Re: [PR] fix(server): fix npe in non-auth mode [incubator-hugegraph]

Sun, 23 Nov 2025 23:41:01 -0800 


imbajin commented on code in PR #2912:
URL: 
https://github.com/apache/incubator-hugegraph/pull/2912#discussion_r2554944059


##########
hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/HugeGraphAuthProxy.java:
##########
@@ -953,6 +954,14 @@ public void updateTime(Date updateTime) {
         this.hugegraph.updateTime(updateTime);
     }
 
+    public static String username() {
+        Context context = HugeGraphAuthProxy.getContext();
+        if (context == null) {
+            return "anonymous";
+        }
+        return context.user.username();

Review Comment:
   ‼️ **Critical: 返回值设计问题**
   
   新增的 `username()` 方法在非认证模式下返回 "anonymous",但需要考虑:
   
   1. **业务逻辑正确性**: 在 `ManagerAPI.createManager()` 和 `GraphSpaceAPI.create()` 
中,这个 username 被用作 `creator` 字段。如果在非认证模式下所有创建者都是 "anonymous",会导致无法追踪真实的资源创建者。
   
   2. **建议方案**: 
      - 如果非认证模式下不需要追踪创建者,应该返回 `null` 而不是 "anonymous",让调用方明确处理
      - 或者在调用方检查认证模式,非认证模式下使用其他标识(如 IP、session ID 等)
   
   ```suggestion
   public static String username() {
       Context context = HugeGraphAuthProxy.getContext();
       if (context == null || context.user == null) {
           return null;  // 让调用方明确处理非认证场景
       }
       return context.user.username();
   }
   ```
   
   请确认非认证模式下的业务预期行为。



##########
hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/HugeGraphAuthProxy.java:
##########
@@ -953,6 +954,14 @@ public void updateTime(Date updateTime) {
         this.hugegraph.updateTime(updateTime);
     }
 
+    public static String username() {
+        Context context = HugeGraphAuthProxy.getContext();

Review Comment:
   ⚠️ **Important: 空指针安全性不完整**
   
   虽然修复了 `context` 为 null 的情况,但没有处理 `context.user` 为 null 的场景。建议增加防御性检查:
   
   ```suggestion
   public static String username() {
       Context context = HugeGraphAuthProxy.getContext();
       if (context == null || context.user == null) {
           return "anonymous";
       }
       return context.user.username();
   }
   ```
   
   或者检查一下 `Context` 的构造函数是否保证 `user` 字段非空。



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to