忘记密码页面新增请求频率限制，防止暴力破解

zmister2016 · Oct 27, 2021 · ea78e8a · ea78e8a
1 parent bcd7d38
commit ea78e8a
Showing 1 changed file with 28 additions and 4 deletions.
diff --git a/app_admin/views.py b/app_admin/views.py
@@ -196,24 +196,48 @@ def forget_pwd(request):
         new_pwd_confirm = request.POST.get('confirm_password')
         # 查询验证码和邮箱是否匹配
         try:
+            # 验证重试次数
+            if 'ForgetPwdEmailCodeVerifyLock' not in request.session.keys():
+                request.session['ForgetPwdEmailCodeVerifyNum'] = 1 # 重试次数
+                request.session['ForgetPwdEmailCodeVerifyLock'] = False # 是否锁定
+                request.session['ForgetPwdEmailCodeVerifyTime'] = datetime.datetime.now().timestamp() # 解除锁定时间
+            verify_num = request.session['ForgetPwdEmailCodeVerifyNum']
+            if verify_num > 5:
+                request.session['ForgetPwdEmailCodeVerifyLock'] = True
+                request.session['ForgetPwdEmailCodeVerifyTime'] = (datetime.datetime.now() + datetime.timedelta(minutes=10)).timestamp()
+            verify_lock = request.session['ForgetPwdEmailCodeVerifyLock']
+            verify_time = request.session['ForgetPwdEmailCodeVerifyTime']
+
+            # 验证是否锁定
+            # print(datetime.datetime.now().timestamp(),verify_time)
+            if verify_lock is True and datetime.datetime.now().timestamp() < verify_time:
+                errormsg = _("操作过于频繁，请10分钟后再试！")
+                request.session['ForgetPwdEmailCodeVerifyNum'] = 0  # 重试次数清零
+                return render(request, 'forget_pwd.html', locals())
+            # 比对验证码
             data = EmaiVerificationCode.objects.get(email_name=email,verification_code=vcode,verification_type='忘记密码')
             expire_time = data.expire_time
             if expire_time > datetime.datetime.now():
                 user = User.objects.get(email=email)
                 user.set_password(new_pwd)
                 user.save()
                 errormsg = _("修改密码成功，请返回登录！")
+                request.session['ForgetPwdEmailCodeVerifyNum'] = 0 # 重试次数
+                request.session['ForgetPwdEmailCodeVerifyLock'] = False # 是否锁定
+                request.session['ForgetPwdEmailCodeVerifyTime'] = datetime.datetime.now().timestamp() # 解除锁定时间
                 return render(request, 'forget_pwd.html', locals())
             else:
-                errormsg = _("验证码已过期")
+                errormsg = _("验证码已过期！")
                 return render(request, 'forget_pwd.html', locals())
         except ObjectDoesNotExist:
-            logger.error(_("邮箱不存在：{}".format(email)))
-            errormsg = _("验证码或邮箱错误")
+            logger.error(_("验证码或邮箱不存在：{}".format(email)))
+            errormsg = _("验证码或邮箱错误！")
+            request.session['ForgetPwdEmailCodeVerifyNum'] += 1
             return render(request, 'forget_pwd.html', locals())
         except Exception as e:
             logger.exception("修改密码异常")
-            errormsg = _("验证码或邮箱错误")
+            errormsg = _("验证码或邮箱错误！")
+            request.session['ForgetPwdEmailCodeVerifyNum'] += 1
             return render(request,'forget_pwd.html',locals())