Files
a620906209 aeb8c975e2 security(auth): 移除公開 admin/register 端點,改由 app:create-admin 建立管理員
P0 漏洞:原 POST /api/admin/register 無任何防護,任何人可註冊管理員帳號。
- 移除路由、AuthController::registerAdmin、對應 Swagger 文件
- 新增 app:create-admin artisan command(密碼門檻 min:8)
- 補 AdminAccountCreationTest 防止端點被重新打開
- 同步 admin-auth 規格,並收錄 2026-06-11 稽核報告與路線圖文檔

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-11 17:36:33 +08:00

63 lines
2.1 KiB
PHP
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
<?php
namespace App\Console\Commands;
use App\Models\AdminProfile;
use App\Models\User;
use Illuminate\Console\Command;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Validator;
class CreateAdminUser extends Command
{
protected $signature = 'app:create-admin
{name : 管理員姓名}
{email : 登入用電子郵件}
{--password= : 密碼(至少 8 碼,未提供時互動式輸入)}
{--position= : 職位}
{--department= : 部門}';
protected $description = '建立管理員帳號(公開 /api/admin/register 端點已移除,管理員一律由主機端建立)';
public function handle(): int
{
$password = $this->option('password') ?: $this->secret('請輸入密碼(至少 8 碼)');
$validator = Validator::make([
'name' => $this->argument('name'),
'email' => $this->argument('email'),
'password' => $password,
], [
'name' => 'required|string|max:255',
'email' => 'required|string|email|max:255|unique:users',
// 管理權限影響全平台,密碼門檻高於一般使用者的 min:6
'password' => 'required|string|min:8',
]);
if ($validator->fails()) {
foreach ($validator->errors()->all() as $error) {
$this->error($error);
}
return self::FAILURE;
}
$user = User::create([
'name' => $this->argument('name'),
'email' => $this->argument('email'),
'password' => Hash::make($password),
'role' => 'admin',
]);
AdminProfile::create([
'user_id' => $user->id,
'position' => $this->option('position'),
'department' => $this->option('department'),
]);
$this->info("管理員帳號已建立:{$user->email}id={$user->id}");
return self::SUCCESS;
}
}