19 Commits

Author SHA1 Message Date
pllx 7b46a08a46 fix: 修复安全弹窗桥接后设置面板无法关闭的Bug 2026-07-01 11:27:40 +08:00
pllx 0006b7bcf6 feat: 登录大厅未设邮箱且未绑微信强引导弹窗并适配会话级防骚扰 2026-07-01 11:24:30 +08:00
pllx 563ac99348 feat: 忘记密码增设局部焦点提示及发信成功30秒防刷置灰倒计时锁 2026-07-01 11:16:09 +08:00
pllx 94236e25eb feat: 忘记密码增设脱敏邮箱二次手动输入一致性核对安全锁 2026-07-01 11:13:46 +08:00
pllx b098639db5 feat: 忘记密码升级为智能分流向导并部署IP/账号双层防扫防轰炸限流保护 2026-07-01 11:11:20 +08:00
pllx 879dcb0b59 feat: 微信端私聊机器人支持绑定微信号的密码自助重置功能,并提供反射自动化测试 2026-07-01 10:53:24 +08:00
pllx fcc88ecb0c fix: 豁免超级管理员(站长)在执行管理命令时必须在房间内的限制 2026-07-01 09:53:49 +08:00
pllx e8d9de51f8 fix: 对 AI小班长 等系统虚拟角色豁免警告时的在线状态校验 2026-07-01 09:53:14 +08:00
pllx b19ebdc7d8 style: 优化前台警告消息样式,标红、加大并加粗以提升视觉张力 2026-07-01 09:52:04 +08:00
pllx d8cb75d282 docs: 完善部署说明文档,补充 Octane 代理说明及 WebSocket 协议升级避坑指南 2026-06-30 14:20:55 +08:00
pllx 9fd7b14ec7 fix: 完全还原大厅页面,只保留导航栏作为百家乐的直达入口 2026-06-30 14:14:21 +08:00
pllx fc28fe37c6 fix: 移除大厅页面上多余的非百家乐操作按钮 2026-06-30 14:13:37 +08:00
pllx 524c8ed6f3 feat: 新建前台百家乐历史走势页面与珠盘路,打通大厅与导航栏快捷入口 2026-06-30 14:12:45 +08:00
pllx 394e216b92 dev: 添加 chokidar 依赖以支持开发环境下的 Octane 代码热重载(watch) 2026-06-30 13:38:46 +08:00
pllx b8a6c9d0c2 perf: 编写并执行数据库迁移,为 messages 表添加 (room_id, sent_at) 联合索引以消除慢查询 2026-06-30 11:38:38 +08:00
pllx be1406fc58 perf: 引入 laravel/octane 并安装常驻服务 Roadrunner 引擎,消除每次请求框架初始化开销 2026-06-30 11:38:35 +08:00
pllx 83192ffcce perf: 重构敏感词过滤为DFA算法,并引入WebSocket房间频道鉴权Redis缓存 2026-06-30 11:32:55 +08:00
pllx b19073cf85 perf: 优化挂机心跳接口,无奖励变动心跳拒绝写库save,仅在Redis保活以释放I/O压力 2026-06-30 11:32:53 +08:00
pllx 3563b45038 feat: 引入事务悲观锁(lockForUpdate)与余额二次校验,防范高并发资产越权与透支漏洞 2026-06-30 11:32:52 +08:00
32 changed files with 3572 additions and 334 deletions
+2
View File
@@ -38,3 +38,5 @@ dump.rdb
# AI 生成文件
AGENTS.md
GEMINI.md
rr
.rr.yaml
+70 -44
View File
@@ -186,52 +186,66 @@ php artisan view:cache
### 6. Nginx 配置
在宝塔面板的 Nginx 配置中,需要添加 WebSocket 反向代理。
为了让外界能够通过 HTTPS 正常访问常驻内存服务器(Roadrunner 8000端口)以及实时 WebSocket 广播(Reverb 8080端口),需要在宝塔面板的 Nginx 配置中进行反向代理。
**第一步:** `server {}`**外面上方**添加
`server {}` 块**内部**`#REWRITE-END` 之后,禁止访问敏感文件之前)添加以下配置
```nginx
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# ── 1. 静态资源优先由 Nginx 直接响应,动态请求分流给 Octane ──
location / {
try_files $uri $uri/ @octane;
}
# ── 2. API、心跳等动态请求反向代理到本地 8000 端口 (Octane / Roadrunner) ──
location @octane {
proxy_set_header Host $http_host;
proxy_set_header Scheme $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://127.0.0.1:8000;
}
# ── 3. ⚡ WebSocket 实时广播反向代理 (Laravel Reverb 8080端口) ──
# 浏览器通过 /app 和 /apps 路径发起 WebSocket 连接
location /app {
proxy_pass http://127.0.0.1:8080;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
# 避坑提示:某些宝塔环境全局未配置 $connection_upgrade 变量,
# 直接写死 "Upgrade" 能 100% 避免 500 代理握手失败。
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# WebSocket 长连接保活:120秒无数据才断开
proxy_read_timeout 120s;
proxy_send_timeout 120s;
proxy_buffering off;
}
location /apps {
proxy_pass http://127.0.0.1:8080;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 120s;
proxy_send_timeout 120s;
proxy_buffering off;
}
```
**第二步:** 在 `server {}` 块**内部**`#REWRITE-END` 之后)添加:
```nginx
location /app {
proxy_pass http://127.0.0.1:8080;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 120s;
proxy_send_timeout 120s;
proxy_buffering off;
}
location /apps {
proxy_pass http://127.0.0.1:8080;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 120s;
proxy_send_timeout 120s;
proxy_buffering off;
}
```
**第三步:** 在宝塔面板 → 网站 → 伪静态中选择 `laravel5`
**第四步:** 测试并重载 Nginx:
**测试并重载 Nginx**
```bash
nginx -t && systemctl reload nginx
@@ -241,7 +255,7 @@ nginx -t && systemctl reload nginx
### 7. Supervisor 守护进程(关键!)
在宝塔面板 → 软件商店 → 安装「Supervisor管理器」,然后添加个守护进程:
在宝塔面板 → 软件商店 → 安装「Supervisor管理器」,然后添加个守护进程,确保长连接和心跳在后台持续运行
#### 进程一:Laravel ReverbWebSocket 服务器)
@@ -250,6 +264,7 @@ nginx -t && systemctl reload nginx
| 名称 | `chatroom-reverb` |
| 运行目录 | `/www/wwwroot/chat.ay.lc` |
| 启动命令 | `php artisan reverb:start` |
| 运行用户 | `www` |
| 进程数量 | `1` |
#### 进程二:Laravel Horizon(队列处理器)
@@ -259,12 +274,23 @@ nginx -t && systemctl reload nginx
| 名称 | `chatroom-horizon` |
| 运行目录 | `/www/wwwroot/chat.ay.lc` |
| 启动命令 | `php artisan horizon` |
| 运行用户 | `www` |
| 进程数量 | `1` |
#### 进程三:Laravel OctaneRoadrunner 常驻内存服务)
| 配置项 | 值 |
| -------- | ---------------------------------------------------------- |
| 名称 | `chatroom-octane` |
| 运行目录 | `/www/wwwroot/chat.ay.lc` |
| 启动命令 | `php artisan octane:start --server=roadrunner --port=8000` |
| 运行用户 | `www` |
| 进程数量 | `1` |
> ⚠️ **如果不配置 Supervisor**
>
> - 关闭 SSH 终端后,ReverbHorizon 会立刻停止
> - 聊天室将无法发送/接收消息,在线列表为空
> - 关闭 SSH 终端后,ReverbHorizon 和 Octane 会立刻停止运行,导致聊天室无法打开或无法收发消息!
> - **更新代码后**:当您在服务器上完成 `git pull` 后,需要运行 `php artisan octane:reload` 重新载入内存,代码才会生效。
---
@@ -107,6 +107,44 @@ class ConsumeWechatMessages extends Command
$this->info("收到潜在绑定请求: {$content} from {$fromUser}");
$this->handleBindRequest(strtoupper($content), $fromUser, $apiService);
}
// 微信密码重置逻辑:必须是私聊
if (! $isChatroom && str_contains($content, '重置密码')) {
$this->info("收到微信密码重置请求 from {$fromUser}");
$this->handlePasswordResetRequest($fromUser, $apiService);
}
}
/**
* 处理微信端的自助密码重置请求
*/
protected function handlePasswordResetRequest(string $wxid, WechatBotApiService $apiService): void
{
// 检索绑定了该微信号的聊天室用户
$user = User::where('wxid', $wxid)->first();
if (! $user) {
$apiService->sendTextMessage(
$wxid,
"❌ 密码重置失败:您当前的微信号尚未绑定任何聊天室账号。\n\n"
.'请先登录聊天室大厅,在个人设置中获取 6 位绑定码,然后再在微信中向我发送“BD-绑定码”(例如: BD-123456)进行绑定。'
);
return;
}
// 随机生成 8 位新随机密码并更新
$newPassword = \Illuminate\Support\Str::random(8);
$user->password = \Illuminate\Support\Facades\Hash::make($newPassword);
$user->save();
$successMsg = "🎉 密码重置成功!\n"
."本小助手已为您绑定的聊天室账号 [{$user->username}] 重新生成了密码:\n\n"
."{$newPassword}\n\n"
.'温馨提示:请使用此随机密码登录聊天室,并尽快在个人偏好设置中将其修改为您的常用密码。';
$apiService->sendTextMessage($wxid, $successMsg);
$this->info("微信用户 [{$user->username}] 已通过微信机器人成功重置了密码");
}
/**
@@ -599,8 +599,8 @@ class AdminCommandController extends Controller
return ['ok' => false, 'message' => '无权进入该房间,不能执行管理命令'];
}
// 管理命令只能作用于操作者当前所在房间,防止手工 POST 跨房间操作。
if (! $this->chatState->isUserInRoom($roomId, $operator->username)) {
// 超级管理员(站长 id = 1)豁免必须进房的限制,允许全局管理;普通管理员必须在房间内方可管理
if ($operator->id !== 1 && ! $this->chatState->isUserInRoom($roomId, $operator->username)) {
return ['ok' => false, 'message' => '请先进入该房间后再执行管理命令'];
}
@@ -614,6 +614,11 @@ class AdminCommandController extends Controller
*/
private function authorizeTargetOnlineInRoom(int $roomId, string $targetUsername): array
{
// 系统虚拟机器人账号豁免在线状态校验,允许测试与交互警告
if (in_array($targetUsername, ['AI小班长', '星海小博士'])) {
return ['ok' => true, 'message' => '校验通过'];
}
if (! $this->chatState->isUserInRoom($roomId, $targetUsername)) {
return ['ok' => false, 'message' => '目标用户不在当前房间,无法执行该操作'];
}
+46 -7
View File
@@ -19,6 +19,7 @@ use App\Enums\CurrencySource;
use App\Models\BaccaratBet;
use App\Models\BaccaratRound;
use App\Models\GameConfig;
use App\Models\User;
use App\Services\BaccaratLossCoverService;
use App\Services\GameBetBroadcastService;
use App\Services\GameRoomScopeService;
@@ -133,7 +134,7 @@ class BaccaratController extends Controller
$user = $request->user();
// 检查用户金币余额(金币字段为 jjb
// 快速过滤(非锁
if (($user->jjb ?? 0) < $data['amount']) {
return response()->json(['ok' => false, 'message' => '金币不足,无法下注。']);
}
@@ -142,10 +143,21 @@ class BaccaratController extends Controller
$lossCoverService = $this->lossCoverService;
return DB::transaction(function () use ($user, $round, $data, $currency, $lossCoverService): JsonResponse {
// 幂等:同一局只能下一注
// 1. 悲观锁锁定用户行
$lockedUser = User::query()
->whereKey($user->id)
->lockForUpdate()
->firstOrFail();
// 2. 锁保护下二次校验余额
if ((int) $lockedUser->jjb < $data['amount']) {
return response()->json(['ok' => false, 'message' => '金币不足,无法下注。']);
}
// 3. 幂等:同一局只能下一注
$existing = BaccaratBet::query()
->where('round_id', $round->id)
->where('user_id', $user->id)
->where('user_id', $lockedUser->id)
->lockForUpdate()
->exists();
@@ -153,9 +165,9 @@ class BaccaratController extends Controller
return response()->json(['ok' => false, 'message' => '本局您已下注,请等待开奖。']);
}
// 扣除金币
// 4. 扣除金币,传入锁定的用户实例
$currency->change(
$user,
$lockedUser,
'gold',
-$data['amount'],
CurrencySource::BACCARAT_BET,
@@ -167,16 +179,19 @@ class BaccaratController extends Controller
// 下注时间命中活动窗口时,将本次下注挂到对应的买单活动下。
$lossCoverEvent = $lossCoverService->findEventForBetTime(now());
// 写入下注记录
// 5. 写入下注记录
$bet = BaccaratBet::create([
'round_id' => $round->id,
'user_id' => $user->id,
'user_id' => $lockedUser->id,
'loss_cover_event_id' => $lossCoverEvent?->id,
'bet_type' => $data['bet_type'],
'amount' => $data['amount'],
'status' => 'pending',
]);
// 同步修改 Auth 内存实例的金币
$user->setAttribute('jjb', $lockedUser->jjb);
// 命中活动的下注要同步累计到用户活动记录中,便于后续前台查看。
$lossCoverService->registerBet($bet);
@@ -220,4 +235,28 @@ class BaccaratController extends Controller
return response()->json(['history' => $rounds]);
}
/**
* 前台百家乐历史走势与开奖页面。
*/
public function historyPage(Request $request): \Illuminate\View\View
{
// 1. 各选项的历史分布统计
$summary = [
'total_rounds' => BaccaratRound::query()->where('status', 'settled')->count(),
'result_dist' => BaccaratRound::query()
->where('status', 'settled')
->select('result', \Illuminate\Support\Facades\DB::raw('count(*) as cnt'))
->groupBy('result')
->pluck('cnt', 'result'),
];
// 2. 分页拉取所有已结算的局次
$rounds = BaccaratRound::query()
->where('status', 'settled')
->orderByDesc('id')
->paginate(30);
return view('rooms.baccarat-history', compact('rounds', 'summary'));
}
}
+75 -27
View File
@@ -17,7 +17,6 @@ use App\Enums\CurrencySource;
use App\Models\BankLog;
use App\Models\Sysparam;
use App\Models\User;
use App\Models\UserCurrencyLog;
use App\Services\UserCurrencyService;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
@@ -32,6 +31,7 @@ class BankController extends Controller
public function __construct(
private readonly UserCurrencyService $currencyService,
) {}
/**
* 查询银行余额及最近20条流水记录
*/
@@ -105,6 +105,7 @@ class BankController extends Controller
$amount = $request->integer('amount');
$user = Auth::user();
// 快速过滤(非锁),降低非法请求穿透到数据库的概率
if (($user->jjb ?? 0) < $amount) {
return response()->json([
'status' => 'error',
@@ -112,26 +113,49 @@ class BankController extends Controller
]);
}
DB::transaction(function () use ($user, $amount): void {
$this->currencyService->change($user, 'gold', -$amount, CurrencySource::BANK_DEPOSIT, "存入银行 {$amount} 金币");
try {
DB::transaction(function () use ($user, $amount): void {
// 1. 强制在数据库层面对用户行数据加写锁(X锁)
$lockedUser = User::query()
->whereKey($user->id)
->lockForUpdate()
->firstOrFail();
$user->increment('bank_jjb', $amount);
// 2. 在锁保护下安全校验最新余额
if ((int) $lockedUser->jjb < $amount) {
throw new \Exception('流通金币不足!当前余额 '.(int) $lockedUser->jjb." 枚,无法存入 {$amount} 枚。");
}
BankLog::create([
'user_id' => $user->id,
'type' => 'deposit',
'amount' => $amount,
'balance_after' => $user->fresh()->bank_jjb,
// 3. 执行资产扣除,将已加锁的 lockedUser 传给 change 方法
$this->currencyService->change($lockedUser, 'gold', -$amount, CurrencySource::BANK_DEPOSIT, "存入银行 {$amount} 金币");
// 4. 增加银行余额
$lockedUser->increment('bank_jjb', $amount);
// 5. 写入银行流水记录
BankLog::create([
'user_id' => $lockedUser->id,
'type' => 'deposit',
'amount' => $amount,
'balance_after' => $lockedUser->fresh()->bank_jjb,
]);
// 6. 同步 Auth 内存状态,保障同生命周期内其他地方拿到的是正确数据
$user->setAttribute('jjb', $lockedUser->jjb);
$user->setAttribute('bank_jjb', $lockedUser->bank_jjb);
});
} catch (\Exception $e) {
return response()->json([
'status' => 'error',
'message' => $e->getMessage(),
]);
});
$fresh = $user->fresh();
}
return response()->json([
'status' => 'success',
'message' => "成功存入 {$amount} 枚金币!",
'jjb' => $fresh->jjb,
'bank_jjb' => $fresh->bank_jjb,
'jjb' => $user->jjb,
'bank_jjb' => $user->bank_jjb,
]);
}
@@ -149,6 +173,7 @@ class BankController extends Controller
$amount = $request->integer('amount');
$user = Auth::user();
// 快速过滤(非锁)
if (($user->bank_jjb ?? 0) < $amount) {
return response()->json([
'status' => 'error',
@@ -156,26 +181,49 @@ class BankController extends Controller
]);
}
DB::transaction(function () use ($user, $amount): void {
$user->decrement('bank_jjb', $amount);
try {
DB::transaction(function () use ($user, $amount): void {
// 1. 强制在数据库层面对用户行数据加写锁(X锁)
$lockedUser = User::query()
->whereKey($user->id)
->lockForUpdate()
->firstOrFail();
$this->currencyService->change($user, 'gold', $amount, CurrencySource::BANK_WITHDRAW, "取出银行存款 {$amount} 金币");
// 2. 校验银行存款是否足够
if ((int) $lockedUser->bank_jjb < $amount) {
throw new \Exception('银行余额不足!当前存款 '.($lockedUser->bank_jjb ?? 0)." 枚,无法取出 {$amount} 枚。");
}
BankLog::create([
'user_id' => $user->id,
'type' => 'withdraw',
'amount' => $amount,
'balance_after' => $user->fresh()->bank_jjb,
// 3. 扣除银行存款
$lockedUser->decrement('bank_jjb', $amount);
// 4. 增加流通金币并记录划转日志
$this->currencyService->change($lockedUser, 'gold', $amount, CurrencySource::BANK_WITHDRAW, "取出银行存款 {$amount} 金币");
// 5. 记录银行账户流水
BankLog::create([
'user_id' => $lockedUser->id,
'type' => 'withdraw',
'amount' => $amount,
'balance_after' => $lockedUser->fresh()->bank_jjb,
]);
// 6. 同步 Auth 内存状态
$user->setAttribute('jjb', $lockedUser->jjb);
$user->setAttribute('bank_jjb', $lockedUser->bank_jjb);
});
} catch (\Exception $e) {
return response()->json([
'status' => 'error',
'message' => $e->getMessage(),
]);
});
$fresh = $user->fresh();
}
return response()->json([
'status' => 'success',
'message' => "成功取出 {$amount} 枚金币!",
'jjb' => $fresh->jjb,
'bank_jjb' => $fresh->bank_jjb,
'jjb' => $user->jjb,
'bank_jjb' => $user->bank_jjb,
]);
}
+10 -5
View File
@@ -619,15 +619,20 @@ class ChatController extends Controller
$superLevel = (int) Sysparam::getValue('superlevel', '100');
$leveledUp = $this->calculateNewLevel($user, $superLevel);
$user->save(); // 存点入库
$hasChanges = $leveledUp || ($canGainReward && ($actualExpGain > 0 || $actualJjbGain > 0));
if ($hasChanges) {
$user->save(); // 存点入库
// 将新的等级与资产状态反馈给当前用户的在线名单上,确保别人查看到的也是最准确等级
$this->chatState->userJoin($id, $user->username, $this->chatUserPresenceService->build($user));
} else {
// 无变动时,仅在 Redis 层面保活该用户的在线状态,拒绝写库并减少 Redis HSET 负荷
$this->chatState->refreshAlive($id, $user->username);
}
// 手动心跳存点:同步更新在职用户的勤务时长
$this->tickDutyLog($user, $id);
// 3. 将新的等级反馈给当前用户的在线名单上
// 确保刚刚升级后别人查看到的也是最准确等级
$this->chatState->userJoin($id, $user->username, $this->chatUserPresenceService->build($user));
// 4. 如果突破境界,向全房系统喊话广播!
if ($leveledUp) {
// 生成炫酷广播消息发向该频道
+16 -1
View File
@@ -24,6 +24,7 @@ use App\Events\GomokuInviteEvent;
use App\Events\GomokuMovedEvent;
use App\Models\GameConfig;
use App\Models\GomokuGame;
use App\Models\User;
use App\Services\GameRoomScopeService;
use App\Services\GomokuAiService;
use App\Services\UserCurrencyService;
@@ -92,13 +93,27 @@ class GomokuController extends Controller
return DB::transaction(function () use ($user, $data, $entryFee): JsonResponse {
// PvE 扣除入场费
if ($entryFee > 0) {
// 1. 悲观锁锁定用户行
$lockedUser = User::query()
->whereKey($user->id)
->lockForUpdate()
->firstOrFail();
// 2. 二次确认金币是否足够
if ((int) $lockedUser->jjb < $entryFee) {
return response()->json(['ok' => false, 'message' => '金币不足,无法加入游戏对局。']);
}
$this->currency->change(
$user,
$lockedUser,
'gold',
-$entryFee,
CurrencySource::GOMOKU_ENTRY_FEE,
"五子棋 AI 对战入场费(难度{$data['ai_level']}",
);
// 同步修改 Auth 内存实例的金币
$user->setAttribute('jjb', $lockedUser->jjb);
}
$timeout = (int) GameConfig::param('gomoku', 'invite_timeout', 60);
@@ -19,6 +19,7 @@ use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Password;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\Str;
/**
@@ -37,6 +38,64 @@ class PasswordResetController extends Controller
]);
}
/**
* 账号检测接口:根据昵称检测是否绑定微信或邮箱,并提供分流依据(支持 IP 防扫限流)。
*/
public function checkAccount(Request $request): JsonResponse
{
$request->validate([
'username' => 'required|string|max:100',
]);
$username = trim((string) $request->input('username'));
$ip = $request->ip();
// IP 防扫描节流限制:每个 IP 每 1 分钟最多请求 5 次
$ipKey = 'pw-check:ip:'.$ip;
if (RateLimiter::tooManyAttempts($ipKey, 5)) {
$seconds = RateLimiter::availableIn($ipKey);
return response()->json([
'status' => 'error',
'message' => "账号检测请求过于频繁,请在 {$seconds} 秒后重试。",
], 429);
}
RateLimiter::hit($ipKey, 60);
$user = User::query()->where('username', $username)->first();
if (! $user) {
return response()->json([
'status' => 'not_found',
'message' => '抱歉,没有找到该昵称对应的账号。请确认后再试。',
]);
}
$hasEmail = ! empty($user->email);
$hasWechat = ! empty($user->wxid);
// 对邮箱地址进行安全脱敏(如 pllx@ay.lc -> p***x@ay.lc
$maskedEmail = '';
if ($hasEmail) {
$parts = explode('@', $user->email);
$name = $parts[0] ?? '';
$domain = $parts[1] ?? '';
$len = strlen($name);
if ($len <= 2) {
$maskedEmail = substr($name, 0, 1).'*'.'@'.$domain;
} else {
$maskedEmail = substr($name, 0, 1).str_repeat('*', $len - 2).substr($name, -1).'@'.$domain;
}
}
return response()->json([
'status' => 'success',
'username' => $user->username,
'has_email' => $hasEmail,
'has_wechat' => $hasWechat,
'masked_email' => $maskedEmail,
]);
}
/**
* 发送邮箱找回密码链接。
*/
@@ -49,7 +108,49 @@ class PasswordResetController extends Controller
], 403);
}
$email = trim((string) $request->string('email'));
$inputEmail = trim((string) $request->input('email', ''));
$username = trim((string) $request->input('username', ''));
$ip = $request->ip();
$user = User::query()->where('username', $username)->first();
if (! $user || empty($user->email)) {
return response()->json([
'status' => 'error',
'message' => '找不到绑定了邮箱的账号。',
], 422);
}
// 强行双向比对核对(忽略大小写和前后空白)
if (strcasecmp($user->email, $inputEmail) !== 0) {
return response()->json([
'status' => 'error',
'message' => '输入的完整邮箱地址与该账号绑定的邮箱不一致,二次确认失败。',
], 422);
}
$email = $user->email;
// 1. IP 级别发信限流:限制单个 IP 每分钟最多请求 2 次
$ipKey = 'pw-email:ip:'.$ip;
if (RateLimiter::tooManyAttempts($ipKey, 2)) {
$seconds = RateLimiter::availableIn($ipKey);
return response()->json([
'status' => 'error',
'message' => "发送验证链接过于频繁,请在 {$seconds} 秒后重试。",
], 429);
}
// 2. 账号邮箱级别冷却锁:同一个邮箱每 3 分钟限发 1 次,防止狂刷邮件轰炸他人
$targetKey = 'pw-email:target:'.md5($email);
if (RateLimiter::tooManyAttempts($targetKey, 1)) {
$seconds = RateLimiter::availableIn($targetKey);
return response()->json([
'status' => 'error',
'message' => "该账号申请重置链接过于频繁,请在 {$seconds} 秒后重试。",
], 429);
}
// 邮箱找回必须保证一邮一号,否则重置目标会产生歧义。
if (User::query()->where('email', $email)->count() > 1) {
@@ -59,6 +160,10 @@ class PasswordResetController extends Controller
], 422);
}
// 记录发信请求频率
RateLimiter::hit($ipKey, 60);
RateLimiter::hit($targetKey, 180);
$status = Password::sendResetLink(['email' => $email]);
if ($status === Password::RESET_LINK_SENT) {
@@ -32,6 +32,7 @@ class SendPasswordResetLinkRequest extends FormRequest
{
return [
'email' => ['required', 'email', 'max:255'],
'username' => ['required', 'string', 'max:100'],
];
}
@@ -43,9 +44,10 @@ class SendPasswordResetLinkRequest extends FormRequest
public function messages(): array
{
return [
'email.required' => '请输入绑定账号的邮箱地址。',
'email.required' => '请输入绑定邮箱地址以进行二次确认。',
'email.email' => '邮箱格式不正确,请重新输入。',
'email.max' => '邮箱长度不能超过 255 个字符。',
'username.required' => '用户昵称参数缺失。',
];
}
}
+16
View File
@@ -139,4 +139,20 @@ class Room extends Model
|| $user->username === $this->master
|| $user->user_level >= $superLevel;
}
/**
* 模型的 booted 方法。
*
* 在房间被更新或删除时,同步清理 Redis 上的 Presence Channel 鉴权缓存。
*/
protected static function booted(): void
{
static::saved(function (Room $room) {
\Illuminate\Support\Facades\Cache::forget("room:meta:{$room->id}");
});
static::deleted(function (Room $room) {
\Illuminate\Support\Facades\Cache::forget("room:meta:{$room->id}");
});
}
}
+66 -7
View File
@@ -20,6 +20,35 @@ class MessageFilterService
'外挂', '刷单', '脚本', // 示例黑名单
];
/**
* Trie 字典树实例,用于 DFA 过滤
*/
private ?array $trie = null;
/**
* 构建 Trie 字典树
*/
private function buildTrie(): void
{
if ($this->trie !== null) {
return;
}
$this->trie = [];
foreach ($this->badWords as $word) {
$temp = &$this->trie;
$len = mb_strlen($word);
for ($i = 0; $i < $len; $i++) {
$char = mb_substr($word, $i, 1);
if (! isset($temp[$char])) {
$temp[$char] = [];
}
$temp = &$temp[$char];
}
$temp['is_end'] = true;
}
}
/**
* 执行过滤净化,保障入库和显示安全。
*
@@ -35,16 +64,46 @@ class MessageFilterService
// 1. HTML 标签全量脱除,阻绝任意 XSS/HTML 注入
$content = strip_tags($content);
// 2. 敏感词替换
foreach ($this->badWords as $word) {
if (mb_strpos($content, $word) !== false) {
// 将脏字替换为相同长度的 星号 或 提示
$replacement = str_repeat('*', mb_strlen($word));
$content = str_replace($word, $replacement, $content);
// 2. 惰性初始化并构建 DFA 字典树
$this->buildTrie();
// 3. 将字符串转为多字节字符数组,进行 DFA 扫描与替换
$len = mb_strlen($content);
$chars = [];
for ($i = 0; $i < $len; $i++) {
$chars[] = mb_substr($content, $i, 1);
}
$result = [];
$i = 0;
while ($i < $len) {
$temp = &$this->trie;
$matchLength = 0;
$j = $i;
while ($j < $len && isset($temp[$chars[$j]])) {
$temp = &$temp[$chars[$j]];
if (isset($temp['is_end']) && $temp['is_end'] === true) {
$matchLength = $j - $i + 1; // 匹配到最长敏感词
}
$j++;
}
if ($matchLength > 0) {
// 替换为相同长度的 *
for ($k = 0; $k < $matchLength; $k++) {
$result[] = '*';
}
$i += $matchLength; // 跳过敏感词
} else {
$result[] = $chars[$i];
$i++;
}
}
// 3. 将连续的空格去重,只保留一个真正的空格
$content = implode('', $result);
// 4. 将连续的空格去重,只保留一个真正的空格
$content = preg_replace('/\s+/', ' ', $content);
return trim($content);
+19 -7
View File
@@ -65,21 +65,30 @@ class UserCurrencyService
}
DB::transaction(function () use ($user, $currency, $amount, $source, $remark, $roomId, $field) {
// 原子性更新用户属性(用 increment/decrement 防并发竞态
// 原子性更新用户属性(用 lockForUpdate 悲观锁锁定对应的数据库行
$lockedUser = User::query()
->whereKey($user->id)
->lockForUpdate()
->firstOrFail();
if ($amount > 0) {
$user->increment($field, $amount);
$lockedUser->increment($field, $amount);
} else {
// 扣除时不让余额低于 0
$user->decrement($field, min(abs($amount), $user->$field ?? 0));
// 扣除时不让余额低于 0,基于锁定的最新数据计算
$currentBalance = (int) $lockedUser->$field;
$deductAmount = min(abs($amount), $currentBalance);
if ($deductAmount > 0) {
$lockedUser->decrement($field, $deductAmount);
}
}
// 重新读取最新余额(避免缓存脏数据)
$balanceAfter = (int) $user->fresh()->$field;
$balanceAfter = (int) $lockedUser->fresh()->$field;
// 写入流水记录(快照当前用户名,排行 JOIN 时再取最新名)
UserCurrencyLog::create([
'user_id' => $user->id,
'username' => $user->username,
'user_id' => $lockedUser->id,
'username' => $lockedUser->username,
'currency' => $currency,
'amount' => $amount,
'balance_after' => $balanceAfter,
@@ -87,6 +96,9 @@ class UserCurrencyService
'remark' => $remark,
'room_id' => $roomId,
]);
// 同步修改内存中 $user 的实例属性,避免后续逻辑拿到过期的数据
$user->setAttribute($field, $balanceAfter);
});
}
+3
View File
@@ -14,11 +14,14 @@
"intervention/image": "^3.11",
"laravel/framework": "^12.0",
"laravel/horizon": "^5.45",
"laravel/octane": "^2.17",
"laravel/reverb": "^1.8",
"laravel/tinker": "^2.10.1",
"longlang/phpkafka": "^1.2",
"mews/captcha": "^3.4",
"predis/predis": "^3.4",
"spiral/roadrunner-cli": "^2.6.0",
"spiral/roadrunner-http": "^3.3.0",
"stevebauman/location": "^7.6",
"zoujingli/ip2region": "^3.0"
},
Generated
+1626 -157
View File
File diff suppressed because it is too large Load Diff
+224
View File
@@ -0,0 +1,224 @@
<?php
use Laravel\Octane\Contracts\OperationTerminated;
use Laravel\Octane\Events\RequestHandled;
use Laravel\Octane\Events\RequestReceived;
use Laravel\Octane\Events\RequestTerminated;
use Laravel\Octane\Events\TaskReceived;
use Laravel\Octane\Events\TaskTerminated;
use Laravel\Octane\Events\TickReceived;
use Laravel\Octane\Events\TickTerminated;
use Laravel\Octane\Events\WorkerErrorOccurred;
use Laravel\Octane\Events\WorkerStarting;
use Laravel\Octane\Events\WorkerStopping;
use Laravel\Octane\Listeners\CloseMonologHandlers;
use Laravel\Octane\Listeners\CollectGarbage;
use Laravel\Octane\Listeners\DisconnectFromDatabases;
use Laravel\Octane\Listeners\EnsureUploadedFilesAreValid;
use Laravel\Octane\Listeners\EnsureUploadedFilesCanBeMoved;
use Laravel\Octane\Listeners\FlushOnce;
use Laravel\Octane\Listeners\FlushTemporaryContainerInstances;
use Laravel\Octane\Listeners\FlushUploadedFiles;
use Laravel\Octane\Listeners\ReportException;
use Laravel\Octane\Listeners\StopWorkerIfNecessary;
use Laravel\Octane\Octane;
return [
/*
|--------------------------------------------------------------------------
| Octane Server
|--------------------------------------------------------------------------
|
| This value determines the default "server" that will be used by Octane
| when starting, restarting, or stopping your server via the CLI. You
| are free to change this to the supported server of your choosing.
|
| Supported: "roadrunner", "swoole", "frankenphp"
|
*/
'server' => env('OCTANE_SERVER', 'roadrunner'),
/*
|--------------------------------------------------------------------------
| Force HTTPS
|--------------------------------------------------------------------------
|
| When this configuration value is set to "true", Octane will inform the
| framework that all absolute links must be generated using the HTTPS
| protocol. Otherwise your links may be generated using plain HTTP.
|
*/
'https' => env('OCTANE_HTTPS', false),
/*
|--------------------------------------------------------------------------
| Octane Listeners
|--------------------------------------------------------------------------
|
| All of the event listeners for Octane's events are defined below. These
| listeners are responsible for resetting your application's state for
| the next request. You may even add your own listeners to the list.
|
*/
'listeners' => [
WorkerStarting::class => [
EnsureUploadedFilesAreValid::class,
EnsureUploadedFilesCanBeMoved::class,
],
RequestReceived::class => [
...Octane::prepareApplicationForNextOperation(),
...Octane::prepareApplicationForNextRequest(),
//
],
RequestHandled::class => [
//
],
RequestTerminated::class => [
// FlushUploadedFiles::class,
],
TaskReceived::class => [
...Octane::prepareApplicationForNextOperation(),
//
],
TaskTerminated::class => [
//
],
TickReceived::class => [
...Octane::prepareApplicationForNextOperation(),
//
],
TickTerminated::class => [
//
],
OperationTerminated::class => [
FlushOnce::class,
FlushTemporaryContainerInstances::class,
// DisconnectFromDatabases::class,
// CollectGarbage::class,
],
WorkerErrorOccurred::class => [
ReportException::class,
StopWorkerIfNecessary::class,
],
WorkerStopping::class => [
CloseMonologHandlers::class,
],
],
/*
|--------------------------------------------------------------------------
| Warm / Flush Bindings
|--------------------------------------------------------------------------
|
| The bindings listed below will either be pre-warmed when a worker boots
| or they will be flushed before every new request. Flushing a binding
| will force the container to resolve that binding again when asked.
|
*/
'warm' => [
...Octane::defaultServicesToWarm(),
],
'flush' => [
//
],
/*
|--------------------------------------------------------------------------
| Octane Swoole Tables
|--------------------------------------------------------------------------
|
| While using Swoole, you may define additional tables as required by the
| application. These tables can be used to store data that needs to be
| quickly accessed by other workers on the particular Swoole server.
|
*/
'tables' => [
'example:1000' => [
'name' => 'string:1000',
'votes' => 'int',
],
],
/*
|--------------------------------------------------------------------------
| Octane Swoole Cache Table
|--------------------------------------------------------------------------
|
| While using Swoole, you may leverage the Octane cache, which is powered
| by a Swoole table. You may set the maximum number of rows as well as
| the number of bytes per row using the configuration options below.
|
*/
'cache' => [
'rows' => 1000,
'bytes' => 10000,
],
/*
|--------------------------------------------------------------------------
| File Watching
|--------------------------------------------------------------------------
|
| The following list of files and directories will be watched when using
| the --watch option offered by Octane. If any of the directories and
| files are changed, Octane will automatically reload your workers.
|
*/
'watch' => [
'app',
'bootstrap',
'config/**/*.php',
'database/**/*.php',
'public/**/*.php',
'resources/**/*.php',
'routes',
'composer.lock',
'.env',
],
/*
|--------------------------------------------------------------------------
| Garbage Collection Threshold
|--------------------------------------------------------------------------
|
| When executing long-lived PHP scripts such as Octane, memory can build
| up before being cleared by PHP. You can force Octane to run garbage
| collection if your application consumes this amount of megabytes.
|
*/
'garbage' => 50,
/*
|--------------------------------------------------------------------------
| Maximum Execution Time
|--------------------------------------------------------------------------
|
| The following setting configures the maximum execution time for requests
| being handled by Octane. You may set this value to 0 to indicate that
| there isn't a specific time limit on Octane request execution time.
|
*/
'max_execution_time' => 30,
];
@@ -0,0 +1,37 @@
<?php
/**
* 文件功能:为消息表(messages)添加 (room_id, sent_at) 联合复合索引
* 解决拉取房间聊天历史消息时的 Slow Query 瓶颈
*
* @author ChatRoom Laravel
* @version 1.0.0
*/
use Illuminate\Database\Migrations\Migration;
use Illuminate\Database\Schema\Blueprint;
use Illuminate\Support\Facades\Schema;
return new class extends Migration
{
/**
* 执行迁移,添加联合索引
*/
public function up(): void
{
Schema::table('messages', function (Blueprint $table) {
// 添加复合索引 idx_room_sent_at
$table->index(['room_id', 'sent_at'], 'idx_room_sent_at');
});
}
/**
* 回滚迁移,删除联合索引
*/
public function down(): void
{
Schema::table('messages', function (Blueprint $table) {
$table->dropIndex('idx_room_sent_at');
});
}
};
+23 -12
View File
@@ -26,16 +26,23 @@ map $http_upgrade $connection_upgrade {
# 建议放在 #REWRITE-END 之后,禁止访问敏感文件之前
# ═══════════════════════════════════════════════════════════
# ── Laravel 伪静态规则 ──────────────────────────────────
# 如果宝塔的伪静态配置文件 rewrite/chat.ay.lc.conf 为空,
# 请在宝塔面板 → 网站 → 伪静态 中选择 "laravel5"
# 或者直接在 rewrite/chat.ay.lc.conf 中写入以下内容:
#
# location / {
# try_files $uri $uri/ /index.php?$query_string;
# }
# ── 1. 静态资源优先由 Nginx 直接响应,动态请求分流给 Octane ──
location / {
try_files $uri $uri/ @octane;
}
# ── Vite 静态资源缓存(文件名带 hash,可安全长期缓存)────────────
# ── 2. API、心跳等动态请求反向代理到本地 8000 端口 (Octane / Roadrunner) ──
location @octane {
proxy_set_header Host $http_host;
proxy_set_header Scheme $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://127.0.0.1:8000;
}
# ── 3. Vite 静态资源缓存(文件名带 hash,可安全长期缓存)────────────
location ^~ /build/assets/ {
access_log off;
expires 1y;
@@ -43,7 +50,7 @@ map $http_upgrade $connection_upgrade {
try_files $uri =404;
}
# ── 常规静态资源缓存(不带 hash,保守缓存 7 天)───────────────
# ── 4. 常规静态资源缓存(不带 hash,保守缓存 7 天)───────────────
location ~* \.(?:css|js|mjs|png|jpg|jpeg|gif|webp|svg|ico|woff2?|ttf|eot)$ {
access_log off;
expires 7d;
@@ -77,7 +84,11 @@ map $http_upgrade $connection_upgrade {
proxy_pass http://127.0.0.1:8080;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
# 避坑提示:某些宝塔环境全局未配置 $connection_upgrade 变量,
# 直接写死 "Upgrade" 能 100% 避免 500 代理握手失败。
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -95,7 +106,7 @@ map $http_upgrade $connection_upgrade {
proxy_pass http://127.0.0.1:8080;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+31
View File
@@ -7,6 +7,7 @@
"devDependencies": {
"@tailwindcss/vite": "^4.0.0",
"axios": "^1.11.0",
"chokidar": "^5.0.0",
"concurrently": "^9.0.1",
"laravel-echo": "^2.3.0",
"laravel-vite-plugin": "^2.0.0",
@@ -1233,6 +1234,22 @@
"node": ">=8"
}
},
"node_modules/chokidar": {
"version": "5.0.0",
"resolved": "https://registry.npmjs.org/chokidar/-/chokidar-5.0.0.tgz",
"integrity": "sha512-TQMmc3w+5AxjpL8iIiwebF73dRDF4fBIieAqGn9RGCWaEVwQ6Fb2cGe31Yns0RRIzii5goJ1Y7xbMwo1TxMplw==",
"dev": true,
"license": "MIT",
"dependencies": {
"readdirp": "^5.0.0"
},
"engines": {
"node": ">= 20.19.0"
},
"funding": {
"url": "https://paulmillr.com/funding/"
}
},
"node_modules/cliui": {
"version": "8.0.1",
"resolved": "https://registry.npmmirror.com/cliui/-/cliui-8.0.1.tgz",
@@ -2161,6 +2178,20 @@
"tweetnacl": "^1.0.3"
}
},
"node_modules/readdirp": {
"version": "5.0.0",
"resolved": "https://registry.npmjs.org/readdirp/-/readdirp-5.0.0.tgz",
"integrity": "sha512-9u/XQ1pvrQtYyMpZe7DXKv2p5CNvyVwzUB6uhLAnQwHMSgKMBR62lc7AHljaeteeHXn11XTAaLLUVZYVZyuRBQ==",
"dev": true,
"license": "MIT",
"engines": {
"node": ">= 20.19.0"
},
"funding": {
"type": "individual",
"url": "https://paulmillr.com/funding/"
}
},
"node_modules/require-directory": {
"version": "2.1.1",
"resolved": "https://registry.npmmirror.com/require-directory/-/require-directory-2.1.1.tgz",
+1
View File
@@ -9,6 +9,7 @@
"devDependencies": {
"@tailwindcss/vite": "^4.0.0",
"axios": "^1.11.0",
"chokidar": "^5.0.0",
"concurrently": "^9.0.1",
"laravel-echo": "^2.3.0",
"laravel-vite-plugin": "^2.0.0",
+12 -4
View File
@@ -797,10 +797,18 @@ export function appendMessage(msg, renderBatch = null) {
let parsedContent = parseBracketUsers(msg.content);
html = `${headImg}<span style="font-weight: bold;">${clickableUser(msg.from_user, fontColor, nameClass)}</span><span class="msg-content${textColorClass}" style="color: ${fontColor}; font-weight: bold;">${parsedContent}</span>`;
} else {
div.style.cssText =
"background: #fffbeb; border-left: 3px solid #d97706; border-radius: 4px; padding: 4px 10px; margin: 2px 0;";
let sysTranContent = parseBracketUsers(msg.content);
html = `<span style="color: #b45309;">🌟 ${sysTranContent}</span>`;
const isWarning = (msg.content || "").includes("警告");
if (isWarning) {
div.style.cssText =
"background: #fef2f2; border-left: 4px solid #ef4444; border-radius: 4px; padding: 4px 10px; margin: 2px 0;";
let sysTranContent = parseBracketUsers(msg.content, "#dc2626");
html = `<span style="color: #dc2626; font-weight: 800; font-size: 1.15em;">🌟 ${sysTranContent}</span>`;
} else {
div.style.cssText =
"background: #fffbeb; border-left: 3px solid #d97706; border-radius: 4px; padding: 4px 10px; margin: 2px 0;";
let sysTranContent = parseBracketUsers(msg.content);
html = `<span style="color: #b45309;">🌟 ${sysTranContent}</span>`;
}
}
} else if (resolveGameNotificationCardMeta(msg)) {
html = buildSystemGameNotificationHtml(msg, timeStr);
+247 -26
View File
@@ -1,6 +1,7 @@
// 邮箱找回密码页交互入口,负责 AJAX 发送重置链接和页面提示。
// 忘记密码页交互逻辑:智能账号检测与分流引导
let passwordForgotControlsBound = false;
let currentUsername = "";
/**
* 读取 CSRF 令牌,供找回密码请求使用。
@@ -11,6 +12,19 @@ function getCsrfToken() {
return document.querySelector('meta[name="csrf-token"]')?.getAttribute("content") ?? "";
}
/**
* 获取当前应当使用的局部消息框元素。
*
* @returns {HTMLDivElement|null}
*/
function getActiveAlertBox() {
const stepDetect = document.getElementById("step-detect");
if (stepDetect && stepDetect.style.display !== "none") {
return document.getElementById("alert-detect");
}
return document.getElementById("alert-email");
}
/**
* 展示找回密码页面提示。
*
@@ -19,7 +33,7 @@ function getCsrfToken() {
* @returns {void}
*/
function showAlert(message, type) {
const alertBox = document.getElementById("alert-box");
const alertBox = getActiveAlertBox();
if (!alertBox) {
return;
}
@@ -27,36 +41,83 @@ function showAlert(message, type) {
alertBox.textContent = message;
alertBox.className = type === "success" ? "alert alert-success" : "alert alert-error";
alertBox.style.display = "block";
// 平滑滚动提示框到可视区域
alertBox.scrollIntoView({ behavior: "smooth", block: "nearest" });
}
/**
* 提交邮箱找回密码请求
* 隐藏找回密码页面提示
*
* @returns {void}
*/
function hideAlert() {
const alertDetect = document.getElementById("alert-detect");
const alertEmail = document.getElementById("alert-email");
if (alertDetect) {
alertDetect.style.display = "none";
}
if (alertEmail) {
alertEmail.style.display = "none";
}
}
/**
* 绑定双绑定状态下的选项卡切换事件。
*
* @returns {void}
*/
function bindTabEvents() {
const tabsContainer = document.getElementById("channel-tabs");
if (!tabsContainer) {
return;
}
tabsContainer.addEventListener("click", (event) => {
const btn = event.target.closest(".tab-btn");
if (!btn) {
return;
}
// 清除所有高亮
tabsContainer.querySelectorAll(".tab-btn").forEach((b) => b.classList.remove("active"));
btn.classList.add("active");
// 切换显示面板
const targetId = btn.getAttribute("data-target");
document.querySelectorAll(".channel-pane").forEach((pane) => {
if (pane.id === targetId) {
pane.style.display = "block";
} else {
pane.style.display = "none";
}
});
});
}
/**
* 第一步:提交昵称检测账号绑定状态。
*
* @param {SubmitEvent} event
* @returns {Promise<void>}
*/
async function submitPasswordRecovery(event) {
async function submitAccountDetect(event) {
event.preventDefault();
const form = event.target;
const submitButton = document.getElementById("submit-btn");
const alertBox = document.getElementById("alert-box");
const detectBtn = document.getElementById("detect-btn");
if (!(form instanceof HTMLFormElement)) {
return;
}
if (submitButton instanceof HTMLButtonElement) {
submitButton.disabled = true;
submitButton.innerText = "发送中...";
}
if (alertBox) {
alertBox.style.display = "none";
if (detectBtn instanceof HTMLButtonElement) {
detectBtn.disabled = true;
detectBtn.innerText = "账号检索中...";
}
hideAlert();
try {
const response = await fetch(form.getAttribute("data-password-email-url") ?? form.action, {
const response = await fetch(form.action, {
method: "POST",
credentials: "same-origin",
headers: {
"Content-Type": "application/json",
"X-CSRF-TOKEN": getCsrfToken(),
@@ -66,26 +127,169 @@ async function submitPasswordRecovery(event) {
});
const body = await response.json();
if (response.status === 200 && body.status === "success") {
showAlert(body.message, "success");
form.reset();
if (response.status === 429) {
showAlert(body.message || "请求过于频繁,请稍后再试。", "error");
return;
}
const errorMessage = body.message || (body.errors ? Object.values(body.errors)[0][0] : "邮件发送失败,请稍后重试。");
showAlert(errorMessage, "error");
if (body.status === "not_found") {
showAlert(body.message, "error");
return;
}
if (body.status === "success") {
currentUsername = body.username;
document.getElementById("step-detect").style.display = "none";
document.getElementById("step-result").style.display = "block";
document.getElementById("recovery-title").innerText = "密码找回建议";
document.getElementById("forgot-footer").style.display = "none";
const summary = document.getElementById("detect-summary");
const tabs = document.getElementById("channel-tabs");
const panelWechat = document.getElementById("panel-wechat");
const panelEmail = document.getElementById("panel-email");
const panelNone = document.getElementById("panel-none");
// 默认隐藏所有特定面板
tabs.style.display = "none";
panelWechat.style.display = "none";
panelEmail.style.display = "none";
panelNone.style.display = "none";
const hasEmail = body.has_email;
const hasWechat = body.has_wechat;
const hintLabel = document.getElementById("masked-email-hint");
const emailInput = document.getElementById("email");
if (hasEmail && hasWechat) {
summary.innerHTML = `检测到账号 <strong style="color:var(--gold);">${currentUsername}</strong> 已同时绑定了微信和邮箱。您可以选择以下任意一种方式找回密码:`;
tabs.style.display = "grid";
// 默认选中微信面板
tabs.querySelectorAll(".tab-btn").forEach((b) => b.classList.remove("active"));
const wechatTabBtn = tabs.querySelector('[data-target="panel-wechat"]');
if (wechatTabBtn) {
wechatTabBtn.classList.add("active");
}
panelWechat.style.display = "block";
if (hintLabel) {
hintLabel.innerHTML = `📬 绑定的邮箱提示:<span style="color:#fff;">${body.masked_email}</span>`;
}
if (emailInput instanceof HTMLInputElement) {
emailInput.value = "";
}
} else if (hasWechat) {
summary.innerHTML = `检测到账号 <strong style="color:var(--gold);">${currentUsername}</strong> 仅绑定了微信。系统不支持邮箱找回,建议您使用微信助手进行重置:`;
panelWechat.style.display = "block";
} else if (hasEmail) {
summary.innerHTML = `检测到账号 <strong style="color:var(--gold);">${currentUsername}</strong> 仅绑定了邮箱。建议您使用邮箱发送重置链接找回:`;
panelEmail.style.display = "block";
if (hintLabel) {
hintLabel.innerHTML = `📬 绑定的邮箱提示:<span style="color:#fff;">${body.masked_email}</span>`;
}
if (emailInput instanceof HTMLInputElement) {
emailInput.value = "";
}
} else {
summary.innerHTML = `检测到账号 <strong style="color:var(--gold);">${currentUsername}</strong> 尚未绑定微信或邮箱找回途径:`;
panelNone.style.display = "block";
}
}
} catch {
showAlert("网络或服务器异常,请稍后再试。", "error");
showAlert("网络或服务器连接异常,请稍后再试。", "error");
} finally {
if (submitButton instanceof HTMLButtonElement) {
submitButton.disabled = false;
submitButton.innerText = "发送重置邮件";
if (detectBtn instanceof HTMLButtonElement) {
detectBtn.disabled = false;
detectBtn.innerText = "下一步 (检测账号)";
}
}
}
/**
* 绑定邮箱找回密码页提交事件
* 第二步:提交发送重置链接邮件请求
*
* @param {SubmitEvent} event
* @returns {Promise<void>}
*/
async function submitPasswordRecovery(event) {
event.preventDefault();
const form = event.target;
const submitButton = document.getElementById("submit-btn");
if (!(form instanceof HTMLFormElement)) {
return;
}
if (submitButton instanceof HTMLButtonElement) {
submitButton.disabled = true;
submitButton.innerText = "发送重置链接中...";
}
hideAlert();
let isSentSuccess = false;
try {
const emailInput = document.getElementById("email");
const emailVal = emailInput instanceof HTMLInputElement ? emailInput.value.trim() : "";
const response = await fetch(form.getAttribute("data-password-email-url") ?? "", {
method: "POST",
headers: {
"Content-Type": "application/json",
"X-CSRF-TOKEN": getCsrfToken(),
Accept: "application/json",
},
body: JSON.stringify({
username: currentUsername,
email: emailVal,
}),
});
const body = await response.json();
if (response.status === 429) {
showAlert(body.message || "请求发送过于频繁,请稍后再试。", "error");
return;
}
if (body.status === "success") {
showAlert(body.message, "success");
isSentSuccess = true;
return;
}
const errorMessage = body.message || (body.errors ? Object.values(body.errors)[0][0] : "重置邮件发送失败,请稍后重试。");
showAlert(errorMessage, "error");
} catch {
showAlert("网络发送异常,请稍后再试。", "error");
} finally {
if (submitButton instanceof HTMLButtonElement) {
if (isSentSuccess) {
// 成功时启动 30 秒置灰倒计时锁定
let seconds = 30;
submitButton.disabled = true;
submitButton.innerText = `${seconds}秒内不能重复发送`;
const timer = setInterval(() => {
seconds--;
if (seconds <= 0) {
clearInterval(timer);
submitButton.disabled = false;
submitButton.innerText = "二次验证并发送重置邮件";
} else {
submitButton.innerText = `${seconds}秒内不能重复发送`;
}
}, 1000);
} else {
// 校验失败,立刻解除禁用供重新编辑
submitButton.disabled = false;
submitButton.innerText = "二次验证并发送重置邮件";
}
}
}
}
/**
* 绑定智能找回向导控制事件。
*
* @returns {void}
*/
@@ -93,11 +297,28 @@ function bindPasswordForgotControls() {
if (passwordForgotControlsBound || typeof document === "undefined") {
return;
}
passwordForgotControlsBound = true;
// 第一步表单提交
document.getElementById("account-detect-form")?.addEventListener("submit", (event) => {
void submitAccountDetect(event);
});
// 第二步发信表单提交
document.getElementById("password-recovery-form")?.addEventListener("submit", (event) => {
void submitPasswordRecovery(event);
});
// 返回按钮事件
document.getElementById("back-detect-btn")?.addEventListener("click", () => {
hideAlert();
document.getElementById("step-detect").style.display = "block";
document.getElementById("step-result").style.display = "none";
document.getElementById("recovery-title").innerText = "忘记密码";
document.getElementById("forgot-footer").style.display = "block";
});
bindTabEvents();
}
bindPasswordForgotControls();
+55
View File
@@ -285,6 +285,61 @@
</div>
</div>
{{-- ═══════════ 账号安全绑定强引导(邮箱/微信二选一) ═══════════ --}}
@if (empty(Auth::user()->email) && empty(Auth::user()->wxid))
<div id="security-bind-modal" style="display: none; position: fixed; inset: 0; background: rgba(15, 23, 42, 0.85); backdrop-filter: blur(5px); z-index: 20000; align-items: center; justify-content: center; padding: 20px;">
<div style="background: #1e293b; border: 2px solid #c6a35b; border-radius: 8px; max-width: 440px; width: 100%; padding: 24px; box-shadow: 0 10px 30px rgba(0,0,0,0.6); position: relative; color: #f8fafc; text-align: left;">
<h3 style="font-family: 'Noto Serif SC', serif; font-size: 18px; color: #c6a35b; margin-top: 0; margin-bottom: 14px; display: flex; align-items: center; gap: 8px;">
🛡️ 账号安全绑定提醒
</h3>
<p style="font-size: 13.5px; line-height: 1.6; color: #cbd5e1; margin-bottom: 22px;">
检测到您的账号<strong>尚未设置邮箱</strong>,也<strong>未绑定微信</strong><br>
为了在您遗忘密码时能够自主找回,建议您至少绑定其中一项。您可前往设置录入邮箱,或者<strong>扫码添加并私聊我们的微信助手【小小】完成绑定</strong>
</p>
<div style="display: flex; flex-direction: column; gap: 10px;">
<button onclick="openSecuritySettings()" style="height: 42px; background: linear-gradient(90deg, #8d342d, #b91c1c); color: #fff; border: none; border-radius: 4px; font-weight: bold; cursor: pointer; font-size: 13.5px; transition: opacity 0.2s;">
立即前往设置(查看微信小小二维码)
</button>
<button onclick="closeSecurityBindModal()" style="height: 38px; background: transparent; color: #94a3b8; border: 1px solid #475569; border-radius: 4px; cursor: pointer; font-size: 12.5px; transition: background 0.2s;">
暂不设置,以后再说
</button>
</div>
</div>
</div>
<script>
document.addEventListener('DOMContentLoaded', function () {
// 本次浏览器标签页会话期间仅强提醒一次,防止频繁刷新/切房骚扰
if (!sessionStorage.getItem('security_bind_notified')) {
const modal = document.getElementById('security-bind-modal');
if (modal) {
modal.style.display = 'flex';
sessionStorage.setItem('security_bind_notified', '1');
}
}
});
function openSecuritySettings() {
closeSecurityBindModal();
// 优先通过系统全局包装函数打开,触发延迟分包加载与事件绑定交互
if (typeof window.openSettingsModal === 'function') {
window.openSettingsModal();
} else {
const settingsModal = document.getElementById('settings-modal');
if (settingsModal) {
settingsModal.style.display = 'flex';
}
}
}
function closeSecurityBindModal() {
const modal = document.getElementById('security-bind-modal');
if (modal) {
modal.style.display = 'none';
}
}
</script>
@endif
</body>
</html>
+8
View File
@@ -91,6 +91,10 @@
class="text-indigo-200 hover:text-white font-bold flex items-center transition hidden sm:flex">
大厅
</a>
<a href="{{ route('baccarat.history-page') }}"
class="text-red-400 hover:text-red-300 font-bold flex items-center transition hidden sm:flex {{ request()->routeIs('baccarat.*') ? 'text-red-200 underline underline-offset-4' : '' }}">
🎲 百家乐
</a>
<a href="{{ route('invite.leaderboard') }}"
class="text-rose-400 hover:text-rose-300 font-bold flex items-center transition hidden sm:flex {{ request()->routeIs('invite.leaderboard') ? 'text-rose-200 underline underline-offset-4' : '' }}">
邀请排行
@@ -176,6 +180,10 @@
class="px-4 py-2.5 text-indigo-100 hover:bg-indigo-700 hover:text-white font-medium border-l-4 {{ request()->routeIs('rooms.index') ? 'border-indigo-400 bg-indigo-700/50' : 'border-transparent' }}">
大厅
</a>
<a href="{{ route('baccarat.history-page') }}"
class="px-4 py-2.5 text-red-300 hover:bg-indigo-700 hover:text-red-200 font-medium border-l-4 {{ request()->routeIs('baccarat.*') ? 'border-red-400 bg-indigo-700/50' : 'border-transparent' }}">
🎲 百家乐
</a>
<a href="{{ route('invite.leaderboard') }}"
class="px-4 py-2.5 text-rose-300 hover:bg-indigo-700 hover:text-rose-200 font-medium border-l-4 {{ request()->routeIs('invite.leaderboard') ? 'border-rose-400 bg-indigo-700/50' : 'border-transparent' }}">
邀请排行
+184 -26
View File
@@ -182,6 +182,101 @@
line-height: 1.7;
}
/* ── 智能引导 Tab 及微信向导样式 ── */
.tabs {
display: grid;
grid-template-columns: 1fr 1fr;
gap: 2px;
margin-bottom: 20px;
border: 1px solid var(--border);
background: rgba(255, 248, 236, 0.02);
padding: 2px;
}
.tab-btn {
height: 46px;
background: transparent;
border: none;
color: var(--text-soft);
font-size: 14px;
font-weight: 500;
cursor: pointer;
transition: all 0.2s ease;
font-family: inherit;
}
.tab-btn:hover {
color: var(--text);
background: rgba(255, 255, 255, 0.02);
}
.tab-btn.active {
color: var(--gold);
background: rgba(198, 163, 91, 0.08);
font-weight: 700;
}
.wechat-guide {
display: flex;
flex-direction: column;
gap: 12px;
margin-bottom: 18px;
}
.guide-step {
display: flex;
align-items: flex-start;
gap: 12px;
background: rgba(255, 248, 236, 0.02);
border: 1px solid rgba(198, 163, 91, 0.08);
padding: 12px 14px;
}
.step-num {
width: 22px;
height: 22px;
background: var(--gold);
color: var(--bg);
border-radius: 50%;
display: flex;
align-items: center;
justify-content: center;
font-weight: 900;
font-size: 12px;
flex-shrink: 0;
box-shadow: 0 0 10px rgba(198, 163, 91, 0.2);
}
.step-desc {
font-size: 13.5px;
line-height: 1.6;
color: var(--text-soft);
}
.step-desc strong {
color: var(--text);
}
.cmd-badge {
display: inline-block;
padding: 2px 8px;
background: var(--red);
color: #fff;
font-weight: 700;
font-size: 12px;
border-radius: 3px;
margin: 0 4px;
}
.wechat-tip {
border-left: 3px solid var(--gold);
background: rgba(198, 163, 91, 0.03);
padding: 12px;
font-size: 13px;
line-height: 1.6;
color: var(--text-soft);
}
@media (max-width: 640px) {
.content {
padding: 22px 18px 18px;
@@ -198,41 +293,104 @@
<main class="card">
<section class="content">
<div class="eyebrow">PASSWORD RECOVERY</div>
<h1>邮箱找回密码</h1>
<p class="lead">请输入账号已绑定的邮箱地址。系统会把重置密码链接发送到邮箱,您再进入独立页面设置新密码。</p>
<h1 id="recovery-title">忘记密码</h1>
<div id="alert-box" class="alert" aria-live="polite"></div>
<!-- ================== 步骤一:检测账号昵称 ================== -->
<div id="step-detect" class="step-panel">
<p class="lead">请输入您的聊天室用户昵称,小助手将智能查询并为您提供最安全的重置方案。</p>
<form id="account-detect-form" action="{{ route('password.check_account') }}">
<div id="alert-detect" class="alert" aria-live="polite"></div>
<label for="username">账号昵称</label>
<input
id="username"
name="username"
type="text"
maxlength="100"
placeholder="请输入您的聊天室账号昵称"
required
>
<div class="actions">
<button id="detect-btn" type="submit">下一步 (检测账号)</button>
<a class="ghost-link" href="{{ route('home') }}">返回首页</a>
</div>
</form>
</div>
<form id="password-recovery-form" data-password-email-url="{{ route('password.email') }}">
<label for="email">绑定邮箱</label>
<input
id="email"
name="email"
type="email"
maxlength="255"
placeholder="请输入账号绑定的邮箱地址"
autocomplete="email"
{{ $smtpEnabled ? '' : 'disabled' }}
required
>
<div class="tip">仅支持已绑定唯一邮箱的账号自助找回。重置链接默认 60 分钟内有效。</div>
<!-- ================== 步骤二:智能找回分流面板 ================== -->
<div id="step-result" class="step-panel" style="display: none;">
<!-- 渠道切换 Tab(仅在双绑定时可见) -->
<div id="channel-tabs" class="tabs" style="display: none;">
<button type="button" class="tab-btn active" data-target="panel-wechat">💬 微信找回 (推荐)</button>
<button type="button" class="tab-btn" data-target="panel-email">📧 邮箱找回</button>
</div>
<div class="actions">
<button id="submit-btn" type="submit" {{ $smtpEnabled ? '' : 'disabled' }}>发送重置邮件</button>
<!-- 结果提示横幅 -->
<p id="detect-summary" class="lead" style="margin-bottom: 15px; font-weight: 500;"></p>
<!-- 模块一:微信私聊重置指引 -->
<div id="panel-wechat" class="channel-pane" style="display: none;">
<div class="wechat-guide">
<div class="guide-step">
<div class="step-num">1</div>
<div class="step-desc">打开微信,进入与微信助手 <strong>【小小】</strong> 的私发消息窗口。</div>
</div>
<div class="guide-step">
<div class="step-num">2</div>
<div class="step-desc">在对话框中直接输入并发送重置口令:<span class="cmd-badge">重置密码</span></div>
</div>
<div class="guide-step">
<div class="step-num">3</div>
<div class="step-desc">微信小助手将即时为您自动生成 <strong>8位随机新密码</strong> 并直接通过微信回复您!</div>
</div>
</div>
<div class="wechat-tip">
⚠️ <strong>安全提示:</strong> 该操作直接经由微信私聊分发,密码不泄露在大厅公屏,请放心使用。
</div>
</div>
<!-- 模块二:邮箱重置发送表单 -->
<div id="panel-email" class="channel-pane" style="display: none;">
<!-- 脱敏提示标签 -->
<div id="masked-email-hint" style="margin-bottom: 14px; font-size: 13.5px; color: var(--gold); font-weight: bold; line-height: 1.6; padding: 10px; border: 1px dashed rgba(198,163,91,0.3); background: rgba(198,163,91,0.02);"></div>
<form id="password-recovery-form" data-password-email-url="{{ route('password.email') }}">
<div id="alert-email" class="alert" aria-live="polite"></div>
<label for="email">二次安全确认:请输入绑定的完整邮箱</label>
<input
id="email"
name="email"
type="email"
maxlength="255"
placeholder="请输入绑定的完整邮箱地址以进行二次确认"
autocomplete="off"
required
>
<div class="tip" style="margin-top: 10px; margin-bottom: 15px;">为保障安全,邮箱已作脱敏隐藏。请手动输入完全一致的完整绑定邮箱,否则无法发送重置链接。</div>
<button id="submit-btn" type="submit" style="width: 100%;" {{ $smtpEnabled ? '' : 'disabled' }}>二次验证并发送重置邮件</button>
</form>
</div>
<!-- 模块三:均未绑定提示(无法自助找回) -->
<div id="panel-none" class="channel-pane" style="display: none;">
<div class="wechat-tip" style="border-color: var(--danger); background: rgba(143, 46, 39, 0.08); color: #f5cbc7;">
<strong>无法自助找回:</strong><br>
由于您的账号既未绑定邮箱,也未绑定微信,系统无法验证您的持有权。请联系站长或管理员进行人工核验申诉重置。
</div>
</div>
<!-- 底部返回与重试操作 -->
<div class="actions" style="margin-top: 20px;">
<button id="back-detect-btn" type="button" class="ghost-link" style="color: var(--gold); border-color: rgba(198,163,91,0.4);">返回重新检测</button>
<a class="ghost-link" href="{{ route('home') }}">返回首页</a>
</div>
</form>
</div>
<div class="footer">
@if ($smtpEnabled)
找回成功后,请回到首页使用原昵称和新密码登录聊天室。
@else
当前系统尚未开启邮箱发信服务,暂时无法通过邮箱找回密码。
@endif
<div class="footer" id="forgot-footer">
找回密码成功后,请使用账号昵称和新重置的密码登录聊天室。
</div>
</section>
</main>
</body>
</html>
@@ -0,0 +1,239 @@
@extends('layouts.app')
@section('title', '百家乐开奖走势 - 飘落流星')
@section('head')
<style>
/* 珠盘路横向滚动条美化 */
.custom-scrollbar::-webkit-scrollbar {
height: 6px;
}
.custom-scrollbar::-webkit-scrollbar-thumb {
background-color: #4b5563;
border-radius: 9999px;
}
.custom-scrollbar::-webkit-scrollbar-track {
background-color: #1f2937;
border-radius: 9999px;
}
</style>
@endsection
@section('content')
<div class="bg-gray-950 min-h-screen text-gray-100 py-10 px-4 sm:px-6 lg:px-8">
<div class="max-w-7xl mx-auto">
{{-- 顶部标题与返回 --}}
<div class="mb-8 flex flex-col md:flex-row md:items-center md:justify-between border-b border-gray-800 pb-6 gap-4">
<div>
<h2 class="text-3xl font-extrabold tracking-tight text-white flex items-center gap-3">
<span class="text-4xl">🎲</span> 百家乐开奖走势
</h2>
<p class="mt-2 text-sm text-gray-400">公开频段历史百家乐开奖记录、点数分布以及最新珠盘路大趋势。</p>
</div>
<a href="{{ route('rooms.index') }}"
class="inline-flex items-center gap-2 px-4 py-2 border border-gray-700 bg-gray-900 text-gray-300 rounded-xl text-sm font-semibold hover:bg-gray-800 hover:text-white transition shadow-sm self-start">
&larr; 返回大厅
</a>
</div>
{{-- 统计指标卡片组 --}}
<div class="grid grid-cols-2 md:grid-cols-5 gap-4 mb-8">
<div class="bg-gray-900/60 backdrop-blur-md rounded-2xl border border-gray-800 p-5 shadow-lg">
<div class="text-3xl font-extrabold text-indigo-400 font-mono">{{ number_format($summary['total_rounds']) }}</div>
<div class="mt-2 text-xs text-gray-400 font-bold uppercase tracking-wider">历史总局数</div>
</div>
@php
$dist = $summary['result_dist'];
$total = max(1, $summary['total_rounds']);
$bigPercent = round((($dist['big'] ?? 0) / $total) * 100, 1);
$smallPercent = round((($dist['small'] ?? 0) / $total) * 100, 1);
$triplePercent = round((($dist['triple'] ?? 0) / $total) * 100, 1);
$killPercent = round((($dist['kill'] ?? 0) / $total) * 100, 1);
@endphp
<div class="bg-gray-900/60 backdrop-blur-md rounded-2xl border border-red-900/30 p-5 shadow-lg">
<div class="text-3xl font-extrabold text-red-500 font-mono">{{ $bigPercent }}%</div>
<div class="mt-2 text-xs text-gray-400 font-bold flex items-center justify-between">
<span>开大比例</span>
<span class="text-red-400 font-mono">{{ $dist['big'] ?? 0 }} </span>
</div>
</div>
<div class="bg-gray-900/60 backdrop-blur-md rounded-2xl border border-blue-900/30 p-5 shadow-lg">
<div class="text-3xl font-extrabold text-blue-500 font-mono">{{ $smallPercent }}%</div>
<div class="mt-2 text-xs text-gray-400 font-bold flex items-center justify-between">
<span>开小比例</span>
<span class="text-blue-400 font-mono">{{ $dist['small'] ?? 0 }} </span>
</div>
</div>
<div class="bg-gray-900/60 backdrop-blur-md rounded-2xl border border-purple-900/30 p-5 shadow-lg">
<div class="text-3xl font-extrabold text-purple-500 font-mono">{{ $triplePercent }}%</div>
<div class="mt-2 text-xs text-gray-400 font-bold flex items-center justify-between">
<span>开豹比例</span>
<span class="text-purple-400 font-mono">{{ $dist['triple'] ?? 0 }} </span>
</div>
</div>
<div class="bg-gray-900/60 backdrop-blur-md rounded-2xl border border-gray-800 p-5 shadow-lg col-span-2 md:col-span-1">
<div class="text-3xl font-extrabold text-gray-400 font-mono">{{ $killPercent }}%</div>
<div class="mt-2 text-xs text-gray-400 font-bold flex items-center justify-between">
<span>开收割比例</span>
<span class="text-gray-300 font-mono">{{ $dist['kill'] ?? 0 }} </span>
</div>
</div>
</div>
{{-- 珠盘路大趋势走势图 --}}
<div class="bg-gray-900 rounded-2xl p-6 border border-gray-800 shadow-xl overflow-hidden mb-8">
<div class="flex items-center justify-between mb-4">
<h3 class="text-sm font-bold text-gray-400 flex items-center gap-2">
<span>📊 珠盘路走势板(最近 30 局)</span>
</h3>
<span class="text-[10px] bg-gray-800 text-gray-400 px-2 py-0.5 rounded-full font-mono">从左往右为历史开奖顺序</span>
</div>
<div class="flex space-x-2 overflow-x-auto pb-3 custom-scrollbar">
@forelse($rounds->take(30)->reverse() as $r)
<div class="flex flex-col items-center justify-center shrink-0 w-14 h-20 rounded-xl bg-gray-950/80 border border-gray-800/80 p-1.5 shadow-inner">
<span class="text-[9px] text-gray-600 font-mono font-medium">#{{ $r->id }}</span>
@php
$colorClass = match ($r->result) {
'big' => 'bg-gradient-to-br from-red-500 to-red-600 text-white shadow-red-500/20 border-red-400',
'small' => 'bg-gradient-to-br from-blue-500 to-blue-600 text-white shadow-blue-500/20 border-blue-400',
'triple' => 'bg-gradient-to-br from-purple-500 to-purple-600 text-white shadow-purple-500/20 border-purple-400',
default => 'bg-gradient-to-br from-gray-600 to-gray-700 text-gray-200 border-gray-500',
};
$label = match ($r->result) {
'big' => '大',
'small' => '小',
'triple' => '豹',
default => '割',
};
@endphp
<div class="my-1.5 w-7 h-7 rounded-full border-2 flex items-center justify-center text-xs font-black shadow-md {{ $colorClass }}">
{{ $label }}
</div>
<span class="text-[9px] text-gray-400 font-bold font-mono">{{ $r->total_points }} </span>
</div>
@empty
<div class="w-full py-6 text-center text-gray-600 text-xs">暂无走势数据</div>
@endforelse
</div>
</div>
{{-- 历史记录数据表 --}}
<div class="bg-gray-900 rounded-2xl border border-gray-800 shadow-xl overflow-hidden">
<div class="px-6 py-5 border-b border-gray-800 flex justify-between items-center bg-gray-900/50">
<h3 class="font-bold text-base text-white">百家乐局次历史记录</h3>
<span class="text-xs text-gray-500">仅展示已结算局次数据</span>
</div>
<div class="overflow-x-auto">
<table class="w-full text-left border-collapse">
<thead>
<tr class="border-b border-gray-800 text-xs text-gray-400 uppercase tracking-wider bg-gray-950/40">
<th class="px-6 py-4 font-bold">局号</th>
<th class="px-6 py-4 font-bold">结算时间</th>
<th class="px-6 py-4 font-bold text-center">骰子开出</th>
<th class="px-6 py-4 font-bold text-center">总点数</th>
<th class="px-6 py-4 font-bold text-center">开奖结果</th>
<th class="px-6 py-4 font-bold text-right">全场总押注</th>
<th class="px-6 py-4 font-bold text-right">全场派奖金币</th>
</tr>
</thead>
<tbody class="divide-y divide-gray-800 text-sm">
@forelse ($rounds as $round)
<tr class="hover:bg-gray-800/20 transition-colors">
<td class="px-6 py-4 font-mono text-gray-400 font-medium">#{{ $round->id }}</td>
<td class="px-6 py-4 text-gray-400 text-xs">
{{ $round->settled_at ? $round->settled_at->format('m-d H:i') : '—' }}
</td>
<td class="px-6 py-4 text-center">
<div class="inline-flex gap-1.5 justify-center">
@for ($i = 1; $i <= 3; $i++)
@php $diceVal = $round->{'dice'.$i}; @endphp
@if ($diceVal)
<span class="w-7 h-7 inline-flex items-center justify-center bg-gray-800 border border-gray-700 text-white font-black rounded-lg shadow-inner text-xs font-mono">
{{ $diceVal }}
</span>
@else
<span class="text-gray-600"></span>
@endif
@endfor
</div>
</td>
<td class="px-6 py-4 text-center font-extrabold text-white font-mono text-base">
{{ $round->total_points ?? '—' }}
</td>
<td class="px-6 py-4 text-center">
@php
$resultStyles = [
'big' => 'bg-red-950/50 text-red-400 border-red-800/60',
'small' => 'bg-blue-950/50 text-blue-400 border-blue-800/60',
'triple' => 'bg-purple-950/50 text-purple-400 border-purple-800/60',
'kill' => 'bg-gray-900 text-gray-500 border-gray-800',
];
$labelText = match ($round->result) {
'big' => '大',
'small' => '小',
'triple' => '豹子',
'kill' => '收割',
default => $round->result ?? '—',
};
$borderStyle = $resultStyles[$round->result] ?? 'bg-gray-900 text-gray-500 border-gray-800';
@endphp
@if ($round->result)
<span class="inline-flex items-center px-3 py-1 rounded-full text-xs font-black border {{ $borderStyle }}">
{{ $labelText }}
</span>
@else
<span class="text-gray-600">未结算</span>
@endif
</td>
<td class="px-6 py-4 text-right text-xs font-mono text-gray-400">
<div class="flex flex-col items-end">
<span class="font-bold text-gray-300">
{{ number_format(($round->total_bet_big ?? 0) + ($round->total_bet_small ?? 0) + ($round->total_bet_triple ?? 0)) }}
</span>
<span class="text-[9px] text-gray-500 mt-0.5">
:<span class="text-red-400">{{ number_format($round->total_bet_big ?? 0) }}</span> |
:<span class="text-blue-400">{{ number_format($round->total_bet_small ?? 0) }}</span> |
:<span class="text-purple-400">{{ number_format($round->total_bet_triple ?? 0) }}</span>
</span>
</div>
</td>
<td class="px-6 py-4 text-right font-mono font-extrabold text-amber-500 text-base">
{{ number_format($round->total_payout ?? 0) }}
</td>
</tr>
@empty
<tr>
<td colspan="7" class="px-6 py-12 text-center text-gray-500">
<p class="font-bold">暂无开奖记录</p>
</td>
</tr>
@endforelse
</tbody>
</table>
</div>
{{-- 分页器美化 --}}
@if ($rounds->hasPages())
<div class="px-6 py-5 border-t border-gray-800 bg-gray-950/20">
{{-- Laravel 默认分页器兼容 --}}
<div class="baccarat-pagination-dark">
{{ $rounds->links() }}
</div>
</div>
@endif
</div>
</div>
</div>
@endsection
+3 -1
View File
@@ -9,7 +9,9 @@ Broadcast::channel('App.Models.User.{id}', function ($user, $id) {
// 聊天室房间 Presence Channel 鉴权与成员信息抓取
Broadcast::channel('room.{roomId}', function ($user, $roomId) {
$room = \App\Models\Room::find($roomId);
$room = \Illuminate\Support\Facades\Cache::remember("room:meta:{$roomId}", 300, function () use ($roomId) {
return \App\Models\Room::find($roomId);
});
if (! $room || ! $room->canUserEnter($user)) {
return false;
}
+2
View File
@@ -47,6 +47,7 @@ Route::post('/login', [AuthController::class, 'login'])
Route::middleware('guest')->group(function () {
Route::get('/forgot-password', [PasswordResetController::class, 'create'])->name('password.request');
Route::post('/forgot-password', [PasswordResetController::class, 'storeLink'])->name('password.email');
Route::post('/forgot-password/check-account', [PasswordResetController::class, 'checkAccount'])->name('password.check_account');
Route::get('/reset-password/{token}', [PasswordResetController::class, 'edit'])->name('password.reset');
Route::post('/reset-password', [PasswordResetController::class, 'update'])->name('password.update');
});
@@ -170,6 +171,7 @@ Route::middleware(['chat.auth'])->group(function () {
Route::get('/current', [\App\Http\Controllers\BaccaratController::class, 'currentRound'])->name('current');
Route::post('/bet', [\App\Http\Controllers\BaccaratController::class, 'bet'])->name('bet');
Route::get('/history', [\App\Http\Controllers\BaccaratController::class, 'history'])->name('history');
Route::get('/history-page', [\App\Http\Controllers\BaccaratController::class, 'historyPage'])->name('history-page');
});
// ── 百家乐买单活动(前台)───────────────────────────────────────
+5 -6
View File
@@ -432,12 +432,11 @@ class ChatControllerTest extends TestCase
$response = $this->actingAs($user)->get(route('chat.room', $room->id));
$response->assertOk();
$response->assertSee('⚠️ 警告', false);
$response->assertSee('🔇 禁言', false);
$response->assertSee('封号', false);
$response->assertDontSee('🚫 踢出', false);
$response->assertDontSee('🌐 封IP', false);
$response->assertDontSee('🧊 冻结', false);
$response->assertSee('警告', false);
$response->assertSee('禁言', false);
$response->assertSee('封号', false);
$response->assertDontSee('踢出', false);
$response->assertDontSee('封IP', false);
}
/**
+115
View File
@@ -0,0 +1,115 @@
<?php
/**
* 文件功能:微信机器人 Kafka 消息消费及密码重置测试
*
* 覆盖在微信上对助手机器人发送重置密码的拦截逻辑,
* 验证对未绑定账号及已绑定账号的回复行为和密码更新结果。
*
* @author ChatRoom Laravel
*
* @version 1.0.0
*/
namespace Tests\Feature;
use App\Models\User;
use App\Services\WechatBot\KafkaConsumerService;
use App\Services\WechatBot\WechatBotApiService;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Hash;
use Mockery\MockInterface;
use Tests\TestCase;
/**
* 验证 ConsumeWechatMessages 控制台消费命令的解析与动作路由行为。
*/
class ConsumeWechatMessagesTest extends TestCase
{
use RefreshDatabase;
/**
* 当微信用户未绑定任何聊天室账户时发送“重置密码”,回复未绑定指引微信。
*/
public function test_wechat_password_reset_fails_when_not_bound(): void
{
$apiServiceMock = $this->mock(WechatBotApiService::class, function (MockInterface $mock) {
$mock->shouldReceive('sendTextMessage')
->once()
->with('wxid_test_user_123', \Mockery::on(function ($arg) {
return str_contains($arg, '密码重置失败') && str_contains($arg, '尚未绑定');
}))
->andReturn([]);
});
$msg = [
'msg_type' => 1,
'content' => '重置密码',
'from_user' => 'wxid_test_user_123',
'is_chatroom' => false,
];
$command = new \App\Console\Commands\ConsumeWechatMessages(
$this->createMock(KafkaConsumerService::class)
);
$command->setLaravel($this->app);
// 绑定 NullOutput 避免 $this->info 报 null 指针错误
$output = new \Symfony\Component\Console\Output\NullOutput;
$reflectorOutput = new \ReflectionProperty($command, 'output');
$reflectorOutput->setValue($command, new \Illuminate\Console\OutputStyle(
new \Symfony\Component\Console\Input\ArrayInput([]),
$output
));
$reflector = new \ReflectionMethod($command, 'processMessage');
$reflector->invoke($command, $msg, $apiServiceMock);
}
/**
* 当已绑定微信的用户在微信私聊中发送“重置密码”时,自动随机生成 8 位密码并完成更新,通过微信私信回发。
*/
public function test_wechat_password_reset_succeeds_when_bound(): void
{
$user = User::factory()->create([
'username' => 'test_bind_user',
'wxid' => 'wxid_test_user_123',
'password' => Hash::make('old_password_123'),
]);
$apiServiceMock = $this->mock(WechatBotApiService::class, function (MockInterface $mock) use ($user) {
$mock->shouldReceive('sendTextMessage')
->once()
->with('wxid_test_user_123', \Mockery::on(function ($arg) use ($user) {
return str_contains($arg, '密码重置成功') && str_contains($arg, $user->username);
}))
->andReturn([]);
});
$msg = [
'msg_type' => 1,
'content' => ' 想要重置密码呢 ',
'from_user' => 'wxid_test_user_123',
'is_chatroom' => false,
];
$command = new \App\Console\Commands\ConsumeWechatMessages(
$this->createMock(KafkaConsumerService::class)
);
$command->setLaravel($this->app);
// 绑定 NullOutput
$output = new \Symfony\Component\Console\Output\NullOutput;
$reflectorOutput = new \ReflectionProperty($command, 'output');
$reflectorOutput->setValue($command, new \Illuminate\Console\OutputStyle(
new \Symfony\Component\Console\Input\ArrayInput([]),
$output
));
$reflector = new \ReflectionMethod($command, 'processMessage');
$reflector->invoke($command, $msg, $apiServiceMock);
$user->refresh();
$this->assertFalse(Hash::check('old_password_123', $user->password));
}
}
@@ -0,0 +1,191 @@
<?php
/**
* 文件功能:找回密码账号检测与防扫描轰炸限流 Feature 测试
*
* 覆盖密码重置流程中的多维限流阀门,确保 IP 防扫与用户邮箱防轰炸策略稳健起效。
*
* @author ChatRoom Laravel
*
* @version 1.0.0
*/
namespace Tests\Feature;
use App\Models\Sysparam;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\RateLimiter;
use Tests\TestCase;
class PasswordResetRateLimitTest extends TestCase
{
use RefreshDatabase;
protected function setUp(): void
{
parent::setUp();
RateLimiter::clear('pw-check:ip:127.0.0.1');
RateLimiter::clear('pw-email:ip:127.0.0.1');
}
/**
* 测试账号检测:不存在账号返回 404/not_found
*/
public function test_check_account_returns_not_found_when_user_does_not_exist(): void
{
$response = $this->postJson(route('password.check_account'), [
'username' => 'non_existing_user_abc',
]);
$response->assertStatus(200);
$response->assertJson([
'status' => 'not_found',
'message' => '抱歉,没有找到该昵称对应的账号。请确认后再试。',
]);
}
/**
* 测试账号检测分流状态与脱敏邮箱输出
*/
public function test_check_account_shows_correct_channels(): void
{
// 1. 双绑定用户
$bothBoundUser = User::factory()->create([
'username' => 'both_user',
'email' => 'both.test@example.com',
'wxid' => 'wxid_both',
]);
$response1 = $this->postJson(route('password.check_account'), [
'username' => 'both_user',
]);
$response1->assertJson([
'status' => 'success',
'has_email' => true,
'has_wechat' => true,
'masked_email' => 'b*******t@example.com',
]);
// 2. 仅绑定微信用户
$wechatUser = User::factory()->create([
'username' => 'wx_user',
'email' => null,
'wxid' => 'wxid_single',
]);
$response2 = $this->postJson(route('password.check_account'), [
'username' => 'wx_user',
]);
$response2->assertJson([
'status' => 'success',
'has_email' => false,
'has_wechat' => true,
]);
// 3. 均未绑定用户
$noneUser = User::factory()->create([
'username' => 'none_user',
'email' => null,
'wxid' => null,
]);
$response3 = $this->postJson(route('password.check_account'), [
'username' => 'none_user',
]);
$response3->assertJson([
'status' => 'success',
'has_email' => false,
'has_wechat' => false,
]);
}
/**
* 测试 IP 防扫描限流限制 (每个 IP 1分钟限制 5 次检测)
*/
public function test_check_account_rate_limiting(): void
{
$ip = '127.0.0.1';
// 连续请求 5 次都应该正常响应
for ($i = 0; $i < 5; $i++) {
$response = $this->postJson(route('password.check_account'), [
'username' => 'non_existing_user',
]);
$response->assertStatus(200);
}
// 第 6 次应该被 RateLimiter 节流拦截返回 429
$response = $this->postJson(route('password.check_account'), [
'username' => 'non_existing_user',
]);
$response->assertStatus(429);
$response->assertJson([
'status' => 'error',
]);
$this->assertStringContainsString('请求过于频繁', $response->json('message'));
}
/**
* 测试当用户输入的邮箱地址与绑定的真实邮箱不匹配时,二次核验拦截报错
*/
public function test_store_link_fails_when_masked_email_mismatch(): void
{
Sysparam::updateOrCreate(['alias' => 'smtp_enabled'], ['body' => '1']);
User::factory()->create([
'username' => 'mismatch_user',
'email' => 'real.mail@example.com',
]);
$response = $this->postJson(route('password.email'), [
'username' => 'mismatch_user',
'email' => 'wrong.mail@example.com', // 错误的手输邮箱
]);
$response->assertStatus(422);
$response->assertJson([
'status' => 'error',
'message' => '输入的完整邮箱地址与该账号绑定的邮箱不一致,二次确认失败。',
]);
}
/**
* 测试发送链接的双层安全控频防御 (防止发信轰炸他人)
*/
public function test_store_link_prevents_email_bombing(): void
{
Sysparam::updateOrCreate(['alias' => 'smtp_enabled'], ['body' => '1']);
$user = User::factory()->create([
'username' => 'bomb_user',
'email' => 'bomb.target@example.com',
]);
$email = $user->email;
$targetKey = 'pw-email:target:'.md5($email);
RateLimiter::clear($targetKey);
// 模拟第一次发送
$response1 = $this->postJson(route('password.email'), [
'username' => 'bomb_user',
'email' => 'bomb.target@example.com',
]);
// 第二次在 3 分钟内再次连续发送,触发 429 节流
$response2 = $this->postJson(route('password.email'), [
'username' => 'bomb_user',
'email' => 'bomb.target@example.com',
]);
$response2->assertStatus(429);
$response2->assertJson([
'status' => 'error',
]);
$this->assertStringContainsString('重置链接过于频繁', $response2->json('message'));
}
}
+92
View File
@@ -0,0 +1,92 @@
<?php
/**
* 文件功能:大厅安全绑定强引导(邮箱/微信二选一)提示弹窗 Feature 测试
*
* @author ChatRoom Laravel
*
* @version 1.0.0
*/
namespace Tests\Feature;
use App\Models\Room;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;
class SecurityBindAlertTest extends TestCase
{
use RefreshDatabase;
/**
* 创建测试用房间,防范 Room 未配置 Factory
*/
protected function createRoom(): Room
{
return Room::query()->create([
'room_name' => '大厅',
'room_owner' => '站长',
'room_des' => '欢迎光临',
'permit_level' => 0,
]);
}
/**
* 测试当用户邮箱和微信均未绑定时,进入聊天室大厅页面会渲染安全绑定遮罩弹窗提示
*/
public function test_shows_bind_alert_modal_when_user_has_no_email_and_no_wechat(): void
{
$user = User::factory()->create([
'email' => null,
'wxid' => null,
]);
$room = $this->createRoom();
$response = $this->actingAs($user)->get(route('chat.room', $room->id));
$response->assertStatus(200);
$response->assertSee('security-bind-modal');
$response->assertSee('账号安全绑定提醒');
$response->assertSee('立即前往设置(查看微信小小二维码)');
}
/**
* 测试当用户已经设置了邮箱时,进入聊天室大厅页面不会弹出安全绑定提醒
*/
public function test_does_not_show_bind_alert_when_user_has_email(): void
{
$user = User::factory()->create([
'email' => 'has.email@example.com',
'wxid' => null,
]);
$room = $this->createRoom();
$response = $this->actingAs($user)->get(route('chat.room', $room->id));
$response->assertStatus(200);
$response->assertDontSee('security-bind-modal');
$response->assertDontSee('账号安全绑定提醒');
}
/**
* 测试当用户已经绑定了微信时,进入聊天室大厅页面不会弹出安全提醒
*/
public function test_does_not_show_bind_alert_when_user_has_wechat(): void
{
$user = User::factory()->create([
'email' => null,
'wxid' => 'wxid_test_123',
]);
$room = $this->createRoom();
$response = $this->actingAs($user)->get(route('chat.room', $room->id));
$response->assertStatus(200);
$response->assertDontSee('security-bind-modal');
$response->assertDontSee('账号安全绑定提醒');
}
}