feat(auth): 密码重置邮件队列化与限流优化

- 邮件发送改为异步队列处理，避免并发导致发送失败 - 新增 Email 维度限流（30秒冷却期），防止邮件轰炸 - Token 验证使用常量时间比较，防止时序攻击 - 重构代码消除冗余，提取公共验证逻辑
2026-01-24 22:33:45 +08:00
parent 43a1031e38
commit 9cc8352593
25 changed files with 1497 additions and 114 deletions
--- a/frontend/src/views/admin/SettingsView.vue
+++ b/frontend/src/views/admin/SettingsView.vue
@@ -338,6 +338,22 @@
              </div>
              <Toggle v-model="form.promo_code_enabled" />
            </div>
+
+            <!-- Password Reset - Only show when email verification is enabled -->
+            <div
+              v-if="form.email_verify_enabled"
+              class="flex items-center justify-between border-t border-gray-100 pt-4 dark:border-dark-700"
+            >
+              <div>
+                <label class="font-medium text-gray-900 dark:text-white">{{
+                  t('admin.settings.registration.passwordReset')
+                }}</label>
+                <p class="text-sm text-gray-500 dark:text-gray-400">
+                  {{ t('admin.settings.registration.passwordResetHint') }}
+                </p>
+              </div>
+              <Toggle v-model="form.password_reset_enabled" />
+            </div>
          </div>
        </div>

@@ -1029,6 +1045,7 @@ const form = reactive<SettingsForm>({
  registration_enabled: true,
  email_verify_enabled: false,
  promo_code_enabled: true,
+  password_reset_enabled: false,
  default_balance: 0,
  default_concurrency: 1,
  site_name: 'Sub2API',
@@ -1152,6 +1169,7 @@ async function saveSettings() {
      registration_enabled: form.registration_enabled,
      email_verify_enabled: form.email_verify_enabled,
      promo_code_enabled: form.promo_code_enabled,
+      password_reset_enabled: form.password_reset_enabled,
      default_balance: form.default_balance,
      default_concurrency: form.default_concurrency,
      site_name: form.site_name,