feat: add registration abuse prevention
- Silently block verification code for IPs with 2+ registered accounts
- Silently block Gmail alias emails (containing + or . in local part)
- Add CountByRegistrationIP to UserRepository interface
- Pass client IP to SendVerifyCodeAsync for abuse detection

Both checks return fake success to prevent enumeration attacks.
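--- a/[PATH-NOT-SHOWN-ON-PAGE]
+++ b/[PATH-NOT-SHOWN-ON-PAGE]
@@ -1113,3 +1113,26 @@ func (r *userRepository) DisableTotp(ctx context.Context, userID int64) error {
 }
 return nil
 }
+
+// CountByRegistrationIP 统计指定 IP 注册的用户数量
+func (r *userRepository) CountByRegistrationIP(ctx context.Context, ip string) (int, error) {
+if strings.TrimSpace(ip) == "" {
+return 0, nil
+}
+rows, err := r.sql.QueryContext(ctx,
+`SELECT COUNT(*) FROM users WHERE register_ip_address = $1 AND deleted_at IS NULL`,
+ip,
+)
+if err != nil {
+return 0, err
+}
+defer rows.Close()
+
+var count int
+if rows.Next() {
+if err := rows.Scan(&count); err != nil {
+return 0, err
+}
+}
+return count, nil
+}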
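Review bot: A `rows.Next()` that returns false because of a driver or context error is indistinguishable here from an empty result, so a failing query returns `0, nil` and the caller sees an IP with no registrations — the abuse check fails open exactly when the database is unhealthy. Add `if err := rows.Err(); err != nil { return 0, err }` after the `if rows.Next() { ... }` block, or replace the QueryContext/Next/Scan sequence with `err := r.sql.QueryRowContext(ctx, query, ip).Scan(&count)`, since `COUNT(*)` always yields exactly one row and `QueryRow` surfaces the error directly. The emptiness guard trims `ip` but the query binds the untrimmed value, so a value with surrounding whitespace is looked up verbatim; binding the trimmed string would make the two consistent. The doc comment would also be clearer in English and starting with the name, e.g. `// CountByRegistrationIP returns the number of non-deleted users whose register_ip_address equals ip; an empty or whitespace-only ip yields 0 without querying.`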