wzj/Mrdoc
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

忘记密码页面新增请求频率限制,防止暴力破解

Browse Source
This commit is contained in:
zmister 2021-10-27 17:01:33 +08:00
parent bcd7d38b1c
commit ea78e8abdd
1 changed files with 28 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
app_admin/views.py
View File

@ -196,6 +196,25 @@ def forget_pwd(request):
new_pwd_confirm = request.POST.get('confirm_password') new_pwd_confirm = request.POST.get('confirm_password')
# 查询验证码和邮箱是否匹配 # 查询验证码和邮箱是否匹配
try: try:
# 验证重试次数
if 'ForgetPwdEmailCodeVerifyLock' not in request.session.keys():
request.session['ForgetPwdEmailCodeVerifyNum'] = 1 # 重试次数
request.session['ForgetPwdEmailCodeVerifyLock'] = False # 是否锁定
request.session['ForgetPwdEmailCodeVerifyTime'] = datetime.datetime.now().timestamp() # 解除锁定时间
verify_num = request.session['ForgetPwdEmailCodeVerifyNum']
if verify_num > 5:
request.session['ForgetPwdEmailCodeVerifyLock'] = True
request.session['ForgetPwdEmailCodeVerifyTime'] = (datetime.datetime.now() + datetime.timedelta(minutes=10)).timestamp()
verify_lock = request.session['ForgetPwdEmailCodeVerifyLock']
verify_time = request.session['ForgetPwdEmailCodeVerifyTime']
# 验证是否锁定
# print(datetime.datetime.now().timestamp(),verify_time)
if verify_lock is True and datetime.datetime.now().timestamp() < verify_time:
errormsg = _("操作过于频繁请10分钟后再试")
request.session['ForgetPwdEmailCodeVerifyNum'] = 0 # 重试次数清零
return render(request, 'forget_pwd.html', locals())
# 比对验证码
data = EmaiVerificationCode.objects.get(email_name=email,verification_code=vcode,verification_type='忘记密码') data = EmaiVerificationCode.objects.get(email_name=email,verification_code=vcode,verification_type='忘记密码')
expire_time = data.expire_time expire_time = data.expire_time
if expire_time > datetime.datetime.now(): if expire_time > datetime.datetime.now():
@ -203,17 +222,22 @@ def forget_pwd(request):
user.set_password(new_pwd) user.set_password(new_pwd)
user.save() user.save()
errormsg = _("修改密码成功,请返回登录!") errormsg = _("修改密码成功,请返回登录!")
request.session['ForgetPwdEmailCodeVerifyNum'] = 0 # 重试次数
request.session['ForgetPwdEmailCodeVerifyLock'] = False # 是否锁定
request.session['ForgetPwdEmailCodeVerifyTime'] = datetime.datetime.now().timestamp() # 解除锁定时间
return render(request, 'forget_pwd.html', locals()) return render(request, 'forget_pwd.html', locals())
else: else:
errormsg = _("验证码已过期") errormsg = _("验证码已过期")
return render(request, 'forget_pwd.html', locals()) return render(request, 'forget_pwd.html', locals())
except ObjectDoesNotExist: except ObjectDoesNotExist:
logger.error(_("邮箱不存在:{}".format(email))) logger.error(_("验证码或邮箱不存在:{}".format(email)))
errormsg = _("验证码或邮箱错误") errormsg = _("验证码或邮箱错误!")
request.session['ForgetPwdEmailCodeVerifyNum'] += 1
return render(request, 'forget_pwd.html', locals()) return render(request, 'forget_pwd.html', locals())
except Exception as e: except Exception as e:
logger.exception("修改密码异常") logger.exception("修改密码异常")
errormsg = _("验证码或邮箱错误") errormsg = _("验证码或邮箱错误!")
request.session['ForgetPwdEmailCodeVerifyNum'] += 1
return render(request,'forget_pwd.html',locals()) return render(request,'forget_pwd.html',locals())