From 74e563da7fa6886449fd2be5933e2d4ca5c85f48 Mon Sep 17 00:00:00 2001
From: jack <jack.su@pollex.com.tw>
Date: 星期二, 12 九月 2023 11:25:52 +0800
Subject: [PATCH] [UPDATE] 解決弱點Se: Incorrect definition of Serializable class [UPDATE] 解決弱點Information exposure to log file [UPDATE] 解決弱點Use of hard-coded password

---
 PAMapp/shared/services/login.service.ts |   32 +++++++++++++++++++++-----------
 1 files changed, 21 insertions(+), 11 deletions(-)

diff --git a/PAMapp/shared/services/login.service.ts b/PAMapp/shared/services/login.service.ts
index 7ee4a0b..eb61ccb 100644
--- a/PAMapp/shared/services/login.service.ts
+++ b/PAMapp/shared/services/login.service.ts
@@ -1,7 +1,9 @@
 import { http } from "./httpClient";
 import { AxiosResponse } from 'axios';
 import _ from "lodash";
-import AES from 'crypto-js/aes';
+import CryptoJS from "crypto-js";
+import forge from "node-forge";
+// import CryptoJS from "asmcrypto-js";
 
 import { ConsultantLoginInfo } from "../models/ConsultantLoginInfo";
 import { LoginRequest } from "../models/loginRequest.model";
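Review bot: The commented-out `// import CryptoJS from "asmcrypto-js";` on the new side is dead text that will outlive this experiment; drop it rather than leave a second candidate library name in the import block. The `CryptoJS` import is kept (moved up from below) although the only visible use of it in this patch, the CBC encryption in logInToConsultant, is removed; if nothing else in login.service.ts references `CryptoJS` after this change, the import is unused and should go too, which I cannot confirm from the hunks shown. Adding `node-forge` as a runtime dependency of the client bundle also deserves a line in the commit description, since it is the reason the lockfile and bundle size change.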
@@ -9,14 +11,14 @@
 import { LoginVerify } from "../models/loginVerify.model";
 import { OtpInfo } from "../models/otpInfo.model";
 import { RegisterInfo } from "../models/registerInfo";
-import CryptoJS from "crypto-js";
 
 class LoginService {
     /** 憿批恥��-��TP **/
     async sendOtp(loginInfo: LoginRequest, verifyCode: string): Promise<OtpInfo> {
       try {
         const response = await http.post(`/otp/sendOtp/${verifyCode}`, loginInfo);
-        if (response !== null) {
+        // 撘望�est1: �� if (response)
+        if (response) {
           return response.data;
         } else {
           throw new Error('http.post returned null-like value.');
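Review bot: The comment added above `if (response) {` is mojibake in the patch as submitted, so it will be unreadable to the next maintainer; it should be re-saved in UTF-8 or rewritten in plain text, e.g. `// truthiness check also rejects undefined, not only null`. The relaxation from `!== null` to a truthiness check is a behaviour change only if `http.post` can resolve to `undefined` or another falsy value, which is not visible here, so the comment should say why it was needed. sendOtp's body continues outside the hunk.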
@@ -86,17 +88,25 @@
 
   /** 憿批�� **/
   logInToConsultant(consultantDto:ConsultantLoginInfo, verificationCode: string):Promise<AxiosResponse<LoginSuccessToken>>{
-    const plaintext = consultantDto.password;
-    const key = "PAM KEY";
-    const iv = "0123456789abcdef";
-    const keyBytes = CryptoJS.enc.Utf8.parse(key);
-    const ivBytes = CryptoJS.enc.Utf8.parse(iv);
-    const encrypted =  CryptoJS.AES.encrypt(plaintext, keyBytes, { iv: ivBytes, mode: CryptoJS.mode.CBC, padding: CryptoJS.pad.Pkcs7 });
 
-    return http.post(`/eService/authenticate/${verificationCode}`, { ...consultantDto, password: encrypted.toString() });
+  const iv = "0123456789abcdef";
+  const key = "PAMKEY1234567890";
+  const cipher = forge.cipher.createCipher('AES-GCM', key);
+  cipher.start({
+    iv:iv
+  });
+  cipher.update(forge.util.createBuffer(forge.util.encodeUtf8(consultantDto.password)));
+  cipher.finish();
+  const encry = cipher.output;
+  var tag = cipher.mode.tag;
+  const encryptedPassword = window.btoa(encry.data+tag.data);
+
+    return http.post(`/eService/authenticate/${verificationCode}`, { ...consultantDto, password: encryptedPassword});
   }
 
-
+  async logout(): Promise<void> {
+    return http.post('/logout');
+  }
 }
 
 export default new LoginService();
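Review bot: The hard-coded secret the subject line says is resolved is still present: `const key = "PAMKEY1234567890";` ships in the client bundle next to the fixed `iv`, so anyone with the JavaScript can recover both, and the server-side check this feeds is a format change, not a confidentiality gain, which the commit description should state honestly. Worse than the CBC code it replaces, AES-GCM with a constant IV under a constant key reuses the nonce on every login, which breaks both the confidentiality and the integrity guarantee of the mode; at minimum generate a fresh 12-byte nonce per call, `const iv = forge.random.getBytesSync(12);`, and transmit it with the ciphertext, `const encryptedPassword = window.btoa(iv + encry.data + tag.data);`, adjusting the server to read the nonce from the prefix, if the wire format is yours to change. Two smaller points in the same method: `var tag = cipher.mode.tag;` should be `const`, and lines 54–64 are indented two columns shallower than the method body around them. The new `logout()` is declared `Promise<void>` but returns the value of `http.post('/logout')`; unless `http.post` is typed as `any`, either `await` it and return nothing or declare the real response type.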

--
Gitblit v1.8.0