feat: [auth] improve powerjob self login security

tjq 2023-04-16 16:53:50 +08:00
parent 9bf9746397
commit a1edf3dbd5
3 changed files with 14 additions and 6 deletions


@ -33,4 +33,9 @@ public class DigestUtils {
}
return result.toString();
}
public static String rePassword(String password, String salt) {
String f1 = String.format("%s_%s_z", salt, password);
return String.format("%s_%s_b", salt, md5(f1));
}
}
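Review bot: `rePassword` derives the stored credential from a single MD5 pass over `salt_password_z`, and both call sites in this commit pass the username as the salt, so the value is cheap to brute-force offline and the salt is predictable per account. A deliberately slow key-derivation function should replace `md5(f1)`; the JDK's `PBKDF2WithHmacSHA256` needs no new dependency, and a random per-user salt stored next to the hash would be stronger than the username. Because the output format changes, existing rows need a migration path, for example verifying against the old format once and re-hashing on a successful login. The method also has no Javadoc stating that its result is what gets persisted and compared at login. The class body starts outside the hunk.

```java
public static String rePassword(String password, String salt) {
    // Slow KDF instead of one MD5 pass; the iteration count is a tunable work factor.
    // PBEKeySpec rejects a null or empty salt, so callers must pass a non-empty value.
    PBEKeySpec spec = new PBEKeySpec(
            password.toCharArray(), salt.getBytes(StandardCharsets.UTF_8), 600_000, 256);
    try {
        byte[] derived = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
        return Base64.getEncoder().encodeToString(derived);
    } catch (GeneralSecurityException e) {
        throw new IllegalStateException("PBKDF2WithHmacSHA256 is not available", e);
    } finally {
        spec.clearPassword();
    }
}
```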


@ -68,7 +68,7 @@ public class PowerJobSelfLoginService implements BizLoginService {
final UserInfoDO dbUser = userInfoOpt.get();
if (s(username, password).equals(dbUser.getPassword())) {
if (DigestUtils.rePassword(password, username).equals(dbUser.getPassword())) {
BizUser bizUser = new BizUser();
bizUser.setUsername(username);
return bizUser;
@ -77,9 +77,4 @@ public class PowerJobSelfLoginService implements BizLoginService {
Loggers.WEB.debug("[DefaultBizLoginService] user[{}]'s password is incorrect, login failed!", username);
throw new PowerJobException("password is incorrect");
}
private static String s(String username, String password) {
String f1 = String.format("%s_%s_z", username, password);
return String.format("%s_%s_b", username, DigestUtils.md5(f1));
}
}
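Review bot: The new condition compares the computed hash with the stored one using `String.equals`, which returns at the first differing character and so is not a constant-time comparison. `MessageDigest.isEqual` on the UTF-8 bytes of both values avoids that, with a null check on the stored value first because `equals` currently tolerates a null: `if (stored != null && MessageDigest.isEqual(computed.getBytes(StandardCharsets.UTF_8), stored.getBytes(StandardCharsets.UTF_8))) {`. The failure path also throws the specific message "password is incorrect"; if the user-not-found branch above this hunk reports something different, the two responses let a caller tell valid usernames apart, and one generic message would remove that. The method begins before the hunk, so the earlier branches are not visible here.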


@ -1,5 +1,6 @@
package tech.powerjob.server.core.service;
import tech.powerjob.common.utils.DigestUtils;
import tech.powerjob.server.persistence.remote.model.UserInfoDO;
import tech.powerjob.server.persistence.remote.repository.UserInfoRepository;
import com.google.common.base.Splitter;
@ -32,6 +33,13 @@ public class UserService {
public void save(UserInfoDO userInfoDO) {
userInfoDO.setGmtCreate(new Date());
userInfoDO.setGmtModified(userInfoDO.getGmtCreate());
// 二次加密密码
final String password = userInfoDO.getPassword();
if (StringUtils.isNotEmpty(password)) {
userInfoDO.setPassword(DigestUtils.rePassword(password, userInfoDO.getUsername()));
}
userInfoRepository.saveAndFlush(userInfoDO);
}
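Review bot: `save` now hashes whatever `getPassword()` returns on every call, so passing it an entity that was loaded from the repository (whose password is already the `rePassword` output) would hash the hash and that user could no longer log in. The callers are not visible in this hunk, so this may not happen today, but nothing in the method prevents it. Hashing in a dedicated create or change-password path, or at least documenting the contract, would make this safe, e.g. replace the inline comment with `// password must be the caller-supplied plaintext; never re-save an entity read from the repository through this method`. The existing comment is also not in English and describes the step as encryption, while `rePassword` is a one-way hash.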