@@ -124,7 +124,7 @@ public Result forgotPassword(User user) throws Exception {
return Result.success(ExceptionEnum.CM334.getResultCode(), ExceptionEnum.CM334.getResultMsg());
}

private boolean validatorPublicKey(String salt, PublicKey publicKey, PrivateKey privateKey) throws Exception {
boolean validatorPublicKey(String salt, PublicKey publicKey, PrivateKey privateKey) throws Exception {
String plainSalt = decrypt(salt, privateKey);
String cipherSalt = encrypt(plainSalt, publicKey);
String decryptSalt = decrypt(cipherSalt, privateKey);
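Review bot: widening `validatorPublicKey` from `private` to package-private is the only change in this hunk and is presumably for test access; if so, say so in a comment (or a `@VisibleForTesting`-style marker) so the method is not read as part of the class's public surface. The visible body is a decrypt, re-encrypt, decrypt round trip on `salt`, and the method declares `throws Exception`, so a salt that fails to decrypt surfaces as an exception from `decrypt` rather than as `false`; a Javadoc line stating which of the two outcomes callers should expect would help whoever now calls it from a test.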
@@ -97,7 +97,9 @@ public static SecretKey getSecretKey() {
*/
public String generateToken(String username, String roles, String userId,
Object tenants, Integer platformId) {

if(username==null ){
throw new IllegalArgumentException("Username must not be null");
}
Map<String, Object> claims = new HashMap<>();
claims.put("username", username);
claims.put("roles", roles);
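Review bot: the new guard covers only `username`, while `roles` is put into the claims map on the very next lines with no check and `userId`, `tenants` and `platformId` follow; if a null value is invalid for any of those, reject them here too, or state in the Javadoc why `username` alone is mandatory. Also match the formatting used elsewhere in this PR (`if (token == null) {` in `validateToken`): `if (username == null) {` rather than `if(username==null ){`.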
@@ -253,6 +255,10 @@ private <T> T getClaimFromToken(String token, String claimName, Class<T> clazz)
* 验证 Token 是否有效(包含黑名单检查和过期检查)
*/
public boolean validateToken(String token) {
if (token == null) {
throw new IllegalArgumentException("Token must not be null or empty");
}
Comment on lines +258 to +260
🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Message claims "null or empty" but only null is rejected.

An empty/blank token falls through to parsing and returns false (covered by validateTokenReturnsFalseForEmptyToken). Either align the message with the actual check or also reject blank tokens.

🩹 Align message with the check
-        if (token == null) {
-            throw new IllegalArgumentException("Token must not be null or empty");
-        }
+        if (token == null) {
+            throw new IllegalArgumentException("Token must not be null");
+        }
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@base/src/main/java/com/tinyengine/it/login/utils/JwtUtil.java` around lines
258 - 260, the token validation in JwtUtil is only rejecting null values, but
the IllegalArgumentException message says "null or empty," so make the behavior
and message consistent. Either update the check in the token validation path to
also reject blank/empty input before parsing, or change the exception text to
mention only null; use the JwtUtil token validation logic and its parse/validate
flow as the place to adjust so the behavior matches
validateTokenReturnsFalseForEmptyToken.


try {
// 检查是否在黑名单中
if (tokenBlacklistService.isTokenBlacklisted(token)) {
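Review bot: throwing `IllegalArgumentException` on lines 258-260 makes a missing token the one input that escapes the boolean contract of `validateToken`: the doc comment describes the method as answering whether a token is valid, and the body immediately below already wraps the blacklist and parsing cases in a `try`, while an empty token (per the comment above) returns `false`. Unless every caller is known to guard for null, `return false` keeps a missing token mapped to "invalid" instead of an unhandled exception; if the throw is intentional, document it with `@throws` in the Javadoc and align the message with the check.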
@@ -35,6 +35,9 @@ public class SM3PasswordUtil {
* SM3 哈希计算
*/
public static String sm3Hash(String data, String salt) throws Exception {
if(data == null || salt == null) {
throw new IllegalArgumentException("数据和盐值不能为空");
}
MessageDigest md = MessageDigest.getInstance(SM3_ALGORITHM, "BC");
String dataWithSalt = data + salt;
byte[] hash = md.digest(dataWithSalt.getBytes("UTF-8"));
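Review bot: the new exception message on lines 35-37 is in Chinese while `JwtUtil` in this same PR uses English ("Username must not be null"); pick one language for exception text so logs and error handling stay uniform. Formatting: `if(data == null || salt == null) {` should read `if (data == null || salt == null) {` to match the surrounding code. Since the hunk touches the hashing path, note also that `data + salt` is concatenated with no separator, so different (data, salt) pairs can produce the same input string; a fixed delimiter or a length prefix removes that ambiguity.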
@@ -54,6 +57,9 @@ public static PasswordResult createPassword(String plainPassword) throws Excepti
* 验证用户密码
*/
public static boolean verifyPassword(String inputPassword, String storedHash, String salt) throws Exception {
if(inputPassword == null || storedHash == null || salt == null) {
throw new IllegalArgumentException("输入密码、存储哈希和盐值不能为空");
}
Comment on lines +60 to +62
🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Don't surface bad-login inputs as uncaught exceptions.

Line 60 changes verifyPassword from a normal auth mismatch path into an exception path for null inputs. LoginController.login passes the request password and decrypted salt straight into this method, so an omitted password or null decrypted salt now escapes the login flow instead of returning the usual auth failure result. Please keep null-auth cases mapped at the boundary, or return false here for auth-style inputs.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@base/src/main/java/com/tinyengine/it/login/utils/SM3PasswordUtil.java` around
lines 60 - 62, the null-check in SM3PasswordUtil.verifyPassword currently throws
IllegalArgumentException for missing password, hash, or salt, which turns a
bad-login case into an uncaught exception. Update verifyPassword to treat null
auth inputs as a normal authentication failure by returning false, or move the
null handling to LoginController.login so omitted passwords or decrypted null
salts are mapped to the existing login-fail path instead of propagating an
exception.

String computedHash = sm3Hash(inputPassword, salt);
return computedHash.equals(storedHash);
}
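Review bot: two of the three new null checks on lines 60-62 are redundant with the one `sm3Hash` now performs, because `verifyPassword` passes `inputPassword` and `salt` straight into `sm3Hash(inputPassword, salt)` on the next line; only `storedHash` needs guarding here, and for it `return false` (the point raised above) is the safer choice for a login path. While this method is being touched, `computedHash.equals(storedHash)` is a short-circuiting string comparison; for a hash check prefer `MessageDigest.isEqual(computedHash.getBytes(StandardCharsets.UTF_8), storedHash.getBytes(StandardCharsets.UTF_8))` so the comparison time does not depend on where the two values first differ.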