Baokker/techwave-backend

createTokenByAccountOrEmail defect: when testing whether the password is correct, there is no check for whether the password is empty

Closed this issue · 1 comments

```java
if (user == null) {
    QueryWrapper<User> queryAccountWrapper = new QueryWrapper<>();
    queryAccountWrapper.eq("account", accountOrEmail);
    user = userMapper.selectOne(queryAccountWrapper);
    if (user == null) {
        return Result.fail(TCode.ACCOUNT_NOT_EXIST.getCode(), "User does not exist", null);
    }
}

boolean matches = passwordEncoder.matches(password, user.getPassword());
if (!matches) {
    return Result.fail(TCode.PWD_ERROR.getCode(), TCode.PWD_ERROR.getMsg(), null);
}
```

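In the code above, there is no check for whether the password is empty; after checking whether the user exists, it goes straight to matching the password.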

Resolved
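
One way to add the check the issue asks for, as an added example that is not the project's code or its actual fix: the guard runs before the lookup, so a null or empty password never reaches the encoder, and a row with no stored hash is rejected as well. The `LoginCheckExample` class, the in-memory user store, the `Outcome` enum and the PBKDF2 stand-in for `passwordEncoder` are assumptions made so the class runs on its own.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class LoginCheckExample {
    enum Outcome { OK, ACCOUNT_NOT_EXIST, PWD_ERROR } // mirrors the TCode names in the issue

    // Constructed user store: account -> stored hash (null models a row with no password set).
    static final Map<String, byte[]> USERS = new HashMap<>();
    static final byte[] SALT = "constructed-salt".getBytes(StandardCharsets.UTF_8);

    // Assumed stand-in for passwordEncoder: PBKDF2 from the JDK, fixed salt for brevity only.
    static byte[] encode(CharSequence raw) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(raw.toString().toCharArray(), SALT, 100_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    static Outcome login(String accountOrEmail, String password) throws Exception {
        // The missing guard: reject a null or empty password before any lookup or hash work.
        // No trim() here: whitespace can be a legitimate part of a password.
        if (password == null || password.isEmpty()) {
            return Outcome.PWD_ERROR;
        }
        if (!USERS.containsKey(accountOrEmail)) {
            return Outcome.ACCOUNT_NOT_EXIST;
        }
        byte[] stored = USERS.get(accountOrEmail);
        // A row without a stored hash must never authenticate.
        if (stored == null || stored.length == 0) {
            return Outcome.PWD_ERROR;
        }
        // Constant-time comparison of the derived key with the stored one.
        return MessageDigest.isEqual(encode(password), stored) ? Outcome.OK : Outcome.PWD_ERROR;
    }

    public static void main(String[] args) throws Exception {
        USERS.put("alice", encode("correct horse")); // constructed accounts
        USERS.put("nopwd", null);
        String[][] cases = {{"alice", "correct horse"}, {"alice", null}, {"alice", ""},
                            {"nopwd", "x"}, {"bob", "x"}};
        for (String[] c : cases) {
            System.out.println(c[0] + " / " + c[1] + " -> " + login(c[0], c[1]));
        }
    }
}
```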