chore: prepare v0.1.145 release

fix: use Gitea API for version check instead of GitHub
feat: add registration abuse prevention
2026-06-06 04:30:05 +08:00 · 2026-06-06 04:29:48 +08:00 · 2026-06-06 04:07:07 +08:00
7 changed files with 80 additions and 8 deletions
@@ -1 +1 @@
-0.1.140
+0.1.145
@@ -200,13 +200,15 @@ func (h *AuthHandler) SendVerifyCode(c *gin.Context) {
 		return
 	}
 	clientIP := ip.GetClientIP(c)
 	// Turnstile 验证
-	if err := h.authService.VerifyTurnstile(c.Request.Context(), req.TurnstileToken, ip.GetClientIP(c)); err != nil {
+	if err := h.authService.VerifyTurnstile(c.Request.Context(), req.TurnstileToken, clientIP); err != nil {
 		response.ErrorFrom(c, err)
 		return
 	}
-	result, err := h.authService.SendVerifyCodeAsync(c.Request.Context(), req.Email)
+	result, err := h.authService.SendVerifyCodeAsync(c.Request.Context(), req.Email, clientIP)
 	if err != nil {
 		response.ErrorFrom(c, err)
 		return
@@ -76,13 +76,14 @@ func (c *githubReleaseClientError) FetchChecksumFile(ctx context.Context, url st
 }
 func (c *githubReleaseClient) FetchLatestRelease(ctx context.Context, repo string) (*service.GitHubRelease, error) {
-	url := fmt.Sprintf("https://api.github.com/repos/%s/releases/latest", repo)
+	// 使用 Gitea API（兼容 GitHub Release API 格式）
 	url := fmt.Sprintf("http://git.jianshixingqiu.com/api/v1/repos/%s/releases/latest", repo)
 	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
 	if err != nil {
 		return nil, err
 	}
-	req.Header.Set("Accept", "application/vnd.github.v3+json")
+	req.Header.Set("Accept", "application/json")
 	req.Header.Set("User-Agent", "Sub2API-Updater")
 	resp, err := c.httpClient.Do(req)
@@ -92,7 +93,7 @@ func (c *githubReleaseClient) FetchLatestRelease(ctx context.Context, repo strin
 	defer func() { _ = resp.Body.Close() }()
 	if resp.StatusCode != http.StatusOK {
-		return nil, fmt.Errorf("GitHub API returned %d", resp.StatusCode)
+		return nil, fmt.Errorf("Gitea API returned %d", resp.StatusCode)
 	}
 	var release service.GitHubRelease
@@ -1113,3 +1113,26 @@ func (r *userRepository) DisableTotp(ctx context.Context, userID int64) error {
 	}
 	return nil
 }
 // CountByRegistrationIP 统计指定 IP 注册的用户数量
 func (r *userRepository) CountByRegistrationIP(ctx context.Context, ip string) (int, error) {
 	if strings.TrimSpace(ip) == "" {
 		return 0, nil
 	}
 	rows, err := r.sql.QueryContext(ctx,
 		`SELECT COUNT(*) FROM users WHERE register_ip_address = $1 AND deleted_at IS NULL`,
 		ip,
 	)
 	if err != nil {
 		return 0, err
 	}
 	defer rows.Close()
 	var count int
 	if rows.Next() {
 		if err := rows.Scan(&count); err != nil {
 			return 0, err
 		}
 	}
 	return count, nil
 }
@@ -311,8 +311,9 @@ func (s *AuthService) SendVerifyCode(ctx context.Context, email string) error {
 }
 // SendVerifyCodeAsync 异步发送邮箱验证码并返回倒计时
-func (s *AuthService) SendVerifyCodeAsync(ctx context.Context, email string) (*SendVerifyCodeResult, error) {
+// clientIP 用于检查同一 IP 注册账号数量限制
-	logger.LegacyPrintf("service.auth", "[Auth] SendVerifyCodeAsync called for email: %s", email)
+func (s *AuthService) SendVerifyCodeAsync(ctx context.Context, email string, clientIP string) (*SendVerifyCodeResult, error) {
 	logger.LegacyPrintf("service.auth", "[Auth] SendVerifyCodeAsync called for email: %s, ip: %s", email, clientIP)
 	// 检查是否开放注册（默认关闭）
 	if s.settingService == nil || !s.settingService.IsRegistrationEnabled(ctx) {
@@ -338,6 +339,28 @@ func (s *AuthService) SendVerifyCodeAsync(ctx context.Context, email string) (*S
 		return nil, ErrEmailExists
 	}
 	// 检查 Gmail 别名邮箱（含 + 或本地部分含 . 的），静默假装发送成功
 	if isGmailAliasEmail(email) {
 		logger.LegacyPrintf("service.auth", "[Auth] Gmail alias email detected: %s, returning fake success", email)
 		return &SendVerifyCodeResult{
 			Countdown: 60,
 		}, nil
 	}
 	// 检查同一 IP 注册账号数量（>=2 则静默假装发送成功，不实际发送）
 	if clientIP != "" {
 		ipRegCount, err := s.userRepo.CountByRegistrationIP(ctx, clientIP)
 		if err != nil {
 			logger.LegacyPrintf("service.auth", "[Auth] Failed to count users by registration IP: %v", err)
 			// 查询失败不阻塞，继续正常流程
 		} else if ipRegCount >= 2 {
 			logger.LegacyPrintf("service.auth", "[Auth] IP %s already registered %d accounts, returning fake success", clientIP, ipRegCount)
 			return &SendVerifyCodeResult{
 				Countdown: 60,
 			}, nil
 		}
 	}
 	// 检查邮件队列服务是否配置
 	if s.emailQueueService == nil {
 		logger.LegacyPrintf("service.auth", "%s", "[Auth] Email queue service not configured")
@@ -1092,6 +1115,22 @@ func isReservedEmail(email string) bool {
 		strings.HasSuffix(normalized, WeChatConnectSyntheticEmailDomain)
 }
 // isGmailAliasEmail 检测 Gmail 别名邮箱
 // Gmail 支持两种别名方式：
 // 1. 加号别名：user+anything@gmail.com -> user@gmail.com
 // 2. 点号忽略：u.s.e.r@gmail.com -> user@gmail.com
 // 为防止滥用注册，检测到这类邮箱时返回 true
 func isGmailAliasEmail(email string) bool {
 	normalized := strings.ToLower(strings.TrimSpace(email))
 	if !strings.HasSuffix(normalized, "@gmail.com") {
 		return false
 	}
 	// 提取本地部分（@前面的部分）
 	localPart := strings.TrimSuffix(normalized, "@gmail.com")
 	// 检查是否包含 + 或 .
 	return strings.Contains(localPart, "+") || strings.Contains(localPart, ".")
 }
 // GenerateToken 生成JWT access token
 // 使用新的access_token_expire_minutes配置项（如果配置了），否则回退到expire_hour
 func (s *AuthService) GenerateToken(user *User) (string, error) {
@@ -231,6 +231,10 @@ func (r *contentModerationTestUserRepo) DisableTotp(ctx context.Context, userID
 	panic("unexpected DisableTotp call")
 }
 func (r *contentModerationTestUserRepo) CountByRegistrationIP(ctx context.Context, ip string) (int, error) {
 	return 0, nil
 }
 type contentModerationTestAuthCacheInvalidator struct {
 	userIDs []int64
 }
@@ -111,6 +111,9 @@ type UserRepository interface {
 	UpdateTotpSecret(ctx context.Context, userID int64, encryptedSecret *string) error
 	EnableTotp(ctx context.Context, userID int64) error
 	DisableTotp(ctx context.Context, userID int64) error
 	// CountByRegistrationIP 统计指定 IP 注册的用户数量
 	CountByRegistrationIP(ctx context.Context, ip string) (int, error)
 }
 type UserAuthIdentityRecord struct {
Author	SHA1	Message	Date
kone	b10d87e77f	chore: prepare v0.1.145 release Release Image / image (push) Successful in 2m30s Details	2026-06-06 04:30:05 +08:00
kone	4eb9877082	fix: use Gitea API for version check instead of GitHub	2026-06-06 04:29:48 +08:00
kone	88ccd0ecbb	feat: add registration abuse prevention - Silently block verification code for IPs with 2+ registered accounts - Silently block Gmail alias emails (containing + or . in local part) - Add CountByRegistrationIP to UserRepository interface - Pass client IP to SendVerifyCodeAsync for abuse detection Both checks return fake success to prevent enumeration attacks.	2026-06-06 04:07:07 +08:00