237899745/zsglpt
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Harden auth, CSRF, and email log UX

Browse Source
This commit is contained in:
yuyx
2025-12-26 19:05:20 +08:00
parent 3214cbbd91
commit f90b0a4f11
47 changed files with 583 additions and 198 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
routes/api_user.py
View File

@@ -5,11 +5,11 @@ from __future__ import annotations
import database
import email_service
from app_logger import get_logger
from app_security import require_ip_not_locked, validate_email, validate_password
from app_security import get_rate_limit_ip, require_ip_not_locked, validate_email, validate_password
from flask import Blueprint, jsonify, request
from flask_login import current_user, login_required
from routes.pages import render_app_spa_or_legacy
from services.state import safe_iter_task_status_items
from services.state import check_ip_request_rate, safe_iter_task_status_items
logger = get_logger("app")
@@ -152,12 +152,21 @@ def get_user_email():
@require_ip_not_locked
def bind_user_email():
"""发送邮箱绑定验证邮件"""
data = request.get_json()
data = request.get_json() or {}
email = data.get("email", "").strip().lower()
if not email or not validate_email(email):
if not email:
return jsonify({"error": "请输入有效的邮箱地址"}), 400
is_valid, error_msg = validate_email(email)
if not is_valid:
return jsonify({"error": error_msg}), 400
client_ip = get_rate_limit_ip()
allowed, error_msg = check_ip_request_rate(client_ip, "email")
if not allowed:
return jsonify({"error": error_msg}), 429
settings = email_service.get_email_settings()
if not settings.get("enabled", False):
return jsonify({"error": "邮件功能未启用,请联系管理员"}), 400