Store passwords securely by encrypting instead of plain text

[YongGoose]

As you can see in this PR, passwords are currently being stored in plain text.
(I believe this task should be taken after this PR is merged ❗️)

• feature: enforce account initialization and disable default credentials #7261

This poses a security vulnerability, so it would be better to encrypt them.

Deliverables

• After displaying the password in the console, encrypt it
• Use PasswordEncoder for any password comparison logic
• Update related test code accordingly (It should be sufficient to update the smoke test code written in 52cbf74)

Since displaying the password in the console is already implemented, you just need to pass the encrypted password when creating the User object.

---

Since a PasswordEncoder bean already exists in WebSecurityConfig, it should be straightforward to use it for the implementation.

incubator-seata/console/src/main/java/org/apache/seata/console/config/WebSecurityConfig.java

Line 127 in a84b7be

public PasswordEncoder passwordEncoder() {

Related Links

• seata-server 需要配置加密 #7307
• feature: enforce account initialization and disable default credentials #7261
• https://docs.spring.io/spring-security/reference/api/java/org/springframework/security/crypto/password/PasswordEncoder.html

[YongGoose]

@YoWuwuuuw

If you're interested in this issue, feel free to start working on it after the following PR gets merged!

• feature: enforce account initialization and disable default credentials #7261

[YoWuwuuuw]

@YoWuwuuuw

If you're interested in this issue, feel free to start working on it after the following PR gets merged!

• feature: enforce account initialization and disable default credentials #7261

My understanding is that the original console password is written in the configuration file, and now random passwords are generated for users who do not write the configuration file, and have been encrypted and stored in memory with BCryptPasswordEncoder
I want to ask what is the purpose of this issue

[YongGoose]

My understanding is that the original console password is written in the configuration file, and now random passwords are generated for users who do not write the configuration file, and have been encrypted and stored in memory with BCryptPasswordEncoder I want to ask what is the purpose of this issue

It seems that passwords are being stored in an unencrypted form.

May I ask where encryption has been applied? 🤔

[YongGoose]

@YoWuwuuuw

After our conversation, I discovered that in version 2.x, passwords were encrypted using PasswordEncoder.

So I reviewed the login process and confirmed that password comparison is also handled internally using PasswordEncoder. As a result, I updated the logic to encrypt passwords using PasswordEncoder.

Thanks to your help, I was able to catch this bug early. 🙇🏻‍♂️
I also added an integration test to cover this scenario.

I'll close this issue now. Thank you!