[Improvement][security] get-user-info API endpoint should not return the user's password in MD5 format

[Gallardot]

Search before asking

• I had searched in the issues and found no similar feature requirement.

Description

The get-user-info API endpoint currently returns the user's password in MD5 format, which is then stored in the local storage by the web front-end.

dolphinscheduler/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/controller/UsersController.java

Lines 447 to 450 in 37ecd26

	public Result getUserInfo(@Parameter(hidden = true) @RequestAttribute(value = Constants.SESSION_USER) User loginUser) {
	Map<String, Object> result = usersService.getUserInfo(loginUser);
	return returnDataList(result);
	}

dolphinscheduler/dolphinscheduler-ui/src/views/login/use-login.ts

Lines 44 to 45 in 37ecd26

	const userInfoRes: UserInfoRes = await getUserInfo()
	await userStore.setUserInfo(userInfoRes)

However, there is no functionality that requires the use of this password. Moreover, this password is just a simple MD5 hash, which can be easily cracked.

dolphinscheduler/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/UsersServiceImpl.java

Line 211 in 37ecd26

user.setUserPassword(EncryptionUtils.getMd5(userPassword));

Therefore, I believe that get-user-info API endpoint should not return the password in MD5 format.

Are you willing to submit a PR?

• Yes I am willing to submit a PR!

Code of Conduct

• I agree to follow this project's Code of Conduct