security(auth): P2 帳號鎖定 + OAuth state 驗證 #23
Reference in New Issue
Block a user
Delete Branch "security/auth-p2-lockout-oauth-state"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Co-Authored-By: Claude Sonnet 4.6 noreply@anthropic.com
- Account lockout:連續失敗 5 次鎖定 15 分鐘(Fixed Window,Cache) - Member / Provider 各自獨立 namespace - Email 正規化(strtolower+trim) - 不存在帳號不累計計數(防 Cache 污染) - companion key 記錄 locked_until(ISO 8601) - OAuth CSRF 防護:移除 stateless(),手動 state 生成與驗證 - session('oauth_state') + session('state') 雙寫確保 Socialite 內建驗證通過 - state mismatch redirect 至 /login?error=oauth_failed - throttle 從 5,1 調整為 10,1,避免 IP throttle 在 lockout 前觸發 - NormalizesEmail Trait、config/auth_lockout.php Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>