From eb4d7ab8eb71ee6f434a65c6f80c54fe1557f4e0 Mon Sep 17 00:00:00 2001
From: tjq <tengjiqi@gmail.com>
Date: Sat, 10 Aug 2024 14:42:09 +0800
Subject: [PATCH] feat: app password use ciphertext

---
 .../tech/powerjob/client/PowerJobClient.java  |  2 +
 .../client/module/AppAuthRequest.java         |  6 ++
 .../impl/AppAuthClusterRequestService.java    |  2 +
 .../client/test/ClientInitializer.java        |  2 +-
 .../powerjob/common/enums/EncryptType.java    | 22 +++++
 .../powerjob/common/enums/ErrorCodes.java     |  1 -
 .../powerjob/server/common/utils/AESUtil.java | 71 ++++++++++++++++
 .../server/common/utils/AESUtilTest.java      | 28 +++++++
 .../server/core/service/AppInfoService.java   | 33 ++++++--
 .../core/service/impl/AppInfoServiceImpl.java | 84 +++++++++++++++----
 .../server/openapi/OpenAPIController.java     |  2 +-
 .../security/OpenApiSecurityServiceImpl.java  | 31 ++-----
 .../web/controller/AppInfoController.java     | 29 ++++---
 .../server/web/request/AppAssertRequest.java  |  2 +
 14 files changed, 250 insertions(+), 65 deletions(-)
 create mode 100644 powerjob-common/src/main/java/tech/powerjob/common/enums/EncryptType.java
 create mode 100644 powerjob-server/powerjob-server-common/src/main/java/tech/powerjob/server/common/utils/AESUtil.java
 create mode 100644 powerjob-server/powerjob-server-common/src/test/java/tech/powerjob/server/common/utils/AESUtilTest.java

diff --git a/powerjob-client/src/main/java/tech/powerjob/client/PowerJobClient.java b/powerjob-client/src/main/java/tech/powerjob/client/PowerJobClient.java
index bd0c77b6..80c18695 100644
--- a/powerjob-client/src/main/java/tech/powerjob/client/PowerJobClient.java
+++ b/powerjob-client/src/main/java/tech/powerjob/client/PowerJobClient.java
@@ -11,6 +11,7 @@ import tech.powerjob.client.service.PowerRequestBody;
 import tech.powerjob.client.service.RequestService;
 import tech.powerjob.client.service.impl.ClusterRequestServiceOkHttp3Impl;
 import tech.powerjob.common.OpenAPIConstant;
+import tech.powerjob.common.enums.EncryptType;
 import tech.powerjob.common.enums.InstanceStatus;
 import tech.powerjob.common.exception.PowerJobException;
 import tech.powerjob.common.request.http.SaveJobInfoRequest;
@@ -53,6 +54,7 @@ public class PowerJobClient implements IPowerJobClient {
         AppAuthRequest appAuthRequest = new AppAuthRequest();
         appAuthRequest.setAppName(appName);
         appAuthRequest.setEncryptedPassword(DigestUtils.md5(config.getPassword()));
+        appAuthRequest.setEncryptType(EncryptType.MD5.getCode());
 
         String assertResponse = requestService.request(OpenAPIConstant.AUTH_APP, PowerRequestBody.newJsonRequestBody(appAuthRequest));
 
diff --git a/powerjob-client/src/main/java/tech/powerjob/client/module/AppAuthRequest.java b/powerjob-client/src/main/java/tech/powerjob/client/module/AppAuthRequest.java
index 66c8a2b6..0e8c84dc 100644
--- a/powerjob-client/src/main/java/tech/powerjob/client/module/AppAuthRequest.java
+++ b/powerjob-client/src/main/java/tech/powerjob/client/module/AppAuthRequest.java
@@ -26,6 +26,12 @@ public class AppAuthRequest implements Serializable {
      * 加密后密码
      */
     private String encryptedPassword;
+
+    /**
+     * 加密类型
+     */
+    private String encryptType;
+
     /**
      * 额外参数，方便开发者传递其他参数
      */
diff --git a/powerjob-client/src/main/java/tech/powerjob/client/service/impl/AppAuthClusterRequestService.java b/powerjob-client/src/main/java/tech/powerjob/client/service/impl/AppAuthClusterRequestService.java
index ef19e499..ee7cff18 100644
--- a/powerjob-client/src/main/java/tech/powerjob/client/service/impl/AppAuthClusterRequestService.java
+++ b/powerjob-client/src/main/java/tech/powerjob/client/service/impl/AppAuthClusterRequestService.java
@@ -10,6 +10,7 @@ import tech.powerjob.client.module.AppAuthResult;
 import tech.powerjob.client.service.HttpResponse;
 import tech.powerjob.client.service.PowerRequestBody;
 import tech.powerjob.common.OpenAPIConstant;
+import tech.powerjob.common.enums.EncryptType;
 import tech.powerjob.common.exception.PowerJobException;
 import tech.powerjob.common.response.ResultDTO;
 import tech.powerjob.common.utils.DigestUtils;
@@ -95,6 +96,7 @@ abstract class AppAuthClusterRequestService extends ClusterRequestService {
         AppAuthRequest appAuthRequest = new AppAuthRequest();
         appAuthRequest.setAppName(config.getAppName());
         appAuthRequest.setEncryptedPassword(DigestUtils.md5(config.getPassword()));
+        appAuthRequest.setEncryptType(EncryptType.MD5.getCode());
         return appAuthRequest;
     }
 }
diff --git a/powerjob-client/src/test/java/tech/powerjob/client/test/ClientInitializer.java b/powerjob-client/src/test/java/tech/powerjob/client/test/ClientInitializer.java
index 8617ac67..d22d8955 100644
--- a/powerjob-client/src/test/java/tech/powerjob/client/test/ClientInitializer.java
+++ b/powerjob-client/src/test/java/tech/powerjob/client/test/ClientInitializer.java
@@ -16,6 +16,6 @@ public class ClientInitializer {
 
     @BeforeAll
     public static void initClient() throws Exception {
-        powerJobClient = new PowerJobClient("127.0.0.1:7700", "powerjob-worker-samples", "powerjob123");
+        powerJobClient = new PowerJobClient("127.0.0.1:7700", "powerjob-worker-samples", "powerjob12345");
     }
 }
diff --git a/powerjob-common/src/main/java/tech/powerjob/common/enums/EncryptType.java b/powerjob-common/src/main/java/tech/powerjob/common/enums/EncryptType.java
new file mode 100644
index 00000000..3ce0eaa8
--- /dev/null
+++ b/powerjob-common/src/main/java/tech/powerjob/common/enums/EncryptType.java
@@ -0,0 +1,22 @@
+package tech.powerjob.common.enums;
+
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+
+/**
+ * 加密类型
+ *
+ * @author tjq
+ * @since 2024/8/10
+ */
+@Getter
+@AllArgsConstructor
+public enum EncryptType {
+
+    NONE("none"),
+
+    MD5("md5")
+    ;
+
+    private final String code;
+}
diff --git a/powerjob-common/src/main/java/tech/powerjob/common/enums/ErrorCodes.java b/powerjob-common/src/main/java/tech/powerjob/common/enums/ErrorCodes.java
index efe05fee..b01035b0 100644
--- a/powerjob-common/src/main/java/tech/powerjob/common/enums/ErrorCodes.java
+++ b/powerjob-common/src/main/java/tech/powerjob/common/enums/ErrorCodes.java
@@ -43,7 +43,6 @@ public enum ErrorCodes {
     /**
      * OPENAPI 错误码号段 -10XX
      */
-    OPEN_API_PASSWORD_ERROR("-1001", "OPEN_API_PASSWORD_ERROR"),
     OPEN_API_AUTH_FAILED("-1002", "OPEN_API_AUTH_FAILED"),
 
     /**
diff --git a/powerjob-server/powerjob-server-common/src/main/java/tech/powerjob/server/common/utils/AESUtil.java b/powerjob-server/powerjob-server-common/src/main/java/tech/powerjob/server/common/utils/AESUtil.java
new file mode 100644
index 00000000..0c3c2153
--- /dev/null
+++ b/powerjob-server/powerjob-server-common/src/main/java/tech/powerjob/server/common/utils/AESUtil.java
@@ -0,0 +1,71 @@
+package tech.powerjob.server.common.utils;
+
+import lombok.SneakyThrows;
+
+import javax.crypto.Cipher;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.SecretKeySpec;
+import java.nio.charset.StandardCharsets;
+import java.security.SecureRandom;
+import java.util.Base64;
+
+public class AESUtil {
+
+    // 加密算法的名称
+    private static final String ALGORITHM = "AES";
+    // 加密/解密模式和填充方式
+    private static final String TRANSFORMATION = "AES/ECB/PKCS5Padding";
+    // 密钥长度（128、192 或 256 位）
+    private static final int KEY_SIZE = 128;
+
+    /**
+     * 生成密钥
+     *
+     * @param key 密钥的种子，可以是任意字符串
+     * @return 生成的密钥
+     * @throws Exception 异常
+     */
+    private static SecretKeySpec generateKey(String key) throws Exception {
+        KeyGenerator keyGen = KeyGenerator.getInstance(ALGORITHM);
+        SecureRandom secureRandom = SecureRandom.getInstance("SHA1PRNG");
+        secureRandom.setSeed(key.getBytes());
+        keyGen.init(KEY_SIZE, secureRandom);
+        SecretKey secretKey = keyGen.generateKey();
+        return new SecretKeySpec(secretKey.getEncoded(), ALGORITHM);
+    }
+
+    /**
+     * 加密
+     *
+     * @param data 要加密的数据
+     * @param key  密钥
+     * @return 加密后的数据（Base64 编码）
+     * @throws Exception 异常
+     */
+    @SneakyThrows
+    public static String encrypt(String data, String key) {
+        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
+        SecretKeySpec secretKey = generateKey(key);
+        cipher.init(Cipher.ENCRYPT_MODE, secretKey);
+        byte[] encryptedData = cipher.doFinal(data.getBytes(StandardCharsets.UTF_8));
+        return Base64.getEncoder().encodeToString(encryptedData);
+    }
+
+    /**
+     * 解密
+     *
+     * @param encryptedData 要解密的数据（Base64 编码）
+     * @param key           密钥
+     * @return 解密后的数据
+     * @throws Exception 异常
+     */
+    @SneakyThrows
+    public static String decrypt(String encryptedData, String key) {
+        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
+        SecretKeySpec secretKey = generateKey(key);
+        cipher.init(Cipher.DECRYPT_MODE, secretKey);
+        byte[] decryptedData = cipher.doFinal(Base64.getDecoder().decode(encryptedData));
+        return new String(decryptedData, StandardCharsets.UTF_8);
+    }
+}
diff --git a/powerjob-server/powerjob-server-common/src/test/java/tech/powerjob/server/common/utils/AESUtilTest.java b/powerjob-server/powerjob-server-common/src/test/java/tech/powerjob/server/common/utils/AESUtilTest.java
new file mode 100644
index 00000000..7632347c
--- /dev/null
+++ b/powerjob-server/powerjob-server-common/src/test/java/tech/powerjob/server/common/utils/AESUtilTest.java
@@ -0,0 +1,28 @@
+package tech.powerjob.server.common.utils;
+
+import org.junit.jupiter.api.Test;
+
+/**
+ * AESUtilTest
+ *
+ * @author tjq
+ * @since 2024/8/10
+ */
+class AESUtilTest {
+
+    @Test
+    void testAes() throws Exception {
+
+        String sk = "cmxzjzty";
+
+        String txt = "kyksjdfh";
+
+        String encrypt = AESUtil.encrypt(txt, sk);
+        System.out.println(encrypt);
+        String decrypt = AESUtil.decrypt(encrypt, sk);
+        System.out.println(decrypt);
+
+        assert txt.equals(decrypt);
+    }
+
+}
\ No newline at end of file
diff --git a/powerjob-server/powerjob-server-core/src/main/java/tech/powerjob/server/core/service/AppInfoService.java b/powerjob-server/powerjob-server-core/src/main/java/tech/powerjob/server/core/service/AppInfoService.java
index b4a19adc..09821667 100644
--- a/powerjob-server/powerjob-server-core/src/main/java/tech/powerjob/server/core/service/AppInfoService.java
+++ b/powerjob-server/powerjob-server-core/src/main/java/tech/powerjob/server/core/service/AppInfoService.java
@@ -12,20 +12,35 @@ import java.util.Optional;
  */
 public interface AppInfoService {
 
-    /**
-     * 验证 APP 账号密码
-     * @param appName 账号
-     * @param password 原文密码
-     * @return AppId
-     */
-    Long assertApp(String appName, String password);
-
     Optional<AppInfoDO> findByAppName(String appName);
 
     /**
      * 获取 AppInfo（带缓存）
      * @param appId appId
+     * @param useCache cache
      * @return App 信息
      */
-    Optional<AppInfoDO> findByIdWithCache(Long appId);
+    Optional<AppInfoDO> findById(Long appId, boolean useCache);
+
+    void deleteById(Long appId);
+
+    /**
+     * 保存 App
+     * @param appInfo app 信息
+     * @return 保存后结果
+     */
+    AppInfoDO save(AppInfoDO appInfo);
+
+    /**
+     *
+     * @param appName 验证 APP 账号密码
+     * @param password 密码
+     * @param encryptType 密码类型
+     * @return appId
+     */
+    Long assertApp(String appName, String password, String encryptType);
+
+    Long assertApp(AppInfoDO appInfo, String password, String encryptType);
+
+    String fetchOriginAppPassword(AppInfoDO appInfo);
 }
diff --git a/powerjob-server/powerjob-server-core/src/main/java/tech/powerjob/server/core/service/impl/AppInfoServiceImpl.java b/powerjob-server/powerjob-server-core/src/main/java/tech/powerjob/server/core/service/impl/AppInfoServiceImpl.java
index f94d995f..480ad6f9 100644
--- a/powerjob-server/powerjob-server-core/src/main/java/tech/powerjob/server/core/service/impl/AppInfoServiceImpl.java
+++ b/powerjob-server/powerjob-server-core/src/main/java/tech/powerjob/server/core/service/impl/AppInfoServiceImpl.java
@@ -4,13 +4,17 @@ import com.google.common.cache.Cache;
 import com.google.common.cache.CacheBuilder;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.lang3.StringUtils;
 import org.springframework.stereotype.Service;
+import tech.powerjob.common.enums.EncryptType;
+import tech.powerjob.common.enums.ErrorCodes;
 import tech.powerjob.common.exception.PowerJobException;
+import tech.powerjob.common.utils.DigestUtils;
+import tech.powerjob.server.common.utils.AESUtil;
 import tech.powerjob.server.core.service.AppInfoService;
 import tech.powerjob.server.persistence.remote.model.AppInfoDO;
 import tech.powerjob.server.persistence.remote.repository.AppInfoRepository;
 
-import java.util.Objects;
 import java.util.Optional;
 import java.util.concurrent.TimeUnit;
 
@@ -33,21 +37,9 @@ public class AppInfoServiceImpl implements AppInfoService {
 
     private final AppInfoRepository appInfoRepository;
 
-    /**
-     * 验证应用访问权限
-     * @param appName 应用名称
-     * @param password 密码
-     * @return 应用ID
-     */
-    @Override
-    public Long assertApp(String appName, String password) {
+    private static final String ENCRYPT_KEY = "ChinaNo.1";
 
-        AppInfoDO appInfo = appInfoRepository.findByAppName(appName).orElseThrow(() -> new PowerJobException("can't find appInfo by appName: " + appName));
-        if (Objects.equals(appInfo.getPassword(), password)) {
-            return appInfo.getId();
-        }
-        throw new PowerJobException("password error!");
-    }
+    private static final String ENCRYPT_PWD_PREFIX = "aes:";
 
     @Override
     public Optional<AppInfoDO> findByAppName(String appName) {
@@ -55,7 +47,10 @@ public class AppInfoServiceImpl implements AppInfoService {
     }
 
     @Override
-    public Optional<AppInfoDO> findByIdWithCache(Long appId) {
+    public Optional<AppInfoDO> findById(Long appId, boolean useCache) {
+        if (!useCache) {
+            return appInfoRepository.findById(appId);
+        }
         try {
             AppInfoDO appInfoDO = appId2AppInfoDO.get(appId, () -> {
                 Optional<AppInfoDO> appInfoOpt = appInfoRepository.findById(appId);
@@ -71,4 +66,61 @@ public class AppInfoServiceImpl implements AppInfoService {
         return Optional.empty();
     }
 
+    @Override
+    public void deleteById(Long appId) {
+        appInfoRepository.deleteById(appId);
+    }
+
+    @Override
+    public AppInfoDO save(AppInfoDO appInfo) {
+
+        String originPassword = appInfo.getPassword();
+        String encryptPassword = AESUtil.encrypt(originPassword, ENCRYPT_KEY);
+        String finalPassword = ENCRYPT_PWD_PREFIX.concat(encryptPassword);
+        appInfo.setPassword(finalPassword);
+
+        return appInfoRepository.saveAndFlush(appInfo);
+    }
+
+    @Override
+    public Long assertApp(String appName, String password, String encryptType) {
+        AppInfoDO appInfo = appInfoRepository.findByAppName(appName).orElseThrow(() -> new PowerJobException(ErrorCodes.INVALID_APP, appName));
+        return assertApp(appInfo, password, encryptType);
+    }
+
+    @Override
+    public Long assertApp(AppInfoDO appInfo, String password, String encryptType) {
+        boolean checkPass = checkPassword(appInfo, password, encryptType);
+        if (!checkPass) {
+            throw new PowerJobException(ErrorCodes.INCORRECT_PASSWORD, null);
+        }
+        return appInfo.getId();
+    }
+
+    private boolean checkPassword(AppInfoDO appInfo, String password, String encryptType) {
+        String originPwd = fetchOriginAppPassword(appInfo);
+        if (StringUtils.isEmpty(encryptType) || EncryptType.NONE.getCode().equalsIgnoreCase(encryptType)) {
+            return password.equals(originPwd);
+        }
+        if (EncryptType.MD5.getCode().equalsIgnoreCase(encryptType)) {
+            return password.equalsIgnoreCase(DigestUtils.md5(originPwd));
+        }
+        throw new PowerJobException(ErrorCodes.INVALID_REQUEST, "unknown_encryptType:" + encryptType);
+    }
+
+    @Override
+    public String fetchOriginAppPassword(AppInfoDO appInfo) {
+        String dbPwd = appInfo.getPassword();
+        if (StringUtils.isEmpty(dbPwd)) {
+            return dbPwd;
+        }
+
+        if (dbPwd.startsWith(ENCRYPT_PWD_PREFIX)) {
+            String encryptPassword = dbPwd.replaceFirst(ENCRYPT_PWD_PREFIX, StringUtils.EMPTY);
+            return AESUtil.decrypt(encryptPassword, ENCRYPT_KEY);
+        }
+
+        return dbPwd;
+    }
+
 }
diff --git a/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/openapi/OpenAPIController.java b/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/openapi/OpenAPIController.java
index 157ce224..40a9abf3 100644
--- a/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/openapi/OpenAPIController.java
+++ b/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/openapi/OpenAPIController.java
@@ -58,7 +58,7 @@ public class OpenAPIController {
 
     @PostMapping(OpenAPIConstant.ASSERT)
     public ResultDTO<Long> assertAppName(String appName, @RequestParam(required = false) String password) {
-        return ResultDTO.success(appInfoService.assertApp(appName, password));
+        return ResultDTO.success(appInfoService.assertApp(appName, password, null));
     }
 
     /**
diff --git a/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/openapi/security/OpenApiSecurityServiceImpl.java b/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/openapi/security/OpenApiSecurityServiceImpl.java
index 2533a583..d855bb6b 100644
--- a/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/openapi/security/OpenApiSecurityServiceImpl.java
+++ b/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/openapi/security/OpenApiSecurityServiceImpl.java
@@ -8,10 +8,8 @@ import org.springframework.stereotype.Service;
 import tech.powerjob.client.module.AppAuthRequest;
 import tech.powerjob.client.module.AppAuthResult;
 import tech.powerjob.common.OpenAPIConstant;
-import tech.powerjob.common.exception.PowerJobException;
-import tech.powerjob.common.utils.DigestUtils;
 import tech.powerjob.common.enums.ErrorCodes;
-import tech.powerjob.server.auth.common.PowerJobAuthException;
+import tech.powerjob.common.exception.PowerJobException;
 import tech.powerjob.server.auth.common.utils.HttpServletUtils;
 import tech.powerjob.server.auth.jwt.JwtService;
 import tech.powerjob.server.core.service.AppInfoService;
@@ -20,7 +18,6 @@ import tech.powerjob.server.persistence.remote.model.AppInfoDO;
 import javax.annotation.Resource;
 import javax.servlet.http.HttpServletRequest;
 import java.util.Map;
-import java.util.Objects;
 import java.util.Optional;
 
 /**
@@ -40,6 +37,7 @@ public class OpenApiSecurityServiceImpl implements OpenApiSecurityService {
 
     private static final String JWT_KEY_APP_ID = "appId";
     private static final String JWT_KEY_APP_PASSWORD = "password";
+    private static final String JWT_KEY_ENCRYPT_TYPE = "encryptType";
 
     @Override
     public void authAppByToken(HttpServletRequest httpServletRequest) {
@@ -59,6 +57,7 @@ public class OpenApiSecurityServiceImpl implements OpenApiSecurityService {
 
         Long appIdFromJwt = MapUtils.getLong(jwtResult, JWT_KEY_APP_ID);
         String passwordFromJwt = MapUtils.getString(jwtResult, JWT_KEY_APP_PASSWORD);
+        String encryptType = MapUtils.getString(jwtResult, JWT_KEY_ENCRYPT_TYPE);
 
         // 校验 appId 一致性
         if (!StringUtils.equals(appIdFromHeader, String.valueOf(appIdFromJwt))) {
@@ -66,15 +65,12 @@ public class OpenApiSecurityServiceImpl implements OpenApiSecurityService {
         }
 
         // 此处不考虑改密码后的缓存时间，毕竟只要改了密码，一定会报错。换言之 OpenAPI 模式下，密码不可更改
-        Optional<AppInfoDO> appInfoOpt = appInfoService.findByIdWithCache(appIdFromJwt);
+        Optional<AppInfoDO> appInfoOpt = appInfoService.findById(appIdFromJwt, true);
         if (!appInfoOpt.isPresent()) {
             throw new PowerJobException(ErrorCodes.INVALID_APP, "can_not_find_app");
         }
 
-        String dbOriginPassword = appInfoOpt.get().getPassword();
-        if (!StringUtils.equals(passwordFromJwt, DigestUtils.md5(dbOriginPassword))) {
-            throw new PowerJobException(ErrorCodes.OPEN_API_PASSWORD_ERROR, "password_compare_failed");
-        }
+        appInfoService.assertApp(appInfoOpt.get(), passwordFromJwt, encryptType);
     }
 
 
@@ -84,25 +80,16 @@ public class OpenApiSecurityServiceImpl implements OpenApiSecurityService {
         String appName = appAuthRequest.getAppName();
         String encryptedPassword = appAuthRequest.getEncryptedPassword();
 
-        Optional<AppInfoDO> appInfoOpt = appInfoService.findByAppName(appName);
-        if (!appInfoOpt.isPresent()) {
-            throw new PowerJobAuthException(ErrorCodes.INVALID_APP);
-        }
-
-        AppInfoDO appInfo = appInfoOpt.get();
-
-        // 密码验证失败
-        if (!Objects.equals(DigestUtils.md5(appInfo.getPassword()), encryptedPassword)) {
-            throw new PowerJobAuthException(ErrorCodes.OPEN_API_PASSWORD_ERROR);
-        }
+        Long appId = appInfoService.assertApp(appName, encryptedPassword, appAuthRequest.getEncryptType());
 
         Map<String, Object> jwtBody = Maps.newHashMap();
-        jwtBody.put(JWT_KEY_APP_ID, appInfo.getId());
+        jwtBody.put(JWT_KEY_APP_ID, appId);
         jwtBody.put(JWT_KEY_APP_PASSWORD, encryptedPassword);
+        jwtBody.put(JWT_KEY_ENCRYPT_TYPE, appAuthRequest.getEncryptType());
 
         AppAuthResult appAuthResult = new AppAuthResult();
 
-        appAuthResult.setAppId(appInfo.getId());
+        appAuthResult.setAppId(appId);
         appAuthResult.setToken(jwtService.build(jwtBody, null));
 
         return appAuthResult;
diff --git a/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/web/controller/AppInfoController.java b/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/web/controller/AppInfoController.java
index 27b6dd91..71c8ff84 100644
--- a/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/web/controller/AppInfoController.java
+++ b/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/web/controller/AppInfoController.java
@@ -13,7 +13,10 @@ import org.springframework.data.domain.Page;
 import org.springframework.data.domain.PageRequest;
 import org.springframework.data.domain.Pageable;
 import org.springframework.data.jpa.domain.Specification;
-import org.springframework.web.bind.annotation.*;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
 import tech.powerjob.common.response.ResultDTO;
 import tech.powerjob.common.serialize.JsonUtils;
 import tech.powerjob.common.utils.CommonUtils;
@@ -22,13 +25,12 @@ import tech.powerjob.server.auth.Permission;
 import tech.powerjob.server.auth.Role;
 import tech.powerjob.server.auth.RoleScope;
 import tech.powerjob.server.auth.common.AuthConstants;
-import tech.powerjob.common.enums.ErrorCodes;
-import tech.powerjob.server.auth.common.PowerJobAuthException;
 import tech.powerjob.server.auth.interceptor.ApiPermission;
 import tech.powerjob.server.auth.plugin.ModifyOrCreateDynamicPermission;
 import tech.powerjob.server.auth.plugin.SaveAppGrantPermissionPlugin;
 import tech.powerjob.server.auth.service.WebAuthService;
 import tech.powerjob.server.common.module.WorkerInfo;
+import tech.powerjob.server.core.service.AppInfoService;
 import tech.powerjob.server.persistence.PageResult;
 import tech.powerjob.server.persistence.QueryConvertUtils;
 import tech.powerjob.server.persistence.remote.model.AppInfoDO;
@@ -67,6 +69,7 @@ public class AppInfoController {
 
     private final UserWebService userWebService;
 
+    private final AppInfoService appInfoService;
     private final AppInfoRepository appInfoRepository;
 
     private final NamespaceWebService namespaceWebService;
@@ -86,7 +89,7 @@ public class AppInfoController {
             appInfoDO.setGmtCreate(new Date());
             appInfoDO.setCreator(LoginUserHolder.getUserId());
         } else {
-            appInfoDO = appInfoRepository.findById(id).orElseThrow(() -> new IllegalArgumentException("can't find appInfo by id:" + id));
+            appInfoDO = appInfoService.findById(id, false).orElseThrow(() -> new IllegalArgumentException("can't find appInfo by id:" + id));
 
             // 不允许修改 appName
             if (!appInfoDO.getAppName().equalsIgnoreCase(req.getAppName())) {
@@ -104,7 +107,7 @@ public class AppInfoController {
         appInfoDO.setGmtModified(new Date());
         appInfoDO.setModifier(LoginUserHolder.getUserId());
 
-        AppInfoDO savedAppInfo = appInfoRepository.saveAndFlush(appInfoDO);
+        AppInfoDO savedAppInfo = appInfoService.save(appInfoDO);
 
         // 重现授权
         webAuthService.processPermissionOnSave(RoleScope.APP, savedAppInfo.getId(), req.getComponentUserRoleInfo());
@@ -123,7 +126,7 @@ public class AppInfoController {
             return ResultDTO.failed("Unable to delete apps with live workers, Please remove the worker dependency first!");
         }
 
-        appInfoRepository.deleteById(appId);
+        appInfoService.deleteById(appId);
         log.warn("[AppInfoController] delete app[id={}] successfully!", appId);
         return ResultDTO.success(null);
     }
@@ -188,18 +191,13 @@ public class AppInfoController {
     @ApiPermission(name = "App-BecomeAdmin", roleScope = RoleScope.GLOBAL, requiredPermission = Permission.NONE)
     public ResultDTO<Void> becomeAdminByAppNameAndPassword(@RequestBody AppAssertRequest appAssertRequest) {
         String appName = appAssertRequest.getAppName();
-        Optional<AppInfoDO> appInfoOpt = appInfoRepository.findByAppName(appName);
-        if (!appInfoOpt.isPresent()) {
-            throw new IllegalArgumentException("can't find app by appName: " + appName);
-        }
-        if (!StringUtils.equals(appInfoOpt.get().getPassword(), appAssertRequest.getPassword())) {
-            throw new PowerJobAuthException(ErrorCodes.INCORRECT_PASSWORD);
-        }
+
+        Long appId = appInfoService.assertApp(appName, appAssertRequest.getPassword(), appAssertRequest.getEncryptType());
 
         Map<String, Object> extra = Maps.newHashMap();
         extra.put("source", "becomeAdminByAppNameAndPassword");
 
-        webAuthService.grantRole2LoginUser(RoleScope.APP, appInfoOpt.get().getId(), Role.ADMIN, JsonUtils.toJSONString(extra));
+        webAuthService.grantRole2LoginUser(RoleScope.APP, appId, Role.ADMIN, JsonUtils.toJSONString(extra));
 
         return ResultDTO.success(null);
     }
@@ -224,7 +222,8 @@ public class AppInfoController {
 
                 // 密码
                 boolean hasPermission = webAuthService.hasPermission(RoleScope.APP, appInfoDO.getId(), Permission.READ);
-                appInfoVO.setPassword(hasPermission ? appInfoDO.getPassword() : AuthConstants.TIPS_NO_PERMISSION_TO_SEE);
+                String originPassword = appInfoService.fetchOriginAppPassword(appInfoDO);
+                appInfoVO.setPassword(hasPermission ? originPassword : AuthConstants.TIPS_NO_PERMISSION_TO_SEE);
 
                 // namespace
                 Optional<NamespaceDO> namespaceOpt = namespaceWebService.findById(appInfoDO.getNamespaceId());
diff --git a/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/web/request/AppAssertRequest.java b/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/web/request/AppAssertRequest.java
index 826d99ad..bb41c473 100644
--- a/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/web/request/AppAssertRequest.java
+++ b/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/web/request/AppAssertRequest.java
@@ -12,4 +12,6 @@ import lombok.Data;
 public class AppAssertRequest {
     private String appName;
     private String password;
+
+    private String encryptType;
 }