Copilot commented on code in PR #4273:
URL: https://github.com/apache/streampark/pull/4273#discussion_r2247273422
##########
streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/system/authentication/JWTUtil.java:
##########
@@ -167,4 +180,69 @@ public static Long getTTLOfSecond() {
}
return ttlOfSecond;
}
+
+ private static DecodedJWT decode(String token) {
+ try {
+ Algorithm algorithm = Algorithm.HMAC256(JWT_KEY);
+ JWTVerifier verifier = JWT.require(algorithm).build();
+ return verifier.verify(token);
+ } catch (Exception e) {
+ return null;
+ }
+ }
+
+ public static boolean verify(String token) {
+ try {
+ // Base64解码签名密钥
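Review bot: the comment `// Base64解码签名密钥` above `Algorithm.HMAC256(JWT_KEY)` in verify() is inaccurate regardless of language: nothing on that line decodes Base64, the raw JWT_KEY bytes go straight into HMAC256. Either drop the comment or, if the configured secret really is Base64 text, do the decoding once inside loadSigningKey() so the same bytes feed both HMAC256 call sites; a translated comment would otherwise keep describing a step that does not exist. Separately, decode() swallows every exception and returns null, so every caller needs a null check; logging at least the exception class there, as verify() does, makes signature failures diagnosable.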
Review Comment:
The comment 'Base64解码签名密钥' is in Chinese. Comments should be in English for
consistency with the rest of the codebase.
```suggestion
// Decode the signing key using Base64
```
##########
streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/system/authentication/JWTUtil.java:
##########
@@ -167,4 +180,69 @@ public static Long getTTLOfSecond() {
}
return ttlOfSecond;
}
+
+ private static DecodedJWT decode(String token) {
+ try {
+ Algorithm algorithm = Algorithm.HMAC256(JWT_KEY);
+ JWTVerifier verifier = JWT.require(algorithm).build();
+ return verifier.verify(token);
+ } catch (Exception e) {
+ return null;
+ }
+ }
+
+ public static boolean verify(String token) {
+ try {
+ // Base64解码签名密钥
+ Algorithm algorithm = Algorithm.HMAC256(JWT_KEY);
+ JWTVerifier verifier = JWT.require(algorithm).build();
+ verifier.verify(decrypt(token));
+ return true;
+ } catch (Exception e) {
+ log.warn("Invalid JWT: {}", e.getMessage());
+ return false;
+ }
+ }
+
+ // 修复加密方法
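Review bot: `// 修复加密方法` ("fix encryption method") above encrypt() is a changelog note rather than a description of the code; it belongs in the commit message or PR description and should be removed rather than translated, since it tells the next reader nothing about what the method does.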
Review Comment:
The comment '修复加密方法' is in Chinese. Comments should be in English for
consistency with the rest of the codebase.
```suggestion
// Fix encryption method
```
##########
streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/system/authentication/JWTUtil.java:
##########
@@ -167,4 +180,69 @@ public static Long getTTLOfSecond() {
}
return ttlOfSecond;
}
+
+ private static DecodedJWT decode(String token) {
+ try {
+ Algorithm algorithm = Algorithm.HMAC256(JWT_KEY);
+ JWTVerifier verifier = JWT.require(algorithm).build();
+ return verifier.verify(token);
+ } catch (Exception e) {
+ return null;
+ }
+ }
+
+ public static boolean verify(String token) {
+ try {
+ // Base64解码签名密钥
+ Algorithm algorithm = Algorithm.HMAC256(JWT_KEY);
+ JWTVerifier verifier = JWT.require(algorithm).build();
+ verifier.verify(decrypt(token));
+ return true;
+ } catch (Exception e) {
+ log.warn("Invalid JWT: {}", e.getMessage());
+ return false;
+ }
+ }
+
+ // 修复加密方法
+ public static String encrypt(String content) throws Exception {
+ // 生成随机IV
+ byte[] iv = new byte[GCM_IV_LENGTH];
+ SecureRandom.getInstanceStrong().nextBytes(iv);
+
+ SecretKeySpec keySpec = new SecretKeySpec(JWT_KEY, "AES");
+
+ // 初始化加密器
+ Cipher cipher = Cipher.getInstance(ALGORITHM);
+ cipher.init(Cipher.ENCRYPT_MODE, keySpec, new
GCMParameterSpec(GCM_TAG_LENGTH, iv));
+
+ // 加密数据
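Review bot: JWT_KEY is used both as the HMAC256 signing secret (`Algorithm.HMAC256(JWT_KEY)` in decode() and verify()) and as the AES-GCM key (`new SecretKeySpec(JWT_KEY, "AES")` in encrypt()). Reusing one secret across two primitives couples their security; derive two independent subkeys from the loaded secret (for example an HKDF-style derivation with distinct labels) so that exposure or weakness on one path does not compromise the other. `SecretKeySpec(JWT_KEY, "AES")` also requires exactly 16, 24 or 32 bytes, otherwise `cipher.init` throws InvalidKeyException, so loadSigningKey() should validate the length up front (or the derivation should fix it) instead of letting every encrypt() call fail at runtime.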
Review Comment:
The comment '加密数据' is in Chinese. Comments should be in English for
consistency with the rest of the codebase.
```suggestion
// Encrypt data
```
##########
streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/system/authentication/JWTUtil.java:
##########
@@ -167,4 +180,69 @@ public static Long getTTLOfSecond() {
}
return ttlOfSecond;
}
+
+ private static DecodedJWT decode(String token) {
+ try {
+ Algorithm algorithm = Algorithm.HMAC256(JWT_KEY);
+ JWTVerifier verifier = JWT.require(algorithm).build();
+ return verifier.verify(token);
+ } catch (Exception e) {
+ return null;
+ }
+ }
+
+ public static boolean verify(String token) {
+ try {
+ // Base64解码签名密钥
+ Algorithm algorithm = Algorithm.HMAC256(JWT_KEY);
+ JWTVerifier verifier = JWT.require(algorithm).build();
+ verifier.verify(decrypt(token));
+ return true;
+ } catch (Exception e) {
+ log.warn("Invalid JWT: {}", e.getMessage());
+ return false;
+ }
+ }
+
+ // 修复加密方法
+ public static String encrypt(String content) throws Exception {
+ // 生成随机IV
+ byte[] iv = new byte[GCM_IV_LENGTH];
+ SecureRandom.getInstanceStrong().nextBytes(iv);
+
+ SecretKeySpec keySpec = new SecretKeySpec(JWT_KEY, "AES");
+
+ // 初始化加密器
+ Cipher cipher = Cipher.getInstance(ALGORITHM);
+ cipher.init(Cipher.ENCRYPT_MODE, keySpec, new
GCMParameterSpec(GCM_TAG_LENGTH, iv));
+
+ // 加密数据
+ byte[] encrypted =
cipher.doFinal(content.getBytes(StandardCharsets.UTF_8));
+
+ // 组合IV + 密文
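Review bot: `SecureRandom.getInstanceStrong()` in encrypt() can block when the platform's strong source runs low on entropy (on Linux it maps to the blocking provider by default), which is a poor fit for a per-request token path; `new SecureRandom()` is the usual choice for GCM IVs and does not block. Also worth a comment next to GCM_IV_LENGTH: with a random 96-bit IV, one key should not be used for more than roughly 2^32 encryptions, so a long-lived JWT_KEY needs a rotation story.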
Review Comment:
The comment '组合IV + 密文' is in Chinese. Comments should be in English for
consistency with the rest of the codebase.
```suggestion
// Combine IV and ciphertext
```
##########
streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/system/authentication/JWTUtil.java:
##########
@@ -167,4 +180,69 @@ public static Long getTTLOfSecond() {
}
return ttlOfSecond;
}
+
+ private static DecodedJWT decode(String token) {
+ try {
+ Algorithm algorithm = Algorithm.HMAC256(JWT_KEY);
+ JWTVerifier verifier = JWT.require(algorithm).build();
+ return verifier.verify(token);
+ } catch (Exception e) {
+ return null;
+ }
+ }
+
+ public static boolean verify(String token) {
+ try {
+ // Base64解码签名密钥
+ Algorithm algorithm = Algorithm.HMAC256(JWT_KEY);
+ JWTVerifier verifier = JWT.require(algorithm).build();
+ verifier.verify(decrypt(token));
+ return true;
+ } catch (Exception e) {
+ log.warn("Invalid JWT: {}", e.getMessage());
+ return false;
+ }
+ }
+
+ // 修复加密方法
+ public static String encrypt(String content) throws Exception {
+ // 生成随机IV
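Review bot: `public static String encrypt(String content) throws Exception` declares the broadest possible checked exception; the calls inside throw GeneralSecurityException subtypes (NoSuchAlgorithmException, InvalidKeyException, and so on), so declare `throws GeneralSecurityException` and let callers handle a meaningful type instead of a bare `Exception`.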
Review Comment:
The comment '生成随机IV' is in Chinese. Comments should be in English for
consistency with the rest of the codebase.
```suggestion
// Generate a random IV
```
##########
streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/system/authentication/JWTUtil.java:
##########
@@ -36,72 +47,74 @@ public class JWTUtil {
private static Long ttlOfSecond;
+ private static final String ALGORITHM = "AES/GCM/NoPadding";
+ private static final int GCM_TAG_LENGTH = 128;
+ private static final int GCM_IV_LENGTH = 12;
+
private static final String JWT_USERID = "userId";
private static final String JWT_USERNAME = "userName";
private static final String JWT_TYPE = "type";
private static final String JWT_TIMESTAMP = "timestamp";
- /**
- * verify token
- *
- * @param token token
- * @return is valid token
- */
- public static boolean verify(String token, String username, String secret)
{
+ private static byte[] JWT_KEY = loadSigningKey(); // 用于 HMAC256
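Review bot: `private static byte[] JWT_KEY = loadSigningKey();` should be `private static final byte[] JWT_KEY`; as written the reference can be reassigned from anywhere in the class, and since the array itself is mutable, the field must never be handed out to callers. The hunk also deletes the public `verify(String token, String username, String secret)` together with its Javadoc; confirm that every caller was moved to the new `verify(String token)`, and give the new method the Javadoc the old one had, noting that the argument is now expected to be an AES-GCM encrypted token rather than a bare JWT.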
Review Comment:
The comment '用于 HMAC256' is in Chinese. Comments should be in English for
consistency with the rest of the codebase.
```suggestion
private static byte[] JWT_KEY = loadSigningKey(); // Used for HMAC256
```
##########
streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/system/authentication/JWTUtil.java:
##########
@@ -167,4 +180,69 @@ public static Long getTTLOfSecond() {
}
return ttlOfSecond;
}
+
+ private static DecodedJWT decode(String token) {
+ try {
+ Algorithm algorithm = Algorithm.HMAC256(JWT_KEY);
+ JWTVerifier verifier = JWT.require(algorithm).build();
+ return verifier.verify(token);
+ } catch (Exception e) {
+ return null;
+ }
+ }
+
+ public static boolean verify(String token) {
+ try {
+ // Base64解码签名密钥
+ Algorithm algorithm = Algorithm.HMAC256(JWT_KEY);
+ JWTVerifier verifier = JWT.require(algorithm).build();
+ verifier.verify(decrypt(token));
+ return true;
+ } catch (Exception e) {
+ log.warn("Invalid JWT: {}", e.getMessage());
+ return false;
+ }
+ }
+
+ // 修复加密方法
+ public static String encrypt(String content) throws Exception {
+ // 生成随机IV
+ byte[] iv = new byte[GCM_IV_LENGTH];
+ SecureRandom.getInstanceStrong().nextBytes(iv);
+
+ SecretKeySpec keySpec = new SecretKeySpec(JWT_KEY, "AES");
+
+ // 初始化加密器
Review Comment:
The comment '初始化加密器' is in Chinese. Comments should be in English for
consistency with the rest of the codebase.
```suggestion
// Initialize the cipher
```
##########
streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/system/authentication/JWTUtil.java:
##########
@@ -167,4 +180,69 @@ public static Long getTTLOfSecond() {
}
return ttlOfSecond;
}
+
+ private static DecodedJWT decode(String token) {
+ try {
+ Algorithm algorithm = Algorithm.HMAC256(JWT_KEY);
+ JWTVerifier verifier = JWT.require(algorithm).build();
+ return verifier.verify(token);
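Review bot: verify() and decode() each build their own Algorithm and JWTVerifier, so the decrypt-then-verify order has to be kept in sync in two places and is currently already out of sync (verify() decrypts, decode() does not). Have verify() delegate (`return decode(token) != null;`) or move the shared logic into one private helper so there is a single definition of what a valid token is; that removes the mismatch where verify() accepts a token that decode() rejects.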
Review Comment:
The decode method does not decrypt the token before verifying it. Since
tokens are encrypted with AES-GCM, they should be decrypted first before JWT
verification. This could cause authentication failures.
```suggestion
String decryptedToken = decrypt(token);
Algorithm algorithm = Algorithm.HMAC256(JWT_KEY);
JWTVerifier verifier = JWT.require(algorithm).build();
return verifier.verify(decryptedToken);
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]