diff --git a/RuoYi-Vue/ruoyi-admin/src/main/java/com/ruoyi/web/controller/front/FrontAuthController.java b/RuoYi-Vue/ruoyi-admin/src/main/java/com/ruoyi/web/controller/front/FrontAuthController.java index 0851074..26a7caa 100644 --- a/RuoYi-Vue/ruoyi-admin/src/main/java/com/ruoyi/web/controller/front/FrontAuthController.java +++ b/RuoYi-Vue/ruoyi-admin/src/main/java/com/ruoyi/web/controller/front/FrontAuthController.java @@ -40,7 +40,9 @@ public class FrontAuthController extends BaseController public AjaxResult login(@RequestBody FrontLoginBody body) { AjaxResult ajax = AjaxResult.success(); - String token = frontAuthService.login(body.getUsername(), body.getPassword()); + String username = body == null ? null : body.getUsername(); + String password = body == null ? null : body.getPassword(); + String token = frontAuthService.login(username, password); ajax.put(Constants.TOKEN, token); return ajax; } @@ -48,7 +50,7 @@ public class FrontAuthController extends BaseController @GetMapping("/profile") public AjaxResult profile() { - return AjaxResult.success(frontUserService.selectById(SecurityUtils.getUserId())); + return AjaxResult.success(frontAuthService.profile(SecurityUtils.getUserId())); } @PostMapping("/logout") diff --git a/RuoYi-Vue/ruoyi-admin/src/main/java/com/ruoyi/web/service/front/FrontAuthService.java b/RuoYi-Vue/ruoyi-admin/src/main/java/com/ruoyi/web/service/front/FrontAuthService.java index 846aecd..d2f2a15 100644 --- a/RuoYi-Vue/ruoyi-admin/src/main/java/com/ruoyi/web/service/front/FrontAuthService.java +++ b/RuoYi-Vue/ruoyi-admin/src/main/java/com/ruoyi/web/service/front/FrontAuthService.java @@ -25,10 +25,16 @@ public class FrontAuthService public String login(String username, String password) { - FrontUser frontUser = frontUserService.selectByUsername(username); - if (frontUser == null) + if (StringUtils.isEmpty(username) || StringUtils.isEmpty(password)) { - throw new ServiceException("前台账号或密码错误"); + throw credentialException(); + } + + FrontUser frontUser = frontUserService.selectByUsername(username); + if (frontUser == null || StringUtils.isEmpty(frontUser.getPassword()) + || !matchesPassword(password, frontUser.getPassword())) + { + throw credentialException(); } if (UserStatus.DISABLE.getCode().equals(frontUser.getStatus())) { @@ -38,10 +44,6 @@ public class FrontAuthService { throw new ServiceException("前台账号已删除"); } - if (!SecurityUtils.matchesPassword(password, frontUser.getPassword())) - { - throw new ServiceException("前台账号或密码错误"); - } SysUser tokenUser = new SysUser(); tokenUser.setUserId(frontUser.getUserId()); @@ -55,4 +57,31 @@ public class FrontAuthService frontUserService.updateLastLoginTime(frontUser.getUserId()); return token; } + + public FrontUser profile(Long userId) + { + FrontUser frontUser = frontUserService.selectById(userId); + if (frontUser != null) + { + frontUser.setPassword(null); + } + return frontUser; + } + + private boolean matchesPassword(String password, String encodedPassword) + { + try + { + return SecurityUtils.matchesPassword(password, encodedPassword); + } + catch (IllegalArgumentException e) + { + return false; + } + } + + private ServiceException credentialException() + { + return new ServiceException("用户名或密码错误"); + } } diff --git a/RuoYi-Vue/ruoyi-admin/src/test/java/com/ruoyi/web/service/front/FrontAuthServiceTest.java b/RuoYi-Vue/ruoyi-admin/src/test/java/com/ruoyi/web/service/front/FrontAuthServiceTest.java index 1aeaf83..bc1aa57 100644 --- a/RuoYi-Vue/ruoyi-admin/src/test/java/com/ruoyi/web/service/front/FrontAuthServiceTest.java +++ b/RuoYi-Vue/ruoyi-admin/src/test/java/com/ruoyi/web/service/front/FrontAuthServiceTest.java @@ -2,6 +2,7 @@ package com.ruoyi.web.service.front; import com.ruoyi.common.constant.Constants; import com.ruoyi.common.core.domain.model.LoginUser; +import com.ruoyi.common.exception.ServiceException; import com.ruoyi.common.utils.SecurityUtils; import com.ruoyi.framework.web.service.TokenService; import com.ruoyi.generator.domain.front.FrontUser; @@ -15,7 +16,11 @@ import org.mockito.junit.MockitoJUnitRunner; import java.lang.reflect.Field; import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertNull; +import static org.junit.Assert.fail; +import static org.mockito.ArgumentMatchers.anyLong; import static org.mockito.ArgumentMatchers.any; +import static org.mockito.Mockito.never; import static org.mockito.Mockito.verify; import static org.mockito.Mockito.when; @@ -63,6 +68,66 @@ public class FrontAuthServiceTest verify(frontUserService).updateLastLoginTime(100L); } + @Test + public void loginRejectsNullPasswordWithCredentialFailure() + { + try + { + frontAuthService.login("demo", null); + fail("Expected ServiceException"); + } + catch (ServiceException e) + { + assertEquals("用户名或密码错误", e.getMessage()); + } + + verify(tokenService, never()).createToken(any(LoginUser.class)); + verify(frontUserService, never()).updateLastLoginTime(anyLong()); + } + + @Test + public void loginRejectsBadPasswordBeforeAccountStatus() + { + FrontUser user = new FrontUser(); + user.setUserId(100L); + user.setUsername("demo"); + user.setNickname("Demo"); + user.setPassword(SecurityUtils.encryptPassword("admin123")); + user.setStatus("1"); + user.setDelFlag("0"); + + when(frontUserService.selectByUsername("demo")).thenReturn(user); + + try + { + frontAuthService.login("demo", "wrong"); + fail("Expected ServiceException"); + } + catch (ServiceException e) + { + assertEquals("用户名或密码错误", e.getMessage()); + } + + verify(tokenService, never()).createToken(any(LoginUser.class)); + verify(frontUserService, never()).updateLastLoginTime(anyLong()); + } + + @Test + public void profileClearsPasswordBeforeReturning() + { + FrontUser user = new FrontUser(); + user.setUserId(100L); + user.setUsername("demo"); + user.setPassword("encoded-password"); + + when(frontUserService.selectById(100L)).thenReturn(user); + + FrontUser profile = frontAuthService.profile(100L); + + assertEquals("demo", profile.getUsername()); + assertNull(profile.getPassword()); + } + private void setField(String name, Object value) throws Exception { Field field = FrontAuthService.class.getDeclaredField(name);