add signature check for visiting "reset" page

2020-03-30 10:01:37 +08:00 · 2020-03-30 10:01:37 +08:00 · b7ac9bbfa1
commit b7ac9bbfa1
parent 9e87f42dd9
2 changed files with 16 additions and 4 deletions
--- a/app/Http/Controllers/AuthController.php
+++ b/app/Http/Controllers/AuthController.php
@ -279,8 +279,10 @@ class AuthController extends Controller
        return json(trans('auth.forgot.success'), 0);
    }

-    public function reset($uid)
+    public function reset(Request $request, $uid)
    {
+        abort_unless($request->hasValidSignature(false), 403, trans('auth.reset.invalid'));
+
        return view('auth.reset')->with('user', User::find($uid));
    }

--- a/tests/HttpTest/ControllersTest/AuthControllerTest.php
+++ b/tests/HttpTest/ControllersTest/AuthControllerTest.php
@ -602,10 +602,20 @@ class AuthControllerTest extends TestCase
    public function testReset()
    {
        $user = factory(User::class)->create();
+        $url = URL::temporarySignedRoute(
+            'auth.reset',
+            now()->addHour(),
+            ['uid' => $user->uid],
+            false
+        );
+        $this->get($url)->assertSuccessful();

-        $this->get(
-            URL::temporarySignedRoute('auth.reset', now()->addHour(), ['uid' => $user->uid])
-        )->assertSuccessful();
+        $url = URL::temporarySignedRoute(
+            'auth.reset',
+            now()->addHour(),
+            ['uid' => $user->uid]
+        );
+        $this->get($url)->assertForbidden();
    }

    public function testHandleReset()