fix: Login secret text transmission (#29659)

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Joel <iamjoel007@gmail.com>
Co-authored-by: -LAN- <laipz8200@outlook.com>

web/app/signin/check-code/page.tsx

@@ -12,6 +12,7 @@ import { emailLoginWithCode, sendEMailLoginCode } from '@/service/common'
 import I18NContext from '@/context/i18n'
 import { resolvePostLoginRedirect } from '../utils/post-login-redirect'
 import { trackEvent } from '@/app/components/base/amplitude'
+import { encryptVerificationCode } from '@/utils/encryption'
 
 export default function CheckCode() {
   const { t, i18n } = useTranslation()
@@ -43,7 +44,7 @@ export default function CheckCode() {
         return
       }
       setIsLoading(true)
-      const ret = await emailLoginWithCode({ email, code, token, language })
+      const ret = await emailLoginWithCode({ email, code: encryptVerificationCode(code), token, language })
       if (ret.result === 'success') {
         // Track login success event
         trackEvent('user_login_success', {

web/app/signin/components/mail-and-password-auth.tsx

@@ -13,6 +13,7 @@ import { noop } from 'lodash-es'
 import { resolvePostLoginRedirect } from '../utils/post-login-redirect'
 import type { ResponseError } from '@/service/fetch'
 import { trackEvent } from '@/app/components/base/amplitude'
+import { encryptPassword } from '@/utils/encryption'
 
 type MailAndPasswordAuthProps = {
   isInvite: boolean
@@ -53,7 +54,7 @@ export default function MailAndPasswordAuth({ isInvite, isEmailSetup, allowRegis
       setIsLoading(true)
       const loginData: Record<string, any> = {
         email,
-        password,
+        password: encryptPassword(password),
         language: locale,
         remember_me: true,
       }

web/docker/entrypoint.sh

@@ -42,4 +42,5 @@ export NEXT_PUBLIC_LOOP_NODE_MAX_COUNT=${LOOP_NODE_MAX_COUNT}
 export NEXT_PUBLIC_MAX_PARALLEL_LIMIT=${MAX_PARALLEL_LIMIT}
 export NEXT_PUBLIC_MAX_ITERATIONS_NUM=${MAX_ITERATIONS_NUM}
 export NEXT_PUBLIC_MAX_TREE_DEPTH=${MAX_TREE_DEPTH}
+
 pm2 start /app/web/server.js --name dify-web --cwd /app/web -i ${PM2_INSTANCES} --no-daemon

web/package.json

@@ -288,4 +288,4 @@
       "sharp"
     ]
   }
-}
+}

web/utils/encryption.ts

@@ -0,0 +1,46 @@
+/**
+ * Field Encoding Utilities
+ * Provides Base64 encoding for sensitive fields (password, verification code)
+ * during transmission from frontend to backend.
+ *
+ * Note: This uses Base64 encoding for obfuscation, not cryptographic encryption.
+ * Real security relies on HTTPS for transport layer encryption.
+ */
+
+/**
+ * Encode sensitive field using Base64
+ * @param plaintext - The plain text to encode
+ * @returns Base64 encoded text
+ */
+export function encryptField(plaintext: string): string {
+  try {
+        // Base64 encode the plaintext
+        // btoa works with ASCII, so we need to handle UTF-8 properly
+    const utf8Bytes = new TextEncoder().encode(plaintext)
+    const base64 = btoa(String.fromCharCode(...utf8Bytes))
+    return base64
+  }
+  catch (error) {
+    console.error('Field encoding failed:', error)
+        // If encoding fails, throw error to prevent sending plaintext
+    throw new Error('Encoding failed. Please check your input.')
+  }
+}
+
+/**
+ * Encrypt password field for login
+ * @param password - Plain password
+ * @returns Encrypted password or original if encryption disabled
+ */
+export function encryptPassword(password: string): string {
+  return encryptField(password)
+}
+
+/**
+ * Encrypt verification code for email code login
+ * @param code - Plain verification code
+ * @returns Encrypted code or original if encryption disabled
+ */
+export function encryptVerificationCode(code: string): string {
+  return encryptField(code)
+}