funky-eyes commented on code in PR #7261:
URL: https://github.com/apache/incubator-seata/pull/7261#discussion_r2065220619


##########
console/src/main/java/org/apache/seata/console/security/CustomUserDetailsServiceImpl.java:
##########
@@ -32,23 +34,47 @@
 @Service
 public class CustomUserDetailsServiceImpl implements UserDetailsService {
 
-    @Value("${console.user.username}")
-    private String username;
-
-    @Value("${console.user.password}")
-    private String password;
-
+    private Console console;
     private User user;
 
     /**
      * Init.
      */
     @PostConstruct
-    public void init() {
-        // TODO: get userInfo by db
-        user = new User();
-        user.setUsername(username);
-        user.setPassword(new BCryptPasswordEncoder().encode(password));
+    public void init() throws IOException {
+        String envUsername = System.getenv("SEATA_CONSOLE_USERNAME");
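Review bot: On the new `init()` signature, `throws IOException` on a `@PostConstruct` method means any I/O failure while loading credentials propagates out of bean initialization, while the Javadoc above it still says only "Init.". Catch the exception inside `init()` and rethrow it with a message that names the source that could not be read, and document both the failure behaviour and the `SEATA_CONSOLE_USERNAME` lookup in the Javadoc. The same hunk removes the `@Value("${console.user.username}")` and `@Value("${console.user.password}")` fields, and the visible lines show only the environment variable read in their place, so please confirm that deployments setting those properties still get their configured user, or describe the migration. The environment variable name would also read better as a named constant than as an inline string literal.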

Review Comment:
   Requiring users to read credentials (username and password) directly from 
environment variables would impose significant changes to their workflow and 
create a poor user experience. Instead, we can default to a predefined username 
(e.g., seata) and remove any default password. If no password is configured, 
the system will automatically generate a random password, log it for user 
reference, and notify them:
   
   "No password was configured. A random password has been generated for 
security purposes. You may either:
   1. Use the auto-generated password (see logs for details), or
   2. Set a custom password in the configuration."
   
   This approach ensures backward compatibility while guiding users toward 
secure practices.
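The fallback proposed in the comment above, sketched as an added example; it is not code from the PR or from Seata. The class, record and method names are hypothetical, and the sketch assumes the caller passes in the raw values of `console.user.username` and `console.user.password`.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.logging.Logger;

/** Added illustration; class, record and method names are hypothetical, not Seata's. */
public class ConsoleCredentialDefaults {
    private static final Logger LOG = Logger.getLogger(ConsoleCredentialDefaults.class.getName());
    private static final String DEFAULT_USERNAME = "seata"; // default named in the comment
    private static final SecureRandom RNG = new SecureRandom();

    /** Resolved credentials; 'generated' tells the caller a random password was issued. */
    public record Resolved(String username, String password, boolean generated) {}

    /** Arguments are the raw configured values (assumed), possibly null or blank. */
    public static Resolved resolve(String configuredUser, String configuredPassword) {
        String user = isBlank(configuredUser) ? DEFAULT_USERNAME : configuredUser.trim();
        if (!isBlank(configuredPassword)) {
            return new Resolved(user, configuredPassword, false);
        }
        // 18 random bytes encode to 24 URL-safe characters (144 bits), no padding.
        byte[] raw = new byte[18];
        RNG.nextBytes(raw);
        String generated = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        // Logged once at startup, as the comment proposes. The log then holds a live
        // credential, so whoever can read it can sign in to the console.
        LOG.warning("No password was configured. A random password has been generated "
                + "for user '" + user + "': " + generated
                + " . Use it, or set a custom password in the configuration.");
        return new Resolved(user, generated, true);
    }

    private static boolean isBlank(String s) {
        return s == null || s.trim().isEmpty();
    }

    public static void main(String[] args) {
        Resolved fromConfig = resolve("admin", "s3t-by-operator"); // constructed sample values
        Resolved fallback = resolve(null, "  ");                   // nothing configured
        System.out.println(fromConfig.username() + " generated=" + fromConfig.generated());
        System.out.println(fallback.username() + " generated=" + fallback.generated()
                + " length=" + fallback.password().length());
    }
}
```

The returned password would still go through the `BCryptPasswordEncoder` step seen in the removed lines before being stored on the `User`.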


