From f6e88d85e73dfd5752872f9ec129bb9f0dc027ac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=96=BB=E5=8B=87=E7=A5=A5?= <237899745@qq.com>
Date: Thu, 13 Nov 2025 23:20:25 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E9=98=B2=E7=88=86?= =?UTF-8?q?=E7=A0=B4=E4=BF=9D=E6=8A=A4=E4=B8=8D=E7=94=9F=E6=95=88=E7=9A=84?= =?UTF-8?q?=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

问题原因:
- 登录接口缺少recordFailure调用
- 分享密码接口缺少recordFailure和recordSuccess调用
修复内容:
- 在用户不存在时记录失败尝试
- 在密码错误时记录失败尝试
- 在分享密码错误时记录失败尝试
- 在分享密码验证成功时清除失败记录
测试方法:
- 连续5次错误登录后应被封锁30分钟
- 连续10次错误分享密码后应被封锁20分钟
---
 backend/server.js | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
diff --git a/backend/server.js b/backend/server.js
index e44d9ff..b3c5b72 100644
--- a/backend/server.js
+++ b/backend/server.js
@@ -574,6 +574,13 @@ app.post('/api/login',
 const user = UserDB.findByUsername(username);
 if (!user) {
+ // 记录失败尝试
+ if (req.rateLimitKeys) {
+ loginLimiter.recordFailure(req.rateLimitKeys.ipKey);
+ if (req.rateLimitKeys.usernameKey) {
+ loginLimiter.recordFailure(req.rateLimitKeys.usernameKey);
+ }
+ }
 return res.status(401).json({
 success: false,
 message: '用户名或密码错误'
@@ -588,6 +595,13 @@ app.post('/api/login',
 }
 if (!UserDB.verifyPassword(password, user.password)) {
+ // 记录失败尝试
+ if (req.rateLimitKeys) {
+ loginLimiter.recordFailure(req.rateLimitKeys.ipKey);
+ if (req.rateLimitKeys.usernameKey) {
+ loginLimiter.recordFailure(req.rateLimitKeys.usernameKey);
+ }
+ }
 return res.status(401).json({
 success: false,
 message: '用户名或密码错误'
@@ -1587,6 +1601,10 @@ app.post('/api/share/:code/verify', shareRateLimitMiddleware, async (req, res) =
 }
 if (!ShareDB.verifyPassword(password, share.share_password)) {
+ // 记录密码错误
+ if (req.shareRateLimitKey) {
+ shareLimiter.recordFailure(req.shareRateLimitKey);
+ }
 return res.status(401).json({
 success: false,
 message: '密码错误'
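Review bot: The seven-line failure-recording block added after `if (!user) {` is repeated verbatim in the second hunk at the `verifyPassword` rejection, and the `ipKey`-always / `usernameKey`-only-when-set asymmetry now has to be kept in sync in two places; a small `recordLoginFailure(req)` helper beside `loginLimiter` would remove that. The `if (req.rateLimitKeys)` guard (and its twin `if (req.shareRateLimitKey)` in the third hunk) also means that if a route is ever mounted without the middleware that sets the keys, failures are silently not counted and the lockout the commit message describes quietly stops working, so a warning in that branch would make the misconfiguration visible. Keying a 30-minute lockout on the username alone is a known availability trade-off (five wrong passwords for a known username lock that user out), so pairing the username key with the client address or using a progressive delay for the username key is worth weighing if the limiter's key layout, which is set outside this hunk, allows it. The enclosing `/api/login` handler starts and ends outside the hunk.
```javascript
// Helper next to the loginLimiter setup; call it from both 401 paths.
function recordLoginFailure(req) {
  if (!req.rateLimitKeys) {
    // The rate-limit middleware did not run for this request; say so instead of silently not counting.
    console.warn('login rate limiter keys missing; failed attempt not recorded');
    return;
  }
  loginLimiter.recordFailure(req.rateLimitKeys.ipKey);
  if (req.rateLimitKeys.usernameKey) {
    loginLimiter.recordFailure(req.rateLimitKeys.usernameKey);
  }
}

// … unchanged: user lookup …
if (!user) {
  recordLoginFailure(req);
  return res.status(401).json({
```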
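Review bot: `shareLimiter.recordFailure(req.shareRateLimitKey)` is called without `await` inside an `async` handler; if the limiter persists asynchronously a rejection here would be unhandled, so either `await` it or add `// shareLimiter.recordFailure is synchronous (in-memory); no await needed` once that is confirmed (the same applies to `recordSuccess` in the next hunk). A one-line comment stating what `shareRateLimitKey` is composed of (per client, per share code, or both) would also help, because the "10 failures, 20 minutes" lockout from the commit message behaves differently in each case: keyed per share only, one client's ten failed guesses lock the share for every viewer, while keyed per client only, the per-share guess budget is not bounded. The `/api/share/:code/verify` handler starts outside the hunk.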
@@ -1594,6 +1612,11 @@ app.post('/api/share/:code/verify', shareRateLimitMiddleware, async (req, res) =
 }
 }
+ // 清除失败记录(密码验证成功)
+ if (req.shareRateLimitKey) {
+ shareLimiter.recordSuccess(req.shareRateLimitKey);
+ }
+
 // 增加查看次数
 ShareDB.incrementViewCount(code);
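Review bot: `recordSuccess` runs after the two closing braces that end the password check, so it also resets the failure count on requests that never went through a password comparison — presumably the branch for shares without a password, though the enclosing condition is outside the hunk. That is harmless for the counter, but the added comment `// 清除失败记录(密码验证成功)` overstates it; `// Reset the failure count for this key: the password check passed, or the share needs none` describes what actually happens. The `/api/share/:code/verify` handler starts outside the hunk and its success response follows below it.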