diff --git a/application/api/controller/Ems.php b/application/api/controller/Ems.php
index 6b76949c..194c4a0d 100644
--- a/application/api/controller/Ems.php
+++ b/application/api/controller/Ems.php
@@ -30,6 +30,7 @@ class Ems extends Api
     public function send()
     {
         $email = $this->request->post("email");
+        $captcha = $this->request->post("captcha");
         $event = $this->request->post("event");
         $event = $event ? $event : 'register';
 
diff --git a/application/api/controller/Sms.php b/application/api/controller/Sms.php
index a5010cb4..10a5421b 100644
--- a/application/api/controller/Sms.php
+++ b/application/api/controller/Sms.php
@@ -15,18 +15,39 @@ class Sms extends Api
     protected $noNeedLogin = '*';
     protected $noNeedRight = '*';
 
+    public function _initialize()
+    {
+        parent::_initialize();
+        if (!$this->request->isPost()) {
+            $this->error(__('请求错误'));
+        }
+    }
+
     /**
      * 发送验证码
      *
      * @ApiMethod (POST)
      * @ApiParams (name="mobile", type="string", required=true, description="手机号")
      * @ApiParams (name="event", type="string", required=true, description="事件名称")
+     * @ApiParams (name="type", type="string", required=false, description="验证类型,auto为自动验证,system为系统验证码")
+     * @ApiParams (name="source_id", type="string", required=false, description="来源ID")
      */
     public function send()
     {
         $mobile = $this->request->post("mobile");
+        $captcha = $this->request->post("captcha");
         $event = $this->request->post("event");
-        $event = $event ? $event : 'register';
+        $event = $event ?: 'register';
+        $type = $this->request->post("type", 'auto');
+        $source_id = $this->request->post("source_id", '');
+
+        //发送前验证码
+        if (config('fastadmin.user_api_captcha')) {
+            $valid = $type === 'auto' ? \think\Validate::is($captcha, 'captcha') : captcha_check($captcha, $source_id);
+            if (!$valid) {
+                $this->error("验证码不正确");
+            }
+        }
 
         if (!$mobile || !\think\Validate::regex($mobile, "^1\d{10}$")) {
             $this->error(__('手机号不正确'));
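Review bot: `$captcha` is read on the added line but nothing in this hunk consumes it, and since this is the only hunk for Ems.php in the diff, the e-mail sender receives none of the pre-send captcha gate that the Sms::send() hunk below introduces — with `fastadmin.user_api_captcha` switched on, e-mail codes can still be requested without a captcha while SMS codes cannot. The rest of `send()` continues outside the hunk, so I cannot see whether a rate limit still applies, but the two channels should enforce the same policy; mirror the Sms gate here as sketched below and list `captcha`, `type` and `source_id` in the method's `@ApiParams`. If the unused read is intentional groundwork, a `// TODO: captcha gate, see Sms::send()` comment would at least stop it from being removed as dead code.
```php
        $captcha = $this->request->post("captcha");
        // … unchanged: $event parsing …
        $type = $this->request->post("type", 'auto');
        $source_id = $this->request->post("source_id", '');

        // Same pre-send gate as Sms::send(): no code is e-mailed until the captcha passes
        if (config('fastadmin.user_api_captcha')) {
            $valid = $type === 'auto' ? \think\Validate::is($captcha, 'captcha') : captcha_check($captcha, $source_id);
            if (!$valid) {
                $this->error(__('验证码不正确'));
            }
        }
        // … unchanged: rest of send() …
```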
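Review bot: The pre-send gate lets the client choose `$type`, and any value other than `'auto'` silently takes the `captcha_check($captcha, $source_id)` branch while `'auto'` depends on a validation rule named `captcha` having been registered with `\think\Validate`; as far as I recall, ThinkPHP 5's `Validate::is()` treats an unknown rule name as a regex, so if no extension registers that rule a posted `captcha=captcha` would satisfy the check. I would reject unexpected types up front, `if (!in_array($type, ['auto', 'system'], true)) { $this->error(__('请求错误')); }`, and state the rule's provider in a comment so the dependency is explicit. The docblock gains `type` and `source_id` but not `captcha`, which is now effectively required whenever `fastadmin.user_api_captcha` is on; add `* @ApiParams (name="captcha", type="string", required=false, description="验证码，user_api_captcha 开启时必填")`. `"验证码不正确"` is also the only message in the hunk not wrapped in `__()`, and the terse `//发送前验证码` would read better as `// Gate the send behind a captcha when fastadmin.user_api_captcha is enabled`. The rest of `send()` continues outside the hunk.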
@@ -75,7 +96,7 @@ class Sms extends Api
     {
         $mobile = $this->request->post("mobile");
         $event = $this->request->post("event");
-        $event = $event ? $event : 'register';
+        $event = $event ?: 'register';
         $captcha = $this->request->post("captcha");
 
         if (!$mobile || !\think\Validate::regex($mobile, "^1\d{10}$")) {
diff --git a/application/api/controller/Token.php b/application/api/controller/Token.php
index 75b280a1..2fac857c 100644
--- a/application/api/controller/Token.php
+++ b/application/api/controller/Token.php
@@ -13,6 +13,14 @@ class Token extends Api
     protected $noNeedLogin = [];
     protected $noNeedRight = '*';
 
+    public function _initialize()
+    {
+        parent::_initialize();
+        if (!$this->request->isPost()) {
+            $this->error(__('请求错误'));
+        }
+    }
+
     /**
      * 检测Token是否过期
      *
diff --git a/application/api/controller/User.php b/application/api/controller/User.php
index d2690167..b74b9c5c 100644
--- a/application/api/controller/User.php
+++ b/application/api/controller/User.php
@@ -25,6 +25,10 @@ class User extends Api
             $this->error(__('User center already closed'));
         }
 
+        if (!$this->request->isPost() && $this->request->action() !== 'index') {
+            $this->error(__('请求错误'));
+        }
+
     }
 
     /**
@@ -68,7 +72,7 @@ class User extends Api
     public function mobilelogin()
     {
         $mobile = $this->request->post('mobile');
-        $captcha = $this->request->post('captcha');
+        $captcha = $this->request->post('smscode', $this->request->post('captcha'));
         if (!$mobile || !$captcha) {
             $this->error(__('Invalid parameters'));
         }
@@ -87,6 +91,7 @@ class User extends Api
             $ret = $this->auth->direct($user->id);
         } else {
             $ret = $this->auth->register($mobile, Random::alnum(), '', $mobile, []);
+            $this->auth->getUser()->save(['verification' => ['email' => 0, 'mobile' => 1]]);
         }
         if ($ret) {
             Sms::flush($mobile, 'mobilelogin');
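Review bot: The POST-only guard in `_initialize()` is copy-pasted verbatim into Sms, Token and Validate in this diff and inlined once more in User; I would hoist it into the `Api` base `_initialize()` behind a per-controller flag such as `protected $postOnly = true;` so the next API controller cannot forget it. Note also that, as far as I recall, ThinkPHP 5's `Request::isPost()` compares the overridable method (`_method` form field / `X-HTTP-METHOD-OVERRIDE` header), so a GET carrying that header still passes; if the intent is to refuse anything but a real POST, compare `$this->request->method(true) === 'POST'` instead. Because `$noNeedLogin = []` here, `parent::_initialize()` runs the login check first, so an unauthenticated GET sees the login error rather than `请求错误`; a one-line comment `// login is enforced by the parent; only then insist on POST` would make that ordering deliberate.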
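Review bot: The `index` exemption compares `$this->request->action()` with `!==`, and whether that value is normalised to lower case depends on the framework's URL-conversion setting, so a GET to `/api/user/Index` may be rejected with `请求错误` while `/api/user/index` is accepted; `strtolower($this->request->action()) !== 'index'` removes the ambiguity. The exemption is also undocumented — a comment such as `// index is read-only; every other action mutates state and must be POSTed` explains why exactly one action is allowed through. The enclosing `_initialize()` begins outside the hunk.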
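Review bot: Accepting `smscode` with `captcha` as a fallback keeps old clients working, but the method's docblock (above the hunk) presumably still lists only `captcha`; add `* @ApiParams (name="smscode", type="string", required=true, description="短信验证码")` and mark `captcha` as the deprecated alias so consumers know which one wins when both are sent (`smscode` does, as written). `mobilelogin()` continues past the hunk.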
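Review bot: The new `save()` call runs unconditionally in the else branch even though `$ret` is only tested on the very next line; if `register()` fails and returns a falsy `$ret`, `$this->auth->getUser()` may well be null and the chained `save()` becomes a fatal error instead of reaching the `if ($ret)` failure path. Move the line under `if ($ret) {` — the `register()` hunk later in this same diff places it there — or guard it as `if ($ret) { $this->auth->getUser()->save(['verification' => ['email' => 0, 'mobile' => 1]]); }`. A short comment such as `// the SMS code just proved ownership of $mobile, so mark it verified` would also make the `mobile => 1` choice self-explanatory; `mobilelogin()` continues outside the hunk.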
@@ -109,6 +114,10 @@ class User extends Api
      */
     public function register()
     {
+        if (!config('fastadmin.user_register')) {
+            $this->error(__('User register already closed'));
+        }
+
         $username = $this->request->post('username');
         $password = $this->request->post('password');
         $email = $this->request->post('email');
@@ -129,6 +138,7 @@ class User extends Api
         }
         $ret = $this->auth->register($username, $password, $email, $mobile, []);
         if ($ret) {
+            $this->auth->getUser()->save(['verification' => ['email' => 0, 'mobile' => 1]]);
             $data = ['userinfo' => $this->auth->getUserinfo()];
             $this->success(__('Sign up successful'), $data);
         } else {
diff --git a/application/api/controller/Validate.php b/application/api/controller/Validate.php
index 6538f8d8..798473c6 100644
--- a/application/api/controller/Validate.php
+++ b/application/api/controller/Validate.php
@@ -17,6 +17,9 @@ class Validate extends Api
     public function _initialize()
     {
         parent::_initialize();
+        if (!$this->request->isPost()) {
+            $this->error(__('请求错误'));
+        }
     }
 
     /**
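Review bot: The new `fastadmin.user_register` switch is enforced only here, while `mobilelogin()` earlier in this diff still creates an account via `$this->auth->register($mobile, Random::alnum(), '', $mobile, [])` whenever the mobile is unknown, so closing registration in config is bypassable by anyone who can receive an SMS code. Add the same guard in that else branch, `if (!config('fastadmin.user_register')) { $this->error(__('User register already closed')); }`, or move the check into a private helper both paths call. A one-liner `// honour the admin-side registration switch before reading any input` documents why the guard precedes the parameter reads; `register()` continues outside the hunk.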
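Review bot: Writing `'mobile' => 1` here asserts that the phone number was verified, which only holds if the SMS check that precedes this block (outside the hunk — the `}` at the top is presumably its closing brace) rejects every registration lacking a valid code; if an email-only registration path exists, the flag would be wrong for it, so either derive it, `'mobile' => $mobile ? 1 : 0`, or record the precondition in a comment: `// Sms::check above already proved ownership of $mobile`. Placing the save inside `if ($ret)` is the correct shape and is what the `mobilelogin()` hunk should also do; `register()` continues outside the hunk.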