优化：使用更加安全的编码保存用户密码

2025-11-08 19:53:47 +08:00 · 2025-03-01 18:44:30 +08:00
parent 57747d9082
commit 34fdf59432
11 changed files with 99 additions and 52 deletions
--- a/smart-admin-api-java17-springboot3/sa-admin/src/main/java/net/lab1024/sa/admin/module/system/employee/service/EmployeeService.java
+++ b/smart-admin-api-java17-springboot3/sa-admin/src/main/java/net/lab1024/sa/admin/module/system/employee/service/EmployeeService.java
@@ -297,38 +297,39 @@ public class EmployeeService {
        if (employeeEntity == null) {
            return ResponseDTO.error(UserErrorCode.DATA_NOT_EXIST);
        }
+
        // 校验原始密码
-        String oldPassword = SecurityPasswordService.getEncryptPwd(updatePasswordForm.getOldPassword());
-        if (!Objects.equals(oldPassword, employeeEntity.getLoginPwd())) {
+        if (!SecurityPasswordService.matchesPwd(updatePasswordForm.getOldPassword(),employeeEntity.getLoginPwd()) ) {
            return ResponseDTO.userErrorParam("原密码有误，请重新输入");
        }

+        // 新旧密码相同
+        if (Objects.equals(updatePasswordForm.getOldPassword(), updatePasswordForm.getNewPassword()) ){
+            return ResponseDTO.userErrorParam("新密码与原始密码相同，请重新输入");
+        }
+
        // 校验密码复杂度
        ResponseDTO<String> validatePassComplexity = securityPasswordService.validatePasswordComplexity(updatePasswordForm.getNewPassword());
        if (!validatePassComplexity.getOk()) {
            return validatePassComplexity;
        }

-        // 新旧密码相同
-        String newPassword = SecurityPasswordService.getEncryptPwd(updatePasswordForm.getNewPassword());
-        if (Objects.equals(oldPassword, newPassword)) {
-            return ResponseDTO.userErrorParam("新密码与原始密码相同，请重新输入");
-        }
-
        // 根据三级等保规则，校验密码是否重复
        ResponseDTO<String> passwordRepeatTimes = securityPasswordService.validatePasswordRepeatTimes(requestUser, updatePasswordForm.getNewPassword());
        if (!passwordRepeatTimes.getOk()) {
            return ResponseDTO.error(passwordRepeatTimes);
        }

+
        // 更新密码
+        String newEncryptPassword = SecurityPasswordService.getEncryptPwd(updatePasswordForm.getNewPassword());
        EmployeeEntity updateEntity = new EmployeeEntity();
        updateEntity.setEmployeeId(employeeId);
-        updateEntity.setLoginPwd(newPassword);
+        updateEntity.setLoginPwd(newEncryptPassword);
        employeeDao.updateById(updateEntity);

        // 保存修改密码密码记录
-        securityPasswordService.saveUserChangePasswordLog(requestUser, newPassword, oldPassword);
+        securityPasswordService.saveUserChangePasswordLog(requestUser, newEncryptPassword, employeeEntity.getLoginPwd());

        return ResponseDTO.ok();
    }
--- a/smart-admin-api-java17-springboot3/sa-admin/src/main/java/net/lab1024/sa/admin/module/system/login/service/LoginService.java
+++ b/smart-admin-api-java17-springboot3/sa-admin/src/main/java/net/lab1024/sa/admin/module/system/login/service/LoginService.java
@@ -206,7 +206,7 @@ public class LoginService implements StpInterface {
            }

            // 密码错误
-            if (!employeeEntity.getLoginPwd().equals(SecurityPasswordService.getEncryptPwd(requestPassword))) {
+            if ( !SecurityPasswordService.matchesPwd(requestPassword,employeeEntity.getLoginPwd()) ) {
                // 记录登录失败
                saveLoginLog(employeeEntity, ip, userAgent, "密码错误", LoginLogResultEnum.LOGIN_FAIL);
                // 记录等级保护次数