YongGoose commented on code in PR #7261:
URL: https://github.com/apache/incubator-seata/pull/7261#discussion_r2065303418


##########
console/src/main/java/org/apache/seata/console/security/CustomUserDetailsServiceImpl.java:
##########
@@ -32,23 +34,47 @@
 @Service
 public class CustomUserDetailsServiceImpl implements UserDetailsService {
 
-    @Value("${console.user.username}")
-    private String username;
-
-    @Value("${console.user.password}")
-    private String password;
-
+    private Console console;
     private User user;
 
     /**
      * Init.
      */
     @PostConstruct
-    public void init() {
-        // TODO: get userInfo by db
-        user = new User();
-        user.setUsername(username);
-        user.setPassword(new BCryptPasswordEncoder().encode(password));
+    public void init() throws IOException {
+        String envUsername = System.getenv("SEATA_CONSOLE_USERNAME");
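
Review bot: `System.getenv("SEATA_CONSOLE_USERNAME")` on the first added line of `init()` returns null when the variable is not set, and the same hunk removes the `@Value("${console.user.username}")` and `@Value("${console.user.password}")` fields with no fallback visible here, so `envUsername` would be null for a deployment that only sets those properties. Please keep a configured or default value for the unset case and treat a blank value the same as a missing one. Separately, `init()` now declares `throws IOException` on a `@PostConstruct` method; the annotation's contract says such a method must not throw a checked exception, so catch it inside `init()` and rethrow an unchecked exception with a clear message.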

Review Comment:
   > Requiring users to read credentials (username and password) directly from environment variables would impose significant changes to their workflow and create a poor user experience. Instead, we can default to a predefined username (e.g., seata) and remove any default password. If no password is configured, the system will automatically generate a random password, log it for user reference, and notify them:
   > 
   > "No password was configured. A random password has been generated for security purposes. You may either:
   > 
   > 1. Use the auto-generated password (see logs for details), or
   > 2. Set a custom password in the configuration."
   > 
   > This approach ensures backward compatibility while guiding users toward secure practices.
   
   Thank you for your comment!
   
   As you pointed out, suddenly requiring users to provide credentials would lead to a poor user experience.
   Following your suggestion, I will implement it so that if no password is set in the `YAML` configuration file, the system will generate a random password, log it, and provide guidance to the user.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
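
The fallback discussed in the comment above, as an added example that is not code from the PR or from Seata. The class `ConsoleCredentials`, its `resolve` method, the 20-character length and the `Map` standing in for the YAML file are assumptions; the property keys and the default username `seata` come from the page.

```java
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Logger;

/** Hypothetical helper (not Seata code): console credentials with a generated-password fallback. */
public class ConsoleCredentials {
    private static final Logger LOG = Logger.getLogger(ConsoleCredentials.class.getName());
    private static final SecureRandom RANDOM = new SecureRandom(); // CSPRNG, never java.util.Random
    // No 0/O or 1/l/I: the value is read from a log and typed by hand.
    private static final String ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789";

    final String username;
    final String password;
    final boolean generated;

    private ConsoleCredentials(String username, String password, boolean generated) {
        this.username = username;
        this.password = password;
        this.generated = generated;
    }

    /** Keys are the properties the removed @Value fields read; the Map stands in for the YAML file. */
    static ConsoleCredentials resolve(Map<String, String> config) {
        String user = config.get("console.user.username");
        if (user == null || user.trim().isEmpty()) {
            user = "seata"; // predefined default username from the review comment
        }
        String pass = config.get("console.user.password");
        if (pass != null && !pass.trim().isEmpty()) {
            return new ConsoleCredentials(user, pass, false); // configured: never logged
        }
        StringBuilder sb = new StringBuilder(20);
        for (int i = 0; i < 20; i++) {
            sb.append(ALPHABET.charAt(RANDOM.nextInt(ALPHABET.length()))); // unbiased index
        }
        // Logged once at startup; anyone with read access to the log can read it.
        LOG.warning("No password was configured. A random password has been generated for user '"
            + user + "': " + sb + " (set console.user.password to use a custom one)");
        return new ConsoleCredentials(user, sb.toString(), true);
    }

    public static void main(String[] args) {
        Map<String, String> yaml = new HashMap<>(); // constructed sample: password left unset
        yaml.put("console.user.username", "admin");
        ConsoleCredentials c = resolve(yaml);
        System.out.println(c.username + " generated=" + c.generated + " length=" + c.password.length());
    }
}
```

The returned password would still be passed through the password encoder before being stored on the `User`, as the removed `init()` did with `BCryptPasswordEncoder`.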
