security(auth): P2 帳號鎖定 + OAuth state 驗證
- Account lockout:連續失敗 5 次鎖定 15 分鐘(Fixed Window,Cache)
- Member / Provider 各自獨立 namespace
- Email 正規化(strtolower+trim)
- 不存在帳號不累計計數(防 Cache 污染)
- companion key 記錄 locked_until(ISO 8601)
- OAuth CSRF 防護:移除 stateless(),手動 state 生成與驗證
- session('oauth_state') + session('state') 雙寫確保 Socialite 內建驗證通過
- state mismatch redirect 至 /login?error=oauth_failed
- throttle 從 5,1 調整為 10,1,避免 IP throttle 在 lockout 前觸發
- NormalizesEmail Trait、config/auth_lockout.php
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
+2
-2
@@ -28,7 +28,7 @@ Route::get('/diving-offers/{id}/reviews', [ReviewController::class, 'publicList
|
||||
|
||||
// 會員註冊/登入
|
||||
Route::post('/member/register', [AuthController::class, 'registerMember']);
|
||||
Route::middleware('throttle:5,1')->post('/member/login', [AuthController::class, 'loginMember']);
|
||||
Route::middleware('throttle:10,1')->post('/member/login', [AuthController::class, 'loginMember']);
|
||||
|
||||
// Google 第三方登入(僅會員)
|
||||
Route::get('/auth/google/redirect', [\App\Http\Controllers\API\SocialAuthController::class, 'redirectToGoogle']);
|
||||
@@ -62,7 +62,7 @@ Route::middleware('auth:sanctum')->post('/reviews/{id}/helpful', [ReviewControll
|
||||
|
||||
// 服務提供者註冊/登入
|
||||
Route::post('/provider/register', [AuthController::class, 'registerProvider']);
|
||||
Route::middleware('throttle:5,1')->post('/provider/login', [AuthController::class, 'loginProvider']);
|
||||
Route::middleware('throttle:10,1')->post('/provider/login', [AuthController::class, 'loginProvider']);
|
||||
|
||||
// 服務提供者專屬 API(需登入)
|
||||
Route::middleware(['auth:sanctum'])->prefix('provider')->group(function () {
|
||||
|
||||
Reference in New Issue
Block a user