From f70b70eec5e1aa1428d3888233e259e8c52ce8b6 Mon Sep 17 00:00:00 2001
From: jack <jack.su@pollex.com.tw>
Date: 星期五, 08 九月 2023 17:18:51 +0800
Subject: [PATCH] [UPDATE] 解決弱掃Information exposure to log file, 將印在log的私密資料移除
---
pamapi/src/main/java/com/pollex/pam/service/OtpUtilService.java | 57 ++++++++++++++++++++++++++++++---------------------------
1 files changed, 30 insertions(+), 27 deletions(-)
diff --git a/pamapi/src/main/java/com/pollex/pam/service/OtpUtilService.java b/pamapi/src/main/java/com/pollex/pam/service/OtpUtilService.java
index be48bd2..c8dc2af 100644
--- a/pamapi/src/main/java/com/pollex/pam/service/OtpUtilService.java
+++ b/pamapi/src/main/java/com/pollex/pam/service/OtpUtilService.java
@@ -1,16 +1,17 @@
package com.pollex.pam.service;
-import com.pollex.pam.domain.OtpTmp;
-import com.pollex.pam.enums.OtpTmpStatusEnum;
-import com.pollex.pam.web.rest.vm.VerifyOtpVM;
+import com.pollex.pam.business.domain.OtpTmp;
+import com.pollex.pam.business.enums.OtpTmpStatusEnum;
+import com.pollex.pam.business.service.OtpTmpService;
+import com.pollex.pam.business.web.errors.OtpLoginFailException;
+import com.pollex.pam.business.web.vm.VerifyOtpVM;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.stereotype.Service;
import com.pollex.pam.config.ApplicationProperties;
-import com.pollex.pam.service.dto.OtpResponseDTO;
+import com.pollex.pam.business.service.dto.OtpResponseDTO;
import org.springframework.transaction.annotation.Transactional;
@Service
@@ -27,9 +28,6 @@
@Autowired
OtpTmpService otpTmpService;
- @Autowired
- LoginRecordService loginRecordService;
-
@Transactional
public void verifyOtp(VerifyOtpVM verifyOtpParam) {
verifyOtp(verifyOtpParam.getAccount(), verifyOtpParam.getIndexKey(), verifyOtpParam.getOtpCode());
@@ -37,31 +35,36 @@
@Transactional
public void verifyOtp(String account, String indexKey, String otpCode) {
- try {
- if(applicationProperty.isMockLogin()){
- loginRecordService.saveOTPLoginSuccessRecord(account);
- log.debug("Do MockLogin");
- } else { // otp logon
- OtpResponseDTO otpResponseDTO = otpWebService.verifyOTP(indexKey, otpCode);
- if (otpResponseDTO.isSuccess()) {
- loginRecordService.saveOTPLoginSuccessRecord(account);
- }
- else {
- loginRecordService.saveOTPLoginFailRecord(account, otpResponseDTO.getFailReason());
- throw new AuthenticationCredentialsNotFoundException("");
- }
+
+ OtpTmp otpTmp = otpTmpService.findByAccountAndIndexKey(account, indexKey);
+ if(otpTmp==null) {
+ log.info("otp login fail... , account = {}, indexKey = {}, failReason = {}", account, indexKey, "Index key and account field mismatch");
+ throw new OtpLoginFailException("otp error");
+ }
+
+ if (applicationProperty.isMockLogin()) {
+ log.debug("Do MockLogin");
+ } else { // otp logon
+
+ OtpResponseDTO otpResponseDTO = otpWebService.verifyOTP(indexKey, otpCode);
+ if (otpResponseDTO.isSuccess()) {
+ log.info("otp login success!, account = {}", account);
}
- setVerrifiedOtpTmp(account, indexKey);
- } catch (Exception e) {
- log.error("Exception: ", e);
- throw new AuthenticationCredentialsNotFoundException("");
+ else {
+ log.info("otp login fail... , account = {}, error code = {}, failReason = {}", account, otpResponseDTO.getFailCode(), otpResponseDTO.getFailReason());
+ throw new OtpLoginFailException(otpResponseDTO.getFailCode());
+ }
}
+ setVerrifiedOtpTmp(account, indexKey);
}
private void setVerrifiedOtpTmp(String account, String indexKey) {
OtpTmp otpTmp = otpTmpService.findByAccountAndIndexKey(account, indexKey);
- otpTmp.setStatus(OtpTmpStatusEnum.VERRIFIED);
- otpTmpService.save(otpTmp);
+ if(otpTmp!=null) {
+ otpTmp.setStatus(OtpTmpStatusEnum.VERRIFIED);
+ otpTmpService.save(otpTmp);
+ }
+
}
--
Gitblit v1.8.0