修复绕过注册邮箱限制

xmdhs 2023-11-25 18:01:24 +08:00
parent afdfa4c413
commit 8071de4d72
No known key found for this signature in database
GPG Key ID: E809D6D43DEFCC95
4 changed files with 11 additions and 11 deletions


@ -27,7 +27,7 @@ function Root() {
<Route path="/login" element={<Login />} /> <Route path="/login" element={<Login />} />
<Route path="/register" element={<Register />} /> <Route path="/register" element={<Register />} />
<Route path="/register_email" element={<SendEmail title="注册" sendService={sendRegEmail} />} /> <Route path="/register_email" element={<SendEmail title="注册" sendService={sendRegEmail} />} />
<Route path="/forgot_email" element={<SendEmail title="找回密码" anyEmail sendService={sendForgotEmail} />} /> <Route path="/forgot_email" element={<SendEmail title="重设密码" anyEmail sendService={sendForgotEmail} />} />
<Route path="/forgot" element={<Forgot />} /> <Route path="/forgot" element={<Forgot />} />
<Route element={<NeedLogin><Outlet /></NeedLogin>}> <Route element={<NeedLogin><Outlet /></NeedLogin>}>


@ -18,7 +18,7 @@ import { useNavigate } from 'react-router-dom';
export default function Forgot() { export default function Forgot() {
const [err, setErr] = useState("") const [err, setErr] = useState("")
useTitle("找回密码") useTitle("重设密码")
const [passerr, setPasserr] = useState("") const [passerr, setPasserr] = useState("")
const [pass, setPass] = useState({ const [pass, setPass] = useState({
pass1: "", pass1: "",


@ -113,7 +113,7 @@ func (e EmailService) SendVerifyUrl(ctx context.Context, email string, interval
return fmt.Errorf("SendVerifyUrl: %w", err) return fmt.Errorf("SendVerifyUrl: %w", err)
} }
code, err := newJwtToken(e.pri, email) code, err := newJwtToken(e.pri, email, issuer+path)
if err != nil { if err != nil {
return fmt.Errorf("SendVerifyUrl: %w", err) return fmt.Errorf("SendVerifyUrl: %w", err)
} }
@ -159,7 +159,7 @@ var (
ErrTokenInvalid = errors.New("token 无效") ErrTokenInvalid = errors.New("token 无效")
) )
func (e EmailService) VerifyJwt(email, jwtStr string) error { func (e EmailService) VerifyJwt(email, jwtStr, path string) error {
token, err := jwt.ParseWithClaims(jwtStr, &jwt.RegisteredClaims{}, func(t *jwt.Token) (interface{}, error) { token, err := jwt.ParseWithClaims(jwtStr, &jwt.RegisteredClaims{}, func(t *jwt.Token) (interface{}, error) {
return &e.pri.PublicKey, nil return &e.pri.PublicKey, nil
}) })
@ -168,20 +168,20 @@ func (e EmailService) VerifyJwt(email, jwtStr string) error {
} }
sub, _ := token.Claims.GetSubject() sub, _ := token.Claims.GetSubject()
iss, _ := token.Claims.GetIssuer() iss, _ := token.Claims.GetIssuer()
if !token.Valid || sub != email || iss != issuer { if !token.Valid || sub != email || iss+path != issuer {
return fmt.Errorf("VerifyJwt: %w", ErrTokenInvalid) return fmt.Errorf("VerifyJwt: %w", ErrTokenInvalid)
} }
return nil return nil
} }
const issuer = "authlib-skin email verification" const issuer = "email"
func newJwtToken(jwtKey *rsa.PrivateKey, email string) (string, error) { func newJwtToken(jwtKey *rsa.PrivateKey, email, iss string) (string, error) {
token := jwt.NewWithClaims(jwt.SigningMethodRS256, jwt.RegisteredClaims{ token := jwt.NewWithClaims(jwt.SigningMethodRS256, jwt.RegisteredClaims{
ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * 24 * time.Hour)), ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * 24 * time.Hour)),
IssuedAt: jwt.NewNumericDate(time.Now()), IssuedAt: jwt.NewNumericDate(time.Now()),
Subject: email, Subject: email,
Issuer: issuer, Issuer: iss,
}) })
jwts, err := token.SignedString(jwtKey) jwts, err := token.SignedString(jwtKey)
if err != nil { if err != nil {
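Review bot: The issuer comparison on the new side of the earlier hunk in this file, `iss+path != issuer`, cannot hold for a token that newJwtToken now mints with `issuer+path`: the claim already carries the path, so appending it a second time never equals the bare `issuer`, and VerifyJwt would return ErrTokenInvalid for every token (unless the rendered page dropped part of the expression). The purpose binding the commit is after reads `if !token.Valid || sub != email || iss != issuer+path {`, which is what makes a token sent for /forgot unusable at /register and vice versa. It would also be worth naming the two path strings once in this package so the minting side in SendVerifyUrl and the checking side in Reg and ForgotPassword cannot drift apart. newJwtToken's body continues outside the hunk.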


@ -60,7 +60,7 @@ func (w *UserService) Reg(ctx context.Context, u model.UserReg, ipPrefix, ip str
} }
if w.config.Email.Enable { if w.config.Email.Enable {
err := w.emailService.VerifyJwt(u.Email, u.EmailJwt) err := w.emailService.VerifyJwt(u.Email, u.EmailJwt, "/register")
if err != nil { if err != nil {
return model.LoginRep{}, fmt.Errorf("Reg: %w", err) return model.LoginRep{}, fmt.Errorf("Reg: %w", err)
} }
@ -263,7 +263,7 @@ func (w *UserService) SendChangePasswordEmail(ctx context.Context, email, Captch
if c == 0 { if c == 0 {
return fmt.Errorf("SendChangePasswordEmail: %w", ErrUsername) return fmt.Errorf("SendChangePasswordEmail: %w", ErrUsername)
} }
err = w.emailService.SendVerifyUrl(ctx, email, 60, host, "找回密码邮箱验证", "点击下方链接更改你的密码1 天内有效", "/forgot") err = w.emailService.SendVerifyUrl(ctx, email, 60, host, "重设密码", "点击下方链接更改你的密码1 天内有效", "/forgot")
if err != nil { if err != nil {
return fmt.Errorf("SendChangePasswordEmail: %w", err) return fmt.Errorf("SendChangePasswordEmail: %w", err)
} }
@ -271,7 +271,7 @@ func (w *UserService) SendChangePasswordEmail(ctx context.Context, email, Captch
} }
func (w *UserService) ForgotPassword(ctx context.Context, email, passWord, emailJwt string) error { func (w *UserService) ForgotPassword(ctx context.Context, email, passWord, emailJwt string) error {
err := w.emailService.VerifyJwt(email, emailJwt) err := w.emailService.VerifyJwt(email, emailJwt, "/forgot")
if err != nil { if err != nil {
return fmt.Errorf("ForgotPassword: %w", err) return fmt.Errorf("ForgotPassword: %w", err)
} }