忘记密码页面新增请求频率限制，防止暴力破解

2021-10-27 17:01:33 +08:00 · 2021-10-27 17:01:33 +08:00 · ea78e8abdd
commit ea78e8abdd
parent bcd7d38b1c
1 changed files with 28 additions and 4 deletions
--- a/app_admin/views.py
+++ b/app_admin/views.py
@ -196,6 +196,25 @@ def forget_pwd(request):
        new_pwd_confirm = request.POST.get('confirm_password')
        # 查询验证码和邮箱是否匹配
        try:
+            # 验证重试次数
+            if 'ForgetPwdEmailCodeVerifyLock' not in request.session.keys():
+                request.session['ForgetPwdEmailCodeVerifyNum'] = 1 # 重试次数
+                request.session['ForgetPwdEmailCodeVerifyLock'] = False # 是否锁定
+                request.session['ForgetPwdEmailCodeVerifyTime'] = datetime.datetime.now().timestamp() # 解除锁定时间
+            verify_num = request.session['ForgetPwdEmailCodeVerifyNum']
+            if verify_num > 5:
+                request.session['ForgetPwdEmailCodeVerifyLock'] = True
+                request.session['ForgetPwdEmailCodeVerifyTime'] = (datetime.datetime.now() + datetime.timedelta(minutes=10)).timestamp()
+            verify_lock = request.session['ForgetPwdEmailCodeVerifyLock']
+            verify_time = request.session['ForgetPwdEmailCodeVerifyTime']
+
+            # 验证是否锁定
+            # print(datetime.datetime.now().timestamp(),verify_time)
+            if verify_lock is True and datetime.datetime.now().timestamp() < verify_time:
+                errormsg = _("操作过于频繁，请10分钟后再试！")
+                request.session['ForgetPwdEmailCodeVerifyNum'] = 0  # 重试次数清零
+                return render(request, 'forget_pwd.html', locals())
+            # 比对验证码
            data = EmaiVerificationCode.objects.get(email_name=email,verification_code=vcode,verification_type='忘记密码')
            expire_time = data.expire_time
            if expire_time > datetime.datetime.now():
@ -203,17 +222,22 @@ def forget_pwd(request):
                user.set_password(new_pwd)
                user.save()
                errormsg = _("修改密码成功，请返回登录！")
+                request.session['ForgetPwdEmailCodeVerifyNum'] = 0 # 重试次数
+                request.session['ForgetPwdEmailCodeVerifyLock'] = False # 是否锁定
+                request.session['ForgetPwdEmailCodeVerifyTime'] = datetime.datetime.now().timestamp() # 解除锁定时间
                return render(request, 'forget_pwd.html', locals())
            else:
-                errormsg = _("验证码已过期")
+                errormsg = _("验证码已过期！")
                return render(request, 'forget_pwd.html', locals())
        except ObjectDoesNotExist:
-            logger.error(_("邮箱不存在：{}".format(email)))
-            errormsg = _("验证码或邮箱错误")
+            logger.error(_("验证码或邮箱不存在：{}".format(email)))
+            errormsg = _("验证码或邮箱错误！")
+            request.session['ForgetPwdEmailCodeVerifyNum'] += 1
            return render(request, 'forget_pwd.html', locals())
        except Exception as e:
            logger.exception("修改密码异常")
-            errormsg = _("验证码或邮箱错误")
+            errormsg = _("验证码或邮箱错误！")
+            request.session['ForgetPwdEmailCodeVerifyNum'] += 1
            return render(request,'forget_pwd.html',locals())