fix: update password validation and improve login error messages (#1523)

* fix: update password validation and improve login error messages * refactor: change variable declarations to constants for better clarity
2025-10-20 15:33:46 +08:00 · 2025-08-07 21:04:12 +08:00
parent 6836982e3b
commit ed5278a0f8
4 changed files with 13 additions and 15 deletions
--- a/config/config.go
+++ b/config/config.go
@ -207,7 +207,7 @@ func (conf *Config) ResetPassword(newPassword string) {
 func (conf *Config) CheckPassword(newPassword string) (hashedPwd string, err error) {
 	var minEntropyBits float64 = 30
 	if conf.NotAllowWanAccess {
-		minEntropyBits = 20
+		minEntropyBits = 25
 	}
 	err = passwordvalidator.Validate(newPassword, minEntropyBits)
 	if err != nil {
--- a/go.mod
+++ b/go.mod
@ -1,6 +1,6 @@
 module github.com/jeessy2/ddns-go/v6
-go 1.23.6
+go 1.23.12
 require (
 	github.com/kardianos/service v1.2.4
--- a/util/messages.go
+++ b/util/messages.go
@ -110,7 +110,7 @@ func init() {
 	message.SetString(language.English, "%q 帐号密码不正确", "%q username or password is incorrect")
 	message.SetString(language.English, "%q 登录成功", "%q login successfully")
 	message.SetString(language.English, "用户名或密码错误", "Username or password is incorrect")
-	message.SetString(language.English, "登录失败次数过多，请等待 %d 分钟后再试", "Too many login failures, please try again after %d minutes")
+	message.SetString(language.English, "登录失败次数过多，请稍后再试", "Too many login failures, please try again later")
 	message.SetString(language.English, "用户名 %s 的密码已重置成功! 请重启ddns-go", "The password of username %s has been reset successfully! Please restart ddns-go")
 	message.SetString(language.English, "需在 %s 之前完成用户名密码设置,请重启ddns-go", "Need to complete the username and password setting before %s, please restart ddns-go")
 	message.SetString(language.English, "配置文件 %s 不存在, 可通过-c指定配置文件", "Config file %s does not exist, you can specify the configuration file through -c")
--- a/web/login.go
+++ b/web/login.go
@ -17,7 +17,7 @@ import (
 var loginEmbedFile embed.FS
 // CookieName cookie name
-var cookieName = "token"
+const cookieName = "token"
 // CookieInSystem only one cookie
 var cookieInSystem = &http.Cookie{}
@ -26,7 +26,10 @@ var cookieInSystem = &http.Cookie{}
 var startTime = time.Now()
 // 保存限制时间
-var saveLimit = time.Duration(30 * time.Minute)
+const saveLimit = time.Duration(30) * time.Minute
 // 登录失败锁定时间
 const loginFailLockDuration = time.Duration(30) * time.Minute
 // 登录检测
 type loginDetect struct {
@ -64,8 +67,8 @@ func LoginFunc(w http.ResponseWriter, r *http.Request) {
 	util.InitLogLang(accept)
 	if ld.failedTimes >= 5 {
-		lockMinute := loginUnlock()
+		loginUnlock()
-		returnError(w, util.LogStr("登录失败次数过多，请等待 %d 分钟后再试", lockMinute))
+		returnError(w, util.LogStr("登录失败次数过多，请稍后再试"))
 		return
 	}
@ -147,14 +150,10 @@ func LoginFunc(w http.ResponseWriter, r *http.Request) {
 	returnError(w, util.LogStr("用户名或密码错误"))
 }
-// loginUnlock login unlock, return minute
+// loginUnlock login unlock, reset failed login attempts
-func loginUnlock() (minute uint32) {
+func loginUnlock() {
 	ld.failedTimes = ld.failedTimes + 1
-	x := ld.failedTimes
+	ld.ticker.Reset(loginFailLockDuration)
 	if x > 1440 {
 		x = 1440 // 最多等待一天
 	}
 	ld.ticker.Reset(time.Duration(x) * time.Minute)
 	go func(ticker *time.Ticker) {
 		for range ticker.C {
@ -163,5 +162,4 @@ func loginUnlock() (minute uint32) {
 		}
 	}(ld.ticker)
 	return x
 }