
Add a CAPTCHA after the access authorization code is entered wrongly 3 times #5429

Closed
wkmyws opened this issue Jul 15, 2022 · 2 comments
wkmyws commented Jul 15, 2022

In what scenarios do you need this feature?

When the notebook is deployed on the public internet, it is still possible to keep trying after entering the wrong authorization code several times, so there is a risk of the authorization code being brute-forced with a dictionary.

Describe the optimal solution

After the authorization code has been entered wrongly several times, enable a CAPTCHA for bot detection.

Describe the candidate solution

No response

Other information

No response

@88250 88250 self-assigned this Jul 16, 2022
@88250 88250 changed the title from "Authorization code security issue when deployed on the public internet" to "Add a CAPTCHA after the access authorization code is entered wrongly 3 times" Jul 16, 2022
@88250 88250 added this to the 2.1.0 milestone Jul 16, 2022
Vanessa219 added 4 commits that referenced this issue Jul 16, 2022
@88250 88250 closed this as completed Jul 16, 2022
wkmyws (author) commented Jul 18, 2022

Many thanks for the newly added CAPTCHA feature; after entering the wrong password three times in a row, the CAPTCHA option does indeed appear.
But I found that the condition that triggers the CAPTCHA is stored in a cookie:
once I manually delete the local cookie (name="siyuan"), I no longer have to enter a CAPTCHA,
so the CAPTCHA loses its purpose...
I think the logic that triggers the CAPTCHA should probably live on the server side: the server records a login attempt count, and once the number of failed logins exceeds three, it forces every client's login to require a CAPTCHA until a login succeeds.

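A server-side version of the counter proposed in the comment above, written as an added example in Go (the language of the SiYuan kernel); it is not SiYuan's own code. The `CaptchaGate` type, the `maxFailures` constant and the `captchaSolved` flag are assumptions, and verifying the CAPTCHA response itself is assumed to happen elsewhere. The small cookie-based helper beside it shows why a counter the client holds can be reset simply by not sending the cookie.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"strconv"
	"sync"
)

// maxFailures is the number of consecutive wrong codes tolerated before a
// CAPTCHA is demanded (the thread settles on 3).
const maxFailures = 3

// --- Weak variant: trigger state kept in a client-side cookie -----------
// The failure count lives in a cookie the client controls, so deleting the
// cookie (or simply using a fresh client) resets it to zero. Only the cookie
// value is passed in here so the example runs offline.
func captchaRequiredByCookie(cookieValue string) bool {
	n, err := strconv.Atoi(cookieValue) // missing or garbage cookie -> 0 failures
	if err != nil {
		return false
	}
	return n >= maxFailures
}

// --- Hardened variant: trigger state kept on the server -----------------
// CaptchaGate tracks consecutive failed access-code attempts in server
// memory. The notebook has a single shared access code, so one global
// counter is enough: once it reaches maxFailures, every client must solve a
// CAPTCHA until some login succeeds, which is exactly what the comment asks for.
type CaptchaGate struct {
	mu         sync.Mutex
	accessCode []byte
	failures   int
}

// NewCaptchaGate creates a gate for the given (hypothetical) access code.
func NewCaptchaGate(accessCode string) *CaptchaGate {
	return &CaptchaGate{accessCode: []byte(accessCode)}
}

// RequiresCaptcha reports whether the next attempt must carry a solved CAPTCHA.
func (g *CaptchaGate) RequiresCaptcha() bool {
	g.mu.Lock()
	defer g.mu.Unlock()
	return g.failures >= maxFailures
}

var (
	ErrCaptchaRequired = errors.New("captcha required")
	ErrWrongCode       = errors.New("wrong access code")
)

// Login validates one attempt. captchaSolved is the outcome of verifying the
// CAPTCHA response, assumed to be done by the caller. While the gate is
// armed, even the correct code is rejected unless a CAPTCHA was solved, so
// clearing client-side state gains an attacker nothing.
func (g *CaptchaGate) Login(code string, captchaSolved bool) error {
	g.mu.Lock()
	defer g.mu.Unlock()
	if g.failures >= maxFailures && !captchaSolved {
		return ErrCaptchaRequired
	}
	// Constant-time comparison so response timing does not leak how many
	// leading bytes of a guess were correct.
	if subtle.ConstantTimeCompare([]byte(code), g.accessCode) != 1 {
		g.failures++
		return ErrWrongCode
	}
	g.failures = 0 // a successful login clears the requirement
	return nil
}

func main() {
	g := NewCaptchaGate("s3cret") // constructed sample access code
	for _, guess := range []string{"1234", "admin", "letmein"} {
		fmt.Println(guess, "->", g.Login(guess, false))
	}
	fmt.Println("captcha required:", g.RequiresCaptcha())
	fmt.Println("right code, no captcha ->", g.Login("s3cret", false))
	fmt.Println("right code, captcha solved ->", g.Login("s3cret", true))
	fmt.Println("deleted cookie still requires captcha:", captchaRequiredByCookie(""))
}
```

The counter here is process-local; a deployment with several kernel instances behind one address would need to keep it in shared storage, and a per-source-IP counter would additionally slow down distributed guessing without locking out the legitimate user.
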
88250 (member) commented Jul 18, 2022

@wkmyws Thanks for pointing out the problem; it will be improved in the next version, #5452
