security(auth): 移除公開 admin/register 端點,改由 app:create-admin 建立管理員
P0 漏洞:原 POST /api/admin/register 無任何防護,任何人可註冊管理員帳號。 - 移除路由、AuthController::registerAdmin、對應 Swagger 文件 - 新增 app:create-admin artisan command(密碼門檻 min:8) - 補 AdminAccountCreationTest 防止端點被重新打開 - 同步 admin-auth 規格,並收錄 2026-06-11 稽核報告與路線圖文檔 Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
@@ -846,59 +846,6 @@ class AuthController extends Controller
|
||||
]);
|
||||
}
|
||||
|
||||
/**
|
||||
* 管理員註冊
|
||||
*/
|
||||
public function registerAdmin(Request $request)
|
||||
{
|
||||
// 驗證請求數據
|
||||
$validator = Validator::make($request->all(), [
|
||||
'name' => 'required|string|max:255',
|
||||
'email' => 'required|string|email|max:255|unique:users',
|
||||
'password' => 'required|string|min:6|confirmed',
|
||||
'phone' => 'nullable|string|max:20',
|
||||
'position' => 'nullable|string|max:100',
|
||||
'department' => 'nullable|string|max:100',
|
||||
]);
|
||||
|
||||
if ($validator->fails()) {
|
||||
return response()->json([
|
||||
'status' => false,
|
||||
'message' => '驗證失敗',
|
||||
'errors' => $validator->errors()
|
||||
], 422);
|
||||
}
|
||||
|
||||
// 創建用戶
|
||||
$user = User::create([
|
||||
'name' => $request->name,
|
||||
'email' => $request->email,
|
||||
'password' => Hash::make($request->password),
|
||||
'phone' => $request->phone,
|
||||
'role' => 'admin', // 強制為管理員角色
|
||||
]);
|
||||
|
||||
// 創建管理員資料
|
||||
AdminProfile::create([
|
||||
'user_id' => $user->id,
|
||||
'position' => $request->position,
|
||||
'department' => $request->department,
|
||||
]);
|
||||
|
||||
// 創建 API token
|
||||
$token = $user->createToken('auth_token')->plainTextToken;
|
||||
|
||||
return response()->json([
|
||||
'status' => true,
|
||||
'message' => '管理員註冊成功',
|
||||
'data' => [
|
||||
'user' => $user,
|
||||
'token' => $token,
|
||||
'token_type' => 'Bearer',
|
||||
]
|
||||
], 201);
|
||||
}
|
||||
|
||||
/**
|
||||
* 管理員登入
|
||||
*/
|
||||
|
||||
Reference in New Issue
Block a user