YongGoose opened a new issue, #7331: URL: https://github.com/apache/incubator-seata/issues/7331
As you can see in this PR, passwords are currently being stored in plain text. (**I believe this task should be taken after this PR is merged ❗️**) - https://github.com/apache/incubator-seata/pull/7261

This poses a security vulnerability, so it would be better to encrypt them.

### Deliverables

- [ ] After displaying the `password` in the console, encrypt it
- [ ] Use `PasswordEncoder` for any password comparison logic
- [ ] Update related test code accordingly (It should be sufficient to update the smoke test code written in https://github.com/apache/incubator-seata/pull/7261/commits/52cbf749e8005f85dbf9d012cb0644ac54fb07ae)

> Since displaying the password in the console is already implemented, you just need to pass the encrypted password when creating the `User` object.

---

Since a `PasswordEncoder` bean already exists in `WebSecurityConfig`, it should be straightforward to use it for the implementation.

https://github.com/apache/incubator-seata/blob/a84b7bedf60a160a900e5a64d94c3c031943c4db/console/src/main/java/org/apache/seata/console/config/WebSecurityConfig.java#L127

### Related Links

- https://github.com/apache/incubator-seata/issues/7307
- https://github.com/apache/incubator-seata/pull/7261
- https://docs.spring.io/spring-security/reference/api/java/org/springframework/security/crypto/password/PasswordEncoder.html
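The flow the deliverables describe, as an added example that is not Seata's own code: the generated password is shown once, only its encoded form is kept on the user object, and login attempts are checked through `PasswordEncoder.matches`. It assumes `spring-security-crypto` on the classpath and Java 16+; `ConsoleUser` is a hypothetical stand-in for the project's `User` object, and the encoder is built the same way a typical `WebSecurityConfig` bean is.

```java
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

import java.security.SecureRandom;
import java.util.Base64;

public class ConsolePasswordExample {

    // Assumption: same shape as the PasswordEncoder bean in WebSecurityConfig.
    // The delegating encoder defaults to bcrypt and prefixes hashes with "{bcrypt}".
    private static final PasswordEncoder ENCODER =
            PasswordEncoderFactories.createDelegatingPasswordEncoder();

    // Hypothetical stand-in for the project's User object: holds only the hash.
    record ConsoleUser(String username, String passwordHash) {}

    // Generate a random initial password; the plaintext exists only long enough
    // to be displayed once on the console.
    static String generatePlaintextPassword() {
        byte[] buf = new byte[18];
        new SecureRandom().nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // Deliverable 1: display first, then keep only the encoded form.
    static ConsoleUser createUser(String username, String plaintext) {
        System.out.println("Generated console password for " + username + ": " + plaintext);
        return new ConsoleUser(username, ENCODER.encode(plaintext));
    }

    // Deliverable 2: comparison goes through matches(), never String.equals on
    // the stored hash. Each encode() call uses a fresh salt, so two hashes of the
    // same password differ and a string comparison would always fail.
    static boolean authenticate(ConsoleUser user, String attempt) {
        return ENCODER.matches(attempt, user.passwordHash());
    }

    public static void main(String[] args) {
        String plaintext = generatePlaintextPassword();
        ConsoleUser user = createUser("seata", plaintext);
        System.out.println("Stored value: " + user.passwordHash());
        System.out.println("Correct password accepted: " + authenticate(user, plaintext));
        System.out.println("Wrong password rejected: " + !authenticate(user, "wrong"));
    }
}
```

For the smoke test, assert on `authenticate(...)` (or the encoder's `matches`) rather than comparing the stored value to the plaintext, since the stored hash is salted and will never equal the displayed password.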