YongGoose commented on PR #7261: URL: https://github.com/apache/incubator-seata/pull/7261#issuecomment-2868111979
> @funky-eyes @slievrly
>
> I don't think this should be merged right now. It could cause issues with login.
>
> I'll make the necessary changes and provide a more detailed explanation afterward.

During the login process, the password is compared using `PasswordEncoder` internally by the `AuthenticationManager`. However, in the previous implementation, passwords were stored in plain text, which could have caused login failures. This has now been corrected by updating the code to encrypt passwords using `PasswordEncoder`. I ran the integration tests shown below, and since everything works as expected, I believe it's safe to proceed with the merge now.

`Random password test`

```java
// Runs inside a Spring Boot MockMvc test class: mockMvc and objectMapper are injected fields,
// and CapturedOutput is supplied by OutputCaptureExtension.
@Test
public void loginSuccess_shouldReturnTokenAndAddToHeader(CapturedOutput output) throws Exception {
    // The server only logs the auto-generated password once at startup; recover it from the captured log.
    String logs = output.getOut();
    Pattern pattern = Pattern.compile("Use the auto-generated password: \\[(.+?)\\]");
    Matcher matcher = pattern.matcher(logs);
    assertTrue(matcher.find(), "captured password not found in logs");
    String extractedPassword = matcher.group(1);

    User user = new User("seata", extractedPassword);
    String userJson = objectMapper.writeValueAsString(user);

    MvcResult result = mockMvc.perform(post("/api/v1/auth/login")
                    .contentType(MediaType.APPLICATION_JSON)
                    .content(userJson))
            .andExpect(status().isOk())
            .andExpect(jsonPath("$.success").value(true))
            .andExpect(jsonPath("$.data").isNotEmpty())
            .andExpect(header().exists(WebSecurityConfig.AUTHORIZATION_HEADER))
            .andReturn();

    // The issued token is returned in the Authorization header with the configured prefix.
    String authHeader = result.getResponse().getHeader(WebSecurityConfig.AUTHORIZATION_HEADER);
    assertNotNull(authHeader);
    // assertTrue rather than the Java assert keyword, which is a no-op unless the JVM runs with -ea.
    assertTrue(authHeader.startsWith(WebSecurityConfig.TOKEN_PREFIX));
}
```

`Property test`

```java
// Same test class; here the password comes from configuration ("foo") instead of the startup log.
@Test
public void loginSuccess_shouldReturnTokenAndAddToHeader() throws Exception {
    User user = new User("seata", "foo");
    String userJson = objectMapper.writeValueAsString(user);

    MvcResult result = mockMvc.perform(post("/api/v1/auth/login")
                    .contentType(MediaType.APPLICATION_JSON)
                    .content(userJson))
            .andExpect(status().isOk())
            .andExpect(jsonPath("$.success").value(true))
            .andExpect(jsonPath("$.data").isNotEmpty())
            .andExpect(header().exists(WebSecurityConfig.AUTHORIZATION_HEADER))
            .andReturn();

    String authHeader = result.getResponse().getHeader(WebSecurityConfig.AUTHORIZATION_HEADER);
    assertNotNull(authHeader);
    // assertTrue rather than the Java assert keyword, which is a no-op unless the JVM runs with -ea.
    assertTrue(authHeader.startsWith(WebSecurityConfig.TOKEN_PREFIX));
}
```

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscr...@seata.apache.org
For queries about this service, please contact Infrastructure at: us...@infra.apache.org
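The comment above describes the failure mode (a raw password in the user store can never satisfy an `AuthenticationManager` that verifies credentials through a `PasswordEncoder`) and the fix (encode on store). The stand-alone Spring Security program below reproduces both sides of that behaviour. It is an added example, not Seata's code and not part of the PR: the username, the password `foo`, the `ADMIN` role and the choice of `BCryptPasswordEncoder` are constructed assumptions, and the in-memory `UserDetailsService` stands in for whatever store Seata actually uses.

```java
import java.util.List;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

/**
 * Illustration only (not Seata's code): DaoAuthenticationProvider compares the presented
 * password with the stored one via PasswordEncoder.matches(raw, stored), so a user record
 * whose stored value is the raw string cannot match. Username, password, role and the
 * BCrypt encoder are constructed assumptions for this demo.
 */
public class StoredPasswordDemo {

    static final String USERNAME = "seata";
    static final String RAW_PASSWORD = "foo";

    /** Builds an AuthenticationManager over one in-memory user with the given stored password. */
    static AuthenticationManager managerFor(String storedPassword, PasswordEncoder encoder) {
        UserDetails user = User.withUsername(USERNAME)
                .password(storedPassword)   // stored exactly as given: raw or encoded
                .roles("ADMIN")
                .build();

        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(new InMemoryUserDetailsManager(user));
        provider.setPasswordEncoder(encoder);   // authenticate() calls encoder.matches(raw, stored)
        return new ProviderManager(List.of(provider));
    }

    /** Attempts a login; true on success, false when the provider rejects the credentials. */
    static boolean login(AuthenticationManager manager, String presentedPassword) {
        try {
            Authentication result = manager.authenticate(
                    new UsernamePasswordAuthenticationToken(USERNAME, presentedPassword));
            return result.isAuthenticated();
        } catch (AuthenticationException e) {   // BadCredentialsException on a mismatch
            return false;
        }
    }

    public static void main(String[] args) {
        PasswordEncoder encoder = new BCryptPasswordEncoder();

        // Before the fix: the raw password is what gets stored. BCryptPasswordEncoder.matches()
        // expects the stored value to be a bcrypt hash; "foo" is not one, so matches() returns
        // false and the correct password is rejected with BadCredentialsException.
        System.out.println("plaintext store, correct password accepted: "
                + login(managerFor(RAW_PASSWORD, encoder), RAW_PASSWORD));

        // After the fix: store encoder.encode(raw). The same encoder now verifies the presented
        // password against the hash, so only the correct password is accepted.
        AuthenticationManager fixed = managerFor(encoder.encode(RAW_PASSWORD), encoder);
        System.out.println("encoded store, correct password accepted: "
                + login(fixed, RAW_PASSWORD));
        System.out.println("encoded store, wrong password accepted: "
                + login(fixed, "not-the-password"));
    }
}
```

Two points worth checking when applying the same fix in a real service: the encoder used when the password is written must be the same one the `AuthenticationManager` is configured with (in a Spring application that normally means a single `PasswordEncoder` bean injected in both places), and because the store then holds only the encoded form, the raw value exists only at generation time, which is why a test like the `Random password test` above has to recover it from the startup log rather than from the user store.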