From 74e563da7fa6886449fd2be5933e2d4ca5c85f48 Mon Sep 17 00:00:00 2001
From: jack <jack.su@pollex.com.tw>
Date: 星期二, 12 九月 2023 11:25:52 +0800
Subject: [PATCH] [UPDATE] 解決弱點Se: Incorrect definition of Serializable class [UPDATE] 解決弱點Information exposure to log file [UPDATE] 解決弱點Use of hard-coded password

---
 PAMapp/shared/services/login.service.ts |   27 +++++++++++++++++++++++----
 1 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/PAMapp/shared/services/login.service.ts b/PAMapp/shared/services/login.service.ts
index 0c05281..eb61ccb 100644
--- a/PAMapp/shared/services/login.service.ts
+++ b/PAMapp/shared/services/login.service.ts
@@ -1,7 +1,9 @@
 import { http } from "./httpClient";
 import { AxiosResponse } from 'axios';
 import _ from "lodash";
-import AES from 'crypto-js/aes';
+import CryptoJS from "crypto-js";
+import forge from "node-forge";
+// import CryptoJS from "asmcrypto-js";
 
 import { ConsultantLoginInfo } from "../models/ConsultantLoginInfo";
 import { LoginRequest } from "../models/loginRequest.model";
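Review bot: The new default import `CryptoJS` from "crypto-js" is not referenced anywhere in the patched hunks (the only cipher use below goes through `forge`), and the commented-out asmcrypto import on the next line is left as dead text. Unless a later part of the file still uses CryptoJS, drop the import so the bundle does not carry a second crypto library, and delete the commented-out line rather than keeping it as a reminder: `import forge from "node-forge";` would then be the only crypto import. If CryptoJS is used further down, a short comment naming where would help the next reader.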
@@ -15,7 +17,8 @@
     async sendOtp(loginInfo: LoginRequest, verifyCode: string): Promise<OtpInfo> {
       try {
         const response = await http.post(`/otp/sendOtp/${verifyCode}`, loginInfo);
-        if (response !== null) {
+        // 撘望�est1: �� if (response)
+        if (response) {
           return response.data;
         } else {
           throw new Error('http.post returned null-like value.');
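Review bot: The comment added above the new `if (response)` check is mis-encoded (mojibake) and gives the reader no information about why the strict `!== null` comparison was relaxed. Replace it with a readable comment stating the intent, e.g. `// Treat any null-ish response (null or undefined) as a failed request.`, or drop it if the change is self-explanatory. sendOtp's body continues past the end of this hunk.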
@@ -85,8 +88,24 @@
 
   /** 憿批�� **/
   logInToConsultant(consultantDto:ConsultantLoginInfo, verificationCode: string):Promise<AxiosResponse<LoginSuccessToken>>{
-    const encryptPassword = AES.encrypt(consultantDto.password, 'PAM KEY').toString();
-    return http.post(`/eService/authenticate/${verificationCode}`, { ...consultantDto, password: encryptPassword });
+
+  const iv = "0123456789abcdef";
+  const key = "PAMKEY1234567890";
+  const cipher = forge.cipher.createCipher('AES-GCM', key);
+  cipher.start({
+    iv:iv
+  });
+  cipher.update(forge.util.createBuffer(forge.util.encodeUtf8(consultantDto.password)));
+  cipher.finish();
+  const encry = cipher.output;
+  var tag = cipher.mode.tag;
+  const encryptedPassword = window.btoa(encry.data+tag.data);
+
+    return http.post(`/eService/authenticate/${verificationCode}`, { ...consultantDto, password: encryptedPassword});
+  }
+
+  async logout(): Promise<void> {
+    return http.post('/logout');
   }
 }
 
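Review bot: The rewritten logInToConsultant uses a fixed IV `"0123456789abcdef"` together with a fixed key `"PAMKEY1234567890"`, which defeats AES-GCM: the mode requires a unique nonce per encryption under the same key, and with both constant every login produces the same keystream and the authentication tag no longer protects anything. The commit subject says it resolves "Use of hard-coded password", but a key literal shipped in browser JavaScript is readable by anyone who loads the page, so this provides no confidentiality beyond what TLS already gives; either obtain the key from the server at session start or drop the client-side layer and rely on TLS, and in any case generate a fresh 12-byte IV per call and send it with the payload (the backend would have to accept it — I cannot see that side). Smaller points in the same hunk: `var tag` should be `const tag`, the body is indented two levels shallower than the rest of the class, and the new `logout()` is typed `Promise<void>` but returns the AxiosResponse from `http.post`, so its body should be `await http.post('/logout');` with no return value.
```typescript
  logInToConsultant(consultantDto:ConsultantLoginInfo, verificationCode: string):Promise<AxiosResponse<LoginSuccessToken>>{
    // GCM needs a fresh nonce for every encryption under the same key; 12 bytes is the standard size.
    const iv = forge.random.getBytesSync(12);
    // TODO(review): a key literal in the client bundle is public — provision it from the server or rely on TLS only.
    const key = "PAMKEY1234567890";
    // … unchanged: createCipher('AES-GCM', key) / start({ iv }) / update / finish …
    const encry = cipher.output;
    const tag = cipher.mode.tag;
    const encryptedPassword = window.btoa(encry.data + tag.data);
    // The IV is not secret but the server needs it to decrypt; send it alongside the ciphertext.
    return http.post(`/eService/authenticate/${verificationCode}`, { ...consultantDto, password: encryptedPassword, iv: window.btoa(iv) });
  }

  async logout(): Promise<void> {
    await http.post('/logout');
  }
```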

--
Gitblit v1.8.0