security(auth): 移除公開 admin/register 端點,改由 app:create-admin 建立管理員
P0 漏洞:原 POST /api/admin/register 無任何防護,任何人可註冊管理員帳號。 - 移除路由、AuthController::registerAdmin、對應 Swagger 文件 - 新增 app:create-admin artisan command(密碼門檻 min:8) - 補 AdminAccountCreationTest 防止端點被重新打開 - 同步 admin-auth 規格,並收錄 2026-06-11 稽核報告與路線圖文檔 Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
+1
-2
@@ -102,8 +102,7 @@ Route::middleware(['auth:sanctum'])->prefix('provider')->group(function () {
|
||||
Route::put('/bookings/{id}/complete', [ProviderBookingController::class, 'complete']);
|
||||
});
|
||||
|
||||
// 管理員註冊/登入
|
||||
Route::post('/admin/register', [AuthController::class, 'registerAdmin']);
|
||||
// 管理員登入(帳號建立僅限主機端 php artisan app:create-admin,不提供公開註冊)
|
||||
Route::middleware('throttle:3,1')->post('/admin/login', [AuthController::class, 'loginAdmin']);
|
||||
|
||||
// 管理員專屬 API(需登入)
|
||||
|
||||
Reference in New Issue
Block a user