targetId = btn.getAttribute("data-target");
|
||||
document.querySelectorAll(".channel-pane").forEach((pane) => {
|
||||
if (pane.id === targetId) {
|
||||
pane.style.display = "block";
|
||||
} else {
|
||||
pane.style.display = "none";
|
||||
}
|
||||
});
|
||||
});
|
||||
}
|
||||
|
||||
/**
|
||||
* 第一步:提交昵称检测账号绑定状态。
|
||||
*
|
||||
* @param {SubmitEvent} event
|
||||
* @returns {Promise<void>}
|
||||
*/
|
||||
async function submitPasswordRecovery(event) {
|
||||
async function submitAccountDetect(event) {
|
||||
event.preventDefault();
|
||||
|
||||
const form = event.target;
|
||||
const submitButton = document.getElementById("submit-btn");
|
||||
const alertBox = document.getElementById("alert-box");
|
||||
const detectBtn = document.getElementById("detect-btn");
|
||||
if (!(form instanceof HTMLFormElement)) {
|
||||
return;
|
||||
}
|
||||
|
||||
if (submitButton instanceof HTMLButtonElement) {
|
||||
submitButton.disabled = true;
|
||||
submitButton.innerText = "发送中...";
|
||||
}
|
||||
if (alertBox) {
|
||||
alertBox.style.display = "none";
|
||||
if (detectBtn instanceof HTMLButtonElement) {
|
||||
detectBtn.disabled = true;
|
||||
detectBtn.innerText = "账号检索中...";
|
||||
}
|
||||
hideAlert();
|
||||
|
||||
try {
|
||||
const response = await fetch(form.getAttribute("data-password-email-url") ?? form.action, {
|
||||
const response = await fetch(form.action, {
|
||||
method: "POST",
|
||||
credentials: "same-origin",
|
||||
headers: {
|
||||
"Content-Type": "application/json",
|
||||
"X-CSRF-TOKEN": getCsrfToken(),
|
||||
@@ -66,16 +107,121 @@ async function submitPasswordRecovery(event) {
|
||||
});
|
||||
const body = await response.json();
|
||||
|
||||
if (response.status === 200 && body.status === "success") {
|
||||
showAlert(body.message, "success");
|
||||
form.reset();
|
||||
if (response.status === 429) {
|
||||
showAlert(body.message || "请求过于频繁,请稍后再试。", "error");
|
||||
return;
|
||||
}
|
||||
|
||||
const errorMessage = body.message || (body.errors ? Object.values(body.errors)[0][0] : "邮件发送失败,请稍后重试。");
|
||||
if (body.status === "not_found") {
|
||||
showAlert(body.message, "error");
|
||||
return;
|
||||
}
|
||||
|
||||
if (body.status === "success") {
|
||||
currentUsername = body.username;
|
||||
document.getElementById("step-detect").style.display = "none";
|
||||
document.getElementById("step-result").style.display = "block";
|
||||
document.getElementById("recovery-title").innerText = "密码找回建议";
|
||||
document.getElementById("forgot-footer").style.display = "none";
|
||||
|
||||
const summary = document.getElementById("detect-summary");
|
||||
const tabs = document.getElementById("channel-tabs");
|
||||
const panelWechat = document.getElementById("panel-wechat");
|
||||
const panelEmail = document.getElementById("panel-email");
|
||||
const panelNone = document.getElementById("panel-none");
|
||||
|
||||
// 默认隐藏所有特定面板
|
||||
tabs.style.display = "none";
|
||||
panelWechat.style.display = "none";
|
||||
panelEmail.style.display = "none";
|
||||
panelNone.style.display = "none";
|
||||
|
||||
const hasEmail = body.has_email;
|
||||
const hasWechat = body.has_wechat;
|
||||
|
||||
if (hasEmail && hasWechat) {
|
||||
summary.innerHTML = `检测到账号 <strong style="color:var(--gold);">${currentUsername}</strong> 已同时绑定了微信和邮箱。您可以选择以下任意一种方式找回密码:`;
|
||||
tabs.style.display = "grid";
|
||||
// 默认选中微信面板
|
||||
tabs.querySelectorAll(".tab-btn").forEach((b) => b.classList.remove("active"));
|
||||
const wechatTabBtn = tabs.querySelector('[data-target="panel-wechat"]');
|
||||
if (wechatTabBtn) {
|
||||
wechatTabBtn.classList.add("active");
|
||||
}
|
||||
panelWechat.style.display = "block";
|
||||
} else if (hasWechat) {
|
||||
summary.innerHTML = `检测到账号 <strong style="color:var(--gold);">${currentUsername}</strong> 仅绑定了微信。系统不支持邮箱找回,建议您使用微信助手进行重置:`;
|
||||
panelWechat.style.display = "block";
|
||||
} else if (hasEmail) {
|
||||
summary.innerHTML = `检测到账号 <strong style="color:var(--gold);">${currentUsername}</strong> 仅绑定了邮箱。建议您使用邮箱发送重置链接找回:`;
|
||||
panelEmail.style.display = "block";
|
||||
const emailInput = document.getElementById("email");
|
||||
if (emailInput instanceof HTMLInputElement) {
|
||||
emailInput.value = body.masked_email;
|
||||
}
|
||||
} else {
|
||||
summary.innerHTML = `检测到账号 <strong style="color:var(--gold);">${currentUsername}</strong> 尚未绑定微信或邮箱找回途径:`;
|
||||
panelNone.style.display = "block";
|
||||
}
|
||||
}
|
||||
} catch {
|
||||
showAlert("网络或服务器连接异常,请稍后再试。", "error");
|
||||
} finally {
|
||||
if (detectBtn instanceof HTMLButtonElement) {
|
||||
detectBtn.disabled = false;
|
||||
detectBtn.innerText = "下一步 (检测账号)";
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* 第二步:提交发送重置链接邮件请求。
|
||||
*
|
||||
* @param {SubmitEvent} event
|
||||
* @returns {Promise<void>}
|
||||
*/
|
||||
async function submitPasswordRecovery(event) {
|
||||
event.preventDefault();
|
||||
const form = event.target;
|
||||
const submitButton = document.getElementById("submit-btn");
|
||||
if (!(form instanceof HTMLFormElement)) {
|
||||
return;
|
||||
}
|
||||
|
||||
if (submitButton instanceof HTMLButtonElement) {
|
||||
submitButton.disabled = true;
|
||||
submitButton.innerText = "发送重置链接中...";
|
||||
}
|
||||
hideAlert();
|
||||
|
||||
try {
|
||||
const response = await fetch(form.getAttribute("data-password-email-url") ?? "", {
|
||||
method: "POST",
|
||||
headers: {
|
||||
"Content-Type": "application/json",
|
||||
"X-CSRF-TOKEN": getCsrfToken(),
|
||||
Accept: "application/json",
|
||||
},
|
||||
body: JSON.stringify({
|
||||
username: currentUsername,
|
||||
}),
|
||||
});
|
||||
const body = await response.json();
|
||||
|
||||
if (response.status === 429) {
|
||||
showAlert(body.message || "请求发送过于频繁,请稍后再试。", "error");
|
||||
return;
|
||||
}
|
||||
|
||||
if (body.status === "success") {
|
||||
showAlert(body.message, "success");
|
||||
return;
|
||||
}
|
||||
|
||||
const errorMessage = body.message || (body.errors ? Object.values(body.errors)[0][0] : "重置邮件发送失败,请稍后重试。");
|
||||
showAlert(errorMessage, "error");
|
||||
} catch {
|
||||
showAlert("网络或服务器异常,请稍后再试。", "error");
|
||||
showAlert("网络发送异常,请稍后再试。", "error");
|
||||
} finally {
|
||||
if (submitButton instanceof HTMLButtonElement) {
|
||||
submitButton.disabled = false;
|
||||
@@ -85,7 +231,7 @@ async function submitPasswordRecovery(event) {
|
||||
}
|
||||
|
||||
/**
|
||||
* 绑定邮箱找回密码页提交事件。
|
||||
* 绑定智能找回向导控制事件。
|
||||
*
|
||||
* @returns {void}
|
||||
*/
|
||||
@@ -93,11 +239,28 @@ function bindPasswordForgotControls() {
|
||||
if (passwordForgotControlsBound || typeof document === "undefined") {
|
||||
return;
|
||||
}
|
||||
|
||||
passwordForgotControlsBound = true;
|
||||
|
||||
// 第一步表单提交
|
||||
document.getElementById("account-detect-form")?.addEventListener("submit", (event) => {
|
||||
void submitAccountDetect(event);
|
||||
});
|
||||
|
||||
// 第二步发信表单提交
|
||||
document.getElementById("password-recovery-form")?.addEventListener("submit", (event) => {
|
||||
void submitPasswordRecovery(event);
|
||||
});
|
||||
|
||||
// 返回按钮事件
|
||||
document.getElementById("back-detect-btn")?.addEventListener("click", () => {
|
||||
hideAlert();
|
||||
document.getElementById("step-detect").style.display = "block";
|
||||
document.getElementById("step-result").style.display = "none";
|
||||
document.getElementById("recovery-title").innerText = "忘记密码";
|
||||
document.getElementById("forgot-footer").style.display = "block";
|
||||
});
|
||||
|
||||
bindTabEvents();
|
||||
}
|
||||
|
||||
bindPasswordForgotControls();
|
||||
|
||||
@@ -182,6 +182,101 @@
|
||||
line-height: 1.7;
|
||||
}
|
||||
|
||||
/* ── 智能引导 Tab 及微信向导样式 ── */
|
||||
.tabs {
|
||||
display: grid;
|
||||
grid-template-columns: 1fr 1fr;
|
||||
gap: 2px;
|
||||
margin-bottom: 20px;
|
||||
border: 1px solid var(--border);
|
||||
background: rgba(255, 248, 236, 0.02);
|
||||
padding: 2px;
|
||||
}
|
||||
|
||||
.tab-btn {
|
||||
height: 46px;
|
||||
background: transparent;
|
||||
border: none;
|
||||
color: var(--text-soft);
|
||||
font-size: 14px;
|
||||
font-weight: 500;
|
||||
cursor: pointer;
|
||||
transition: all 0.2s ease;
|
||||
font-family: inherit;
|
||||
}
|
||||
|
||||
.tab-btn:hover {
|
||||
color: var(--text);
|
||||
background: rgba(255, 255, 255, 0.02);
|
||||
}
|
||||
|
||||
.tab-btn.active {
|
||||
color: var(--gold);
|
||||
background: rgba(198, 163, 91, 0.08);
|
||||
font-weight: 700;
|
||||
}
|
||||
|
||||
.wechat-guide {
|
||||
display: flex;
|
||||
flex-direction: column;
|
||||
gap: 12px;
|
||||
margin-bottom: 18px;
|
||||
}
|
||||
|
||||
.guide-step {
|
||||
display: flex;
|
||||
align-items: flex-start;
|
||||
gap: 12px;
|
||||
background: rgba(255, 248, 236, 0.02);
|
||||
border: 1px solid rgba(198, 163, 91, 0.08);
|
||||
padding: 12px 14px;
|
||||
}
|
||||
|
||||
.step-num {
|
||||
width: 22px;
|
||||
height: 22px;
|
||||
background: var(--gold);
|
||||
color: var(--bg);
|
||||
border-radius: 50%;
|
||||
display: flex;
|
||||
align-items: center;
|
||||
justify-content: center;
|
||||
font-weight: 900;
|
||||
font-size: 12px;
|
||||
flex-shrink: 0;
|
||||
box-shadow: 0 0 10px rgba(198, 163, 91, 0.2);
|
||||
}
|
||||
|
||||
.step-desc {
|
||||
font-size: 13.5px;
|
||||
line-height: 1.6;
|
||||
color: var(--text-soft);
|
||||
}
|
||||
|
||||
.step-desc strong {
|
||||
color: var(--text);
|
||||
}
|
||||
|
||||
.cmd-badge {
|
||||
display: inline-block;
|
||||
padding: 2px 8px;
|
||||
background: var(--red);
|
||||
color: #fff;
|
||||
font-weight: 700;
|
||||
font-size: 12px;
|
||||
border-radius: 3px;
|
||||
margin: 0 4px;
|
||||
}
|
||||
|
||||
.wechat-tip {
|
||||
border-left: 3px solid var(--gold);
|
||||
background: rgba(198, 163, 91, 0.03);
|
||||
padding: 12px;
|
||||
font-size: 13px;
|
||||
line-height: 1.6;
|
||||
color: var(--text-soft);
|
||||
}
|
||||
|
||||
@media (max-width: 640px) {
|
||||
.content {
|
||||
padding: 22px 18px 18px;
|
||||
@@ -198,41 +293,102 @@
|
||||
<main class="card">
|
||||
<section class="content">
|
||||
<div class="eyebrow">PASSWORD RECOVERY</div>
|
||||
<h1>邮箱找回密码</h1>
|
||||
<p class="lead">请输入账号已绑定的邮箱地址。系统会把重置密码链接发送到邮箱,您再进入独立页面设置新密码。</p>
|
||||
<h1 id="recovery-title">忘记密码</h1>
|
||||
|
||||
<div id="alert-box" class="alert" aria-live="polite"></div>
|
||||
|
||||
<form id="password-recovery-form" data-password-email-url="{{ route('password.email') }}">
|
||||
<label for="email">绑定邮箱</label>
|
||||
<input
|
||||
id="email"
|
||||
name="email"
|
||||
type="email"
|
||||
maxlength="255"
|
||||
placeholder="请输入账号绑定的邮箱地址"
|
||||
autocomplete="email"
|
||||
{{ $smtpEnabled ? '' : 'disabled' }}
|
||||
required
|
||||
>
|
||||
<div class="tip">仅支持已绑定唯一邮箱的账号自助找回。重置链接默认 60 分钟内有效。</div>
|
||||
<!-- ================== 步骤一:检测账号昵称 ================== -->
|
||||
<div id="step-detect" class="step-panel">
|
||||
<p class="lead">请输入您的聊天室用户昵称,小助手将智能查询并为您提供最安全的重置方案。</p>
|
||||
<form id="account-detect-form" action="{{ route('password.check_account') }}">
|
||||
<label for="username">账号昵称</label>
|
||||
<input
|
||||
id="username"
|
||||
name="username"
|
||||
type="text"
|
||||
maxlength="100"
|
||||
placeholder="请输入您的聊天室账号昵称"
|
||||
required
|
||||
>
|
||||
<div class="actions">
|
||||
<button id="detect-btn" type="submit">下一步 (检测账号)</button>
|
||||
<a class="ghost-link" href="{{ route('home') }}">返回首页</a>
|
||||
</div>
|
||||
</form>
|
||||
</div>
|
||||
|
||||
<div class="actions">
|
||||
<button id="submit-btn" type="submit" {{ $smtpEnabled ? '' : 'disabled' }}>发送重置邮件</button>
|
||||
<!-- ================== 步骤二:智能找回分流面板 ================== -->
|
||||
<div id="step-result" class="step-panel" style="display: none;">
|
||||
<!-- 渠道切换 Tab(仅在双绑定时可见) -->
|
||||
<div id="channel-tabs" class="tabs" style="display: none;">
|
||||
<button type="button" class="tab-btn active" data-target="panel-wechat">💬 微信找回 (推荐)</button>
|
||||
<button type="button" class="tab-btn" data-target="panel-email">📧 邮箱找回</button>
|
||||
</div>
|
||||
|
||||
<!-- 结果提示横幅 -->
|
||||
<p id="detect-summary" class="lead" style="margin-bottom: 15px; font-weight: 500;"></p>
|
||||
|
||||
<!-- 模块一:微信私聊重置指引 -->
|
||||
<div id="panel-wechat" class="channel-pane" style="display: none;">
|
||||
<div class="wechat-guide">
|
||||
<div class="guide-step">
|
||||
<div class="step-num">1</div>
|
||||
<div class="step-desc">打开微信,进入与微信助手 <strong>【小小】</strong> 的私发消息窗口。</div>
|
||||
</div>
|
||||
<div class="guide-step">
|
||||
<div class="step-num">2</div>
|
||||
<div class="step-desc">在对话框中直接输入并发送重置口令:<span class="cmd-badge">重置密码</span></div>
|
||||
</div>
|
||||
<div class="guide-step">
|
||||
<div class="step-num">3</div>
|
||||
<div class="step-desc">微信小助手将即时为您自动生成 <strong>8位随机新密码</strong> 并直接通过微信回复您!</div>
|
||||
</div>
|
||||
</div>
|
||||
<div class="wechat-tip">
|
||||
⚠️ <strong>安全提示:</strong> 该操作直接经由微信私聊分发,密码不泄露在大厅公屏,请放心使用。
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<!-- 模块二:邮箱重置发送表单 -->
|
||||
<div id="panel-email" class="channel-pane" style="display: none;">
|
||||
<form id="password-recovery-form" data-password-email-url="{{ route('password.email') }}">
|
||||
<label for="email">已绑定邮箱</label>
|
||||
<input
|
||||
id="email"
|
||||
name="email"
|
||||
type="email"
|
||||
maxlength="255"
|
||||
placeholder="账号绑定的邮箱地址"
|
||||
autocomplete="email"
|
||||
readonly
|
||||
required
|
||||
>
|
||||
<div class="tip" style="margin-bottom: 15px;">出于安全目的,此邮箱仅作脱敏验证。系统将向该邮箱投递密码重置链接。</div>
|
||||
|
||||
<button id="submit-btn" type="submit" style="width: 100%;" {{ $smtpEnabled ? '' : 'disabled' }}>发送重置邮件</button>
|
||||
</form>
|
||||
</div>
|
||||
|
||||
<!-- 模块三:均未绑定提示(无法自助找回) -->
|
||||
<div id="panel-none" class="channel-pane" style="display: none;">
|
||||
<div class="wechat-tip" style="border-color: var(--danger); background: rgba(143, 46, 39, 0.08); color: #f5cbc7;">
|
||||
❌ <strong>无法自助找回:</strong><br>
|
||||
由于您的账号既未绑定邮箱,也未绑定微信,系统无法验证您的持有权。请联系站长或管理员进行人工核验申诉重置。
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<!-- 底部返回与重试操作 -->
|
||||
<div class="actions" style="margin-top: 20px;">
|
||||
<button id="back-detect-btn" type="button" class="ghost-link" style="color: var(--gold); border-color: rgba(198,163,91,0.4);">返回重新检测</button>
|
||||
<a class="ghost-link" href="{{ route('home') }}">返回首页</a>
|
||||
</div>
|
||||
</form>
|
||||
</div>
|
||||
|
||||
<div class="footer">
|
||||
@if ($smtpEnabled)
|
||||
找回成功后,请回到首页使用原昵称和新密码登录聊天室。
|
||||
@else
|
||||
当前系统尚未开启邮箱发信服务,暂时无法通过邮箱找回密码。
|
||||
@endif
|
||||
<div class="footer" id="forgot-footer">
|
||||
找回密码成功后,请使用账号昵称和新重置的密码登录聊天室。
|
||||
</div>
|
||||
</section>
|
||||
</main>
|
||||
|
||||
</body>
|
||||
|
||||
</html>
|
||||
|
||||
@@ -47,6 +47,7 @@ Route::post('/login', [AuthController::class, 'login'])
|
||||
Route::middleware('guest')->group(function () {
|
||||
Route::get('/forgot-password', [PasswordResetController::class, 'create'])->name('password.request');
|
||||
Route::post('/forgot-password', [PasswordResetController::class, 'storeLink'])->name('password.email');
|
||||
Route::post('/forgot-password/check-account', [PasswordResetController::class, 'checkAccount'])->name('password.check_account');
|
||||
Route::get('/reset-password/{token}', [PasswordResetController::class, 'edit'])->name('password.reset');
|
||||
Route::post('/reset-password', [PasswordResetController::class, 'update'])->name('password.update');
|
||||
});
|
||||
|
||||
@@ -0,0 +1,165 @@
|
||||
<?php
|
||||
|
||||
/**
|
||||
* 文件功能:找回密码账号检测与防扫描轰炸限流 Feature 测试
|
||||
*
|
||||
* 覆盖密码重置流程中的多维限流阀门,确保 IP 防扫与用户邮箱防轰炸策略稳健起效。
|
||||
*
|
||||
* @author ChatRoom Laravel
|
||||
*
|
||||
* @version 1.0.0
|
||||
*/
|
||||
|
||||
namespace Tests\Feature;
|
||||
|
||||
use App\Models\Sysparam;
|
||||
use App\Models\User;
|
||||
use Illuminate\Foundation\Testing\RefreshDatabase;
|
||||
use Illuminate\Support\Facades\RateLimiter;
|
||||
use Tests\TestCase;
|
||||
|
||||
class PasswordResetRateLimitTest extends TestCase
|
||||
{
|
||||
use RefreshDatabase;
|
||||
|
||||
protected function setUp(): void
|
||||
{
|
||||
parent::setUp();
|
||||
RateLimiter::clear('pw-check:ip:127.0.0.1');
|
||||
RateLimiter::clear('pw-email:ip:127.0.0.1');
|
||||
}
|
||||
|
||||
/**
|
||||
* 测试账号检测:不存在账号返回 404/not_found
|
||||
*/
|
||||
public function test_check_account_returns_not_found_when_user_does_not_exist(): void
|
||||
{
|
||||
$response = $this->postJson(route('password.check_account'), [
|
||||
'username' => 'non_existing_user_abc',
|
||||
]);
|
||||
|
||||
$response->assertStatus(200);
|
||||
$response->assertJson([
|
||||
'status' => 'not_found',
|
||||
'message' => '抱歉,没有找到该昵称对应的账号。请确认后再试。',
|
||||
]);
|
||||
}
|
||||
|
||||
/**
|
||||
* 测试账号检测分流状态与脱敏邮箱输出
|
||||
*/
|
||||
public function test_check_account_shows_correct_channels(): void
|
||||
{
|
||||
// 1. 双绑定用户
|
||||
$bothBoundUser = User::factory()->create([
|
||||
'username' => 'both_user',
|
||||
'email' => 'both.test@example.com',
|
||||
'wxid' => 'wxid_both',
|
||||
]);
|
||||
|
||||
$response1 = $this->postJson(route('password.check_account'), [
|
||||
'username' => 'both_user',
|
||||
]);
|
||||
|
||||
$response1->assertJson([
|
||||
'status' => 'success',
|
||||
'has_email' => true,
|
||||
'has_wechat' => true,
|
||||
'masked_email' => 'b*******t@example.com',
|
||||
]);
|
||||
|
||||
// 2. 仅绑定微信用户
|
||||
$wechatUser = User::factory()->create([
|
||||
'username' => 'wx_user',
|
||||
'email' => null,
|
||||
'wxid' => 'wxid_single',
|
||||
]);
|
||||
|
||||
$response2 = $this->postJson(route('password.check_account'), [
|
||||
'username' => 'wx_user',
|
||||
]);
|
||||
|
||||
$response2->assertJson([
|
||||
'status' => 'success',
|
||||
'has_email' => false,
|
||||
'has_wechat' => true,
|
||||
]);
|
||||
|
||||
// 3. 均未绑定用户
|
||||
$noneUser = User::factory()->create([
|
||||
'username' => 'none_user',
|
||||
'email' => null,
|
||||
'wxid' => null,
|
||||
]);
|
||||
|
||||
$response3 = $this->postJson(route('password.check_account'), [
|
||||
'username' => 'none_user',
|
||||
]);
|
||||
|
||||
$response3->assertJson([
|
||||
'status' => 'success',
|
||||
'has_email' => false,
|
||||
'has_wechat' => false,
|
||||
]);
|
||||
}
|
||||
|
||||
/**
|
||||
* 测试 IP 防扫描限流限制 (每个 IP 1分钟限制 5 次检测)
|
||||
*/
|
||||
public function test_check_account_rate_limiting(): void
|
||||
{
|
||||
$ip = '127.0.0.1';
|
||||
|
||||
// 连续请求 5 次都应该正常响应
|
||||
for ($i = 0; $i < 5; $i++) {
|
||||
$response = $this->postJson(route('password.check_account'), [
|
||||
'username' => 'non_existing_user',
|
||||
]);
|
||||
$response->assertStatus(200);
|
||||
}
|
||||
|
||||
// 第 6 次应该被 RateLimiter 节流拦截返回 429
|
||||
$response = $this->postJson(route('password.check_account'), [
|
||||
'username' => 'non_existing_user',
|
||||
]);
|
||||
|
||||
$response->assertStatus(429);
|
||||
$response->assertJson([
|
||||
'status' => 'error',
|
||||
]);
|
||||
$this->assertStringContainsString('请求过于频繁', $response->json('message'));
|
||||
}
|
||||
|
||||
/**
|
||||
* 测试发送链接的双层安全控频防御 (防止疯狂邮件轰炸他人)
|
||||
*/
|
||||
public function test_store_link_prevents_email_bombing(): void
|
||||
{
|
||||
Sysparam::updateOrCreate(['alias' => 'smtp_enabled'], ['body' => '1']);
|
||||
|
||||
$user = User::factory()->create([
|
||||
'username' => 'bomb_user',
|
||||
'email' => 'bomb.target@example.com',
|
||||
]);
|
||||
|
||||
$email = $user->email;
|
||||
$targetKey = 'pw-email:target:'.md5($email);
|
||||
RateLimiter::clear($targetKey);
|
||||
|
||||
// 模拟第一次发送成功
|
||||
$response1 = $this->postJson(route('password.email'), [
|
||||
'username' => 'bomb_user',
|
||||
]);
|
||||
|
||||
// 第二次在 3 分钟内再次连续发送同一个账号邮件,应该直接拦截返回 429,防止邮箱轰炸
|
||||
$response2 = $this->postJson(route('password.email'), [
|
||||
'username' => 'bomb_user',
|
||||
]);
|
||||
|
||||
$response2->assertStatus(429);
|
||||
$response2->assertJson([
|
||||
'status' => 'error',
|
||||
]);
|
||||
$this->assertStringContainsString('重置链接过于频繁', $response2->json('message'));
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user