Merge branch '20190522-VerifyCode' into 'master'

20190522 verify code VCC See merge request !30

Merge branch '20190522-VerifyCode' into 'master'
20190522 verify code VCC See merge request !30
3ecec227 · 技术部-任文超 · 84b61e36 · a2473769 · 3ecec227 · 3ecec227
Commit 3ecec227 authored Jul 15, 2019 by 技术部-任文超
15 changed files
--- a/src/main/java/cn/quantgroup/xyqb/config/data/RedisConfig.java
+++ b/src/main/java/cn/quantgroup/xyqb/config/data/RedisConfig.java
@@ -12,6 +12,7 @@ import org.springframework.data.redis.connection.RedisNode;
 import org.springframework.data.redis.connection.RedisSentinelConfiguration;
 import org.springframework.data.redis.connection.jedis.JedisConnectionFactory;
 import org.springframework.data.redis.core.RedisTemplate;
+import org.springframework.data.redis.core.StringRedisTemplate;
 import org.springframework.data.redis.serializer.JdkSerializationRedisSerializer;
 import org.springframework.data.redis.serializer.StringRedisSerializer;
 import redis.clients.jedis.JedisPoolConfig;
@@ -123,7 +124,7 @@ public class RedisConfig {
        final RedisTemplate<String, String> template = new RedisTemplate<>();
        StringRedisSerializer stringRedisSerializer = new StringRedisSerializer();
        JdkSerializationRedisSerializer jdkSerializationRedisSerializer = new JdkSerializationRedisSerializer();
-        template.setEnableTransactionSupport(true);
+        template.setEnableTransactionSupport(false);
        template.setKeySerializer(stringRedisSerializer);
        template.setHashKeySerializer(stringRedisSerializer);
        template.setValueSerializer(jdkSerializationRedisSerializer);

--- a/src/main/java/cn/quantgroup/xyqb/controller/external/user/AppController.java
+++ b/src/main/java/cn/quantgroup/xyqb/controller/external/user/AppController.java
@@ -56,10 +56,10 @@ public class AppController implements IBaseController {
     * @param idNo                - 用户身份证号
     * @param name                - 用户姓名
     * @param key                 - Merchant表name属性
-     * @param btRegisterChannelId - 白条注册渠道id
+     * @param btRegisterChannelId - 白条注册渠道ID
-     * @param registerFrom        - 注册渠道
+     * @param registerFrom        - 注册渠道（第一次用户来源channelId）
-     * @param channelId           -
+     * @param channelId           - 渠道ID
-     * @param appChannel          -
+     * @param appChannel          - 应用平台（应用商店、AppStore...）
     * @param request
     * @return Token和phoneNo
     */
@@ -105,11 +105,11 @@ public class AppController implements IBaseController {
     * @param phoneNo             - 手机号
     * @param idNo                - 用户身份证号
     * @param name                - 用户姓名
-     * @param key                 - Merchant表name属性
+     * @param key                 - merchant表的name属性（跳转相关）
     * @param btRegisterChannelId - 白条注册渠道id
-     * @param registerFrom        - 注册渠道
+     * @param registerFrom        - 注册渠道（第一次用户来源channelId）
-     * @param channelId           -
+     * @param channelId           - 渠道
-     * @param appChannel          -
+     * @param appChannel          - 应用平台（应用商店、AppStore...）
     * @param request
     * @return 用户信息
     */
@@ -151,6 +151,7 @@ public class AppController implements IBaseController {
        AuthBean bean = sessionService.createSession(user, loginProperties);
        LoginInfo loginInfo = new LoginInfo();
        loginInfo.setUser(new UserRet(user));
+        loginInfo.setHasPassword(user.getHasPassword());
        loginInfo.setToken(bean.getToken());
        LoginInfo.LoginContext context = new LoginInfo.LoginContext();
        context.setChannelId(channelId);
@@ -166,10 +167,10 @@ public class AppController implements IBaseController {
     * 第三方用户免密登录
     * 发现新手机号不会执行注册
     *
-     * @param phoneNo      - 手机号
+     * @param phoneNo             - 手机号
-     * @param registerFrom - 注册渠道
+     * @param registerFrom        - 注册渠道（第一次用户来源channelId）
-     * @param channelId    -
+     * @param channelId           - 渠道
-     * @param appChannel   -
+     * @param appChannel          - 应用平台（应用商店、AppStore...）
     * @param request
     * @return Token和phoneNo
     */

--- a/src/main/java/cn/quantgroup/xyqb/controller/external/user/InnerController.java
+++ b/src/main/java/cn/quantgroup/xyqb/controller/external/user/InnerController.java
@@ -1363,6 +1363,9 @@ public class InnerController implements IBaseController {
    @RequestMapping(path = "/user/password/reset", method = RequestMethod.POST)
    public JsonResult resetPassword(@RequestParam("phone") String phone, @RequestParam(required = false) String password) {
        if (ValidationUtil.validatePhoneNo(phone)) {
+            if (PasswordUtil.validPwd(password)) {
+                return JsonResult.buildErrorStateResult("密码应为6-12位", null);
+            }
            try {
                // 默认重置的密码是123456
                password = StringUtils.isBlank(password) ? "123456" : password;

--- a/src/main/java/cn/quantgroup/xyqb/controller/external/user/UserApiController.java
+++ b/src/main/java/cn/quantgroup/xyqb/controller/external/user/UserApiController.java
 package cn.quantgroup.xyqb.controller.external.user;
-import java.util.Objects;
-import javax.annotation.Resource;
-import org.apache.commons.lang3.StringUtils;
-import org.springframework.beans.factory.annotation.Qualifier;
-import org.springframework.data.redis.core.RedisTemplate;
-import org.springframework.web.bind.annotation.*;
-import io.swagger.annotations.ApiOperation;
-import io.swagger.annotations.ApiParam;
-import lombok.extern.slf4j.Slf4j;
 import cn.quantgroup.xyqb.Constants;
 import cn.quantgroup.xyqb.aspect.accessable.IpValidator;
 import cn.quantgroup.xyqb.entity.User;
+import cn.quantgroup.xyqb.exception.VerificationCodeErrorException;
 import cn.quantgroup.xyqb.model.JsonResult;
 import cn.quantgroup.xyqb.model.session.SessionStruct;
 import cn.quantgroup.xyqb.service.session.ISessionService;
+import cn.quantgroup.xyqb.service.sms.ISmsService;
 import cn.quantgroup.xyqb.service.user.IUserService;
 import cn.quantgroup.xyqb.session.XyqbSessionContextHolder;
 import cn.quantgroup.xyqb.util.ValidationUtil;
+import io.swagger.annotations.ApiOperation;
+import io.swagger.annotations.ApiParam;
+import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.beans.factory.annotation.Qualifier;
+import org.springframework.data.redis.core.RedisTemplate;
+import org.springframework.web.bind.annotation.*;
+import javax.annotation.Resource;
+import java.util.Objects;
 /**
 * Created by FrankChow on 15/12/16.
@@ -39,6 +37,8 @@ public class UserApiController {
    @Resource
    @Qualifier("stringRedisTemplate")
    private RedisTemplate<String, String> stringRedisTemplate;
+    @Resource
+    private ISmsService smsService;
    @RequestMapping("/user/is_passwd_set")
    public JsonResult isPasswordSet(String key, String phoneNo) {
@@ -64,7 +64,6 @@ public class UserApiController {
     * @return
     */
    @ApiOperation(notes = "检查token是否有效，如果有效，可选择是否延续生命期（延续后有效期24Hour）", value = "Check token and then prolong session", nickname = "checkToken")
    @IpValidator
    @RequestMapping(value = "/valid/{token}", method = RequestMethod.POST)
    public JsonResult checkToken(@ApiParam(value = "sid,session的id", required = true) @PathVariable("token") String token,
@@ -102,4 +101,24 @@ public class UserApiController {
        }
    }
+    /**
+     * 校验短信验证码
+     *
+     * @param phoneNo
+     * @param verificationCode
+     */
+    @IpValidator
+    @RequestMapping(value = "/verifyPhoneAndCode", method = RequestMethod.POST)
+    public JsonResult verifyPhoneAndCode(@RequestParam String phoneNo, @RequestParam String verificationCode) {
+        if (!smsService.verifyPhoneAndCode(phoneNo, verificationCode)) {
+            // 是否需要重新发送短信验证码
+            if (smsService.needResendCode(phoneNo)) {
+                throw new VerificationCodeErrorException("验证码失效，请重新获取");
+            }
+            log.info("验证码校验失败,phoneNo:{} , verificationCode:{}", phoneNo, verificationCode);
+            throw new VerificationCodeErrorException("短信验证码错误");
+        }
+        return JsonResult.buildSuccessResult(null);
+    }
 }
--- a/src/main/java/cn/quantgroup/xyqb/controller/internal/sms/SmsController.java
+++ b/src/main/java/cn/quantgroup/xyqb/controller/internal/sms/SmsController.java
 package cn.quantgroup.xyqb.controller.internal.sms;
 import cn.quantgroup.sms.MsgParams;
+import cn.quantgroup.tech.util.TechEnvironment;
 import cn.quantgroup.xyqb.Constants;
 import cn.quantgroup.xyqb.aspect.captcha.CaptchaNewValidator;
 import cn.quantgroup.xyqb.controller.IBaseController;
@@ -10,6 +11,7 @@ import cn.quantgroup.xyqb.service.sms.ISmsService;
 import cn.quantgroup.xyqb.util.DateUtils;
 import cn.quantgroup.xyqb.util.IPUtil;
 import cn.quantgroup.xyqb.util.ValidationUtil;
+import org.apache.commons.lang3.RandomStringUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -21,7 +23,10 @@ import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.RestController;
-import java.util.*;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+import java.util.UUID;
 import java.util.concurrent.TimeUnit;
 /**
@@ -32,7 +37,7 @@ import java.util.concurrent.TimeUnit;
 public class SmsController implements IBaseController {
    private static final Logger LOGGER = LoggerFactory.getLogger(SmsController.class);
-    private static final Random random = new Random();
+    private final static String RANDOM_CHARS = "0123456789";
    private static final long EXPIRE_MINUTES = 10;
    @Autowired
    private ISmsService smsService;
@@ -66,7 +71,8 @@ public class SmsController implements IBaseController {
                                      @RequestParam(required = false, defaultValue = "") String appName,
                                      @RequestParam(required = false) String smsMerchant) {
        LOGGER.info("注册-发送验证码, phoneNo:{}, registerFrom:{}", phoneNo, registerFrom);
-        return sendVerificationCode2(phoneNo, appName, smsMerchant);
+        String randomCode = getRandomCode(4);
+        return sendVerificationCode2(phoneNo, randomCode, appName, smsMerchant);
    }
    /**
@@ -85,7 +91,8 @@ public class SmsController implements IBaseController {
                                      @RequestParam(required = false, defaultValue = "") String appName,
                                      @RequestParam(required = false) String smsMerchant) {
        LOGGER.info("重置密码-发送验证码, phoneNo:{}, registerFrom:{}", phoneNo, registerFrom);
-        return sendVerificationCode2(phoneNo, appName, smsMerchant);
+        String randomCode = getRandomCode(4);
+        return sendVerificationCode2(phoneNo, randomCode, appName, smsMerchant);
    }
    /**
@@ -101,7 +108,8 @@ public class SmsController implements IBaseController {
            return JsonResult.buildErrorStateResult("参数校验失败.", null);
        }
        LOGGER.info("注册-发送验证码, phoneNo:{}, registerFrom:{}", phoneNo, registerFrom);
-        return sendVerificationCode2Voice(phoneNo, usage);
+        String randomCode = getRandomCode(4);
+        return sendVerificationCode2Voice(phoneNo, randomCode, usage);
    }
    @CaptchaNewValidator
@@ -113,7 +121,8 @@ public class SmsController implements IBaseController {
            return JsonResult.buildErrorStateResult("参数校验失败.", null);
        }
        LOGGER.info("重置密码-发送验证码, phoneNo:{}, registerFrom:{}", phoneNo, registerFrom);
-        return sendVerificationCode2Voice(phoneNo, usage);
+        String randomCode = getRandomCode(4);
+        return sendVerificationCode2Voice(phoneNo, randomCode, usage);
    }
    /**
@@ -128,7 +137,8 @@ public class SmsController implements IBaseController {
            return JsonResult.buildErrorStateResult("参数校验失败.", null);
        }
        LOGGER.info("快速登陆-发送验证码, phoneNo:{}, registerFrom:{}", phoneNo, registerFrom);
-        return sendVerificationCode2Voice(phoneNo, usage);
+        String randomCode = getRandomCode(4);
+        return sendVerificationCode2Voice(phoneNo, randomCode, usage);
    }
    /**
@@ -145,7 +155,8 @@ public class SmsController implements IBaseController {
                                    @RequestParam(required = false, defaultValue = "") String appName,
                                    @RequestParam(required = false) String smsMerchant) {
        LOGGER.info("快速登陆-发送验证码, phoneNo:{}, registerFrom:{}", phoneNo, registerFrom);
-        return sendVerificationCode2(phoneNo, appName, smsMerchant);
+        String randomCode = getRandomCode(4);
+        return sendVerificationCode2(phoneNo, randomCode, appName, smsMerchant);
    }
    /**
@@ -162,7 +173,8 @@ public class SmsController implements IBaseController {
                                     @RequestParam(required = false, defaultValue = "") String appName,
                                     @RequestParam(required = false) String smsMerchant) {
        LOGGER.info("快速注册-发送验证码, phoneNo:{}, registerFrom:{}", phoneNo, registerFrom);
-        return sendVerificationCode2(phoneNo, appName, smsMerchant);
+        String randomCode = getRandomCode(4);
+        return sendVerificationCode2(phoneNo, randomCode, appName, smsMerchant);
    }
    /**
@@ -173,7 +185,7 @@ public class SmsController implements IBaseController {
     * @param smsMerchant - 短信模板/类型
     * @return
     */
-    private JsonResult sendVerificationCode2(String phoneNo, String appName, String smsMerchant) {
+    private JsonResult sendVerificationCode2(String phoneNo, String randomCode, String appName, String smsMerchant) {
        if (!ValidationUtil.validatePhoneNo(phoneNo)) {
            return JsonResult.buildErrorStateResult("手机号格式有误", null);
        }
@@ -183,7 +195,6 @@ public class SmsController implements IBaseController {
        if (expire >= EXPIRE_MINUTES - 1) {
            return JsonResult.buildErrorStateResult("1分钟内不能重复获取验证码", null);
        }
-        String randomCode = smsIsDebug ? "0000" : String.valueOf(random.nextInt(8999) + 1000);
        String uniqueId = phoneNo + UUID.randomUUID().toString().replaceAll("-", "");
        List<String> newList = new ArrayList<>();
        newList.add(randomCode);
@@ -211,7 +222,7 @@ public class SmsController implements IBaseController {
        }
    }
-    private JsonResult sendVerificationCode2Voice(String phoneNo, String usage) {
+    private JsonResult sendVerificationCode2Voice(String phoneNo, String randomCode, String usage) {
        String verificationCountKey = Constants.REDIS_VOICE_CODE_COUNT + phoneNo;
        Long getVerificationCount = redisTemplate.opsForHash().increment(verificationCountKey, usage, 1);
        redisTemplate.expire(verificationCountKey, DateUtils.getSeconds(), TimeUnit.SECONDS);
@@ -227,7 +238,6 @@ public class SmsController implements IBaseController {
        if (expire >= EXPIRE_MINUTES - 1) {
            return JsonResult.buildErrorStateResult("1分钟内不能重复获取验证码", null);
        }
-        String randomCode = smsIsDebug ? "0000" : String.valueOf(random.nextInt(8999) + 1000);
        String uniqueId = phoneNo + UUID.randomUUID().toString().replaceAll("-", "");
        MsgParams message = new MsgParams(Collections.singletonList(4), phoneNo, "1", "4", Collections.singletonList(randomCode), uniqueId);
        try {
@@ -253,8 +263,8 @@ public class SmsController implements IBaseController {
            return JsonResult.buildErrorStateResult("参数校验失败.", null);
        }
        LOGGER.info("快速登陆-发送验证码, phoneNo:{}, registerFrom:{}", phoneNo, registerFrom);
+        String randomCode = getRandomCode(4);
-        return sendVerificationCode2VoiceNew(phoneNo, usage, deviceId);
+        return sendVerificationCode2VoiceNew(phoneNo, randomCode, usage, deviceId);
    }
    /**
@@ -274,7 +284,8 @@ public class SmsController implements IBaseController {
                                          @RequestParam(required = false, defaultValue = "") String appName,
                                          @RequestParam(required = false) String smsMerchant) {
        LOGGER.info("快速登陆-发送验证码, phoneNo:{}, registerFrom:{}", phoneNo, registerFrom);
-        return sendVerificationCode2New(phoneNo, deviceId, true, appName, smsMerchant);
+        String randomCode = getRandomCode(4);
+        return sendVerificationCode2New(phoneNo, randomCode, deviceId, true, appName, smsMerchant);
    }
    /**
@@ -294,7 +305,41 @@ public class SmsController implements IBaseController {
                                               @RequestParam(required = false, defaultValue = "") String appName,
                                               @RequestParam(required = false) String smsMerchant) {
        LOGGER.info("快速登陆-发送验证码, phoneNo:{}, registerFrom:{}", phoneNo, registerFrom);
-        return sendVerificationCode2New(phoneNo, deviceId, false, appName, smsMerchant);
+        String randomCode = getRandomCode(4);
+        return sendVerificationCode2New(phoneNo, randomCode, deviceId, false, appName, smsMerchant);
+    }
+    /**
+     * VCC通用 - 发送短信验证码
+     *
+     * @param phoneNo      - 手机号
+     * @param registerFrom -
+     * @param deviceId     -
+     * @param appName      -
+     * @param smsMerchant  - 短信模板/类型
+     */
+    @CaptchaNewValidator
+    @RequestMapping("/send_vcc_sms_code")
+    public JsonResult sendVccSmsCode(@RequestParam String phoneNo,
+                                          @RequestParam(required = false) String registerFrom,
+                                          @RequestParam(required = false) String deviceId,
+                                          @RequestParam(required = false, defaultValue = "") String appName,
+                                          @RequestParam(required = false) String smsMerchant) {
+        LOGGER.info("VCC-发送验证码, phoneNo:{}, registerFrom:{}", phoneNo, registerFrom);
+        String randomCode = getRandomCode(6);
+        return sendVerificationCode2New(phoneNo, randomCode, deviceId, true, appName, smsMerchant);
+    }
+    private String getRandomCode(int count) {
+        if(TechEnvironment.isPro()) {
+            return RandomStringUtils.random(count, RANDOM_CHARS);
+        }
+        switch (count){
+            case 6:
+                return "000000";
+            default:
+                return "0000";
+        }
    }
    /**
@@ -307,7 +352,7 @@ public class SmsController implements IBaseController {
     * @param smsMerchant - 短信模板/类型
     * @return
     */
-    private JsonResult sendVerificationCode2New(String phoneNo, String deviceId, boolean isApp, String appName, String smsMerchant) {
+    private JsonResult sendVerificationCode2New(String phoneNo, String randomCode, String deviceId, boolean isApp, String appName, String smsMerchant) {
        if (!ValidationUtil.validatePhoneNo(phoneNo)) {
            return JsonResult.buildErrorStateResult("手机号格式有误", null);
        }
@@ -350,7 +395,6 @@ public class SmsController implements IBaseController {
            LOGGER.info("sendVerificationCode2New1分钟内不能重复获取验证码:phoneNo:{},deviceId:{},ip:{}", phoneNo, deviceId, clientIp);
            return JsonResult.buildErrorStateResult("1分钟内不能重复获取验证码", null);
        }
-        String randomCode = smsIsDebug ? "0000" : String.valueOf(random.nextInt(8999) + 1000);
        String uniqueId = phoneNo + UUID.randomUUID().toString().replaceAll("-", "");
        List<String> newList = new ArrayList<>();
        newList.add(randomCode);
@@ -383,7 +427,7 @@ public class SmsController implements IBaseController {
    /**
     * 新版本语音验证码
     */
-    private JsonResult sendVerificationCode2VoiceNew(String phoneNo, String usage, String deviceId) {
+    private JsonResult sendVerificationCode2VoiceNew(String phoneNo, String randomCode, String usage, String deviceId) {
        if (!ValidationUtil.validatePhoneNo(phoneNo)) {
            return JsonResult.buildErrorStateResult("手机号格式有误", null);
        }
@@ -431,7 +475,6 @@ public class SmsController implements IBaseController {
        if (expire >= EXPIRE_MINUTES - 1) {
            return JsonResult.buildErrorStateResult("1分钟内不能重复获取验证码", null);
        }
-        String randomCode = smsIsDebug ? "0000" : String.valueOf(random.nextInt(8999) + 1000);
        String uniqueId = phoneNo + UUID.randomUUID().toString().replaceAll("-", "");
        MsgParams message = new MsgParams(Collections.singletonList(4), phoneNo, "1", "4", Collections.singletonList(randomCode), uniqueId);
        try {

--- a/src/main/java/cn/quantgroup/xyqb/controller/internal/user/UserController.java
+++ b/src/main/java/cn/quantgroup/xyqb/controller/internal/user/UserController.java
@@ -4,6 +4,7 @@ import cn.quantgroup.tech.util.TechEnvironment;
 import cn.quantgroup.xyqb.Constants;
 import cn.quantgroup.xyqb.aspect.accessable.IpValidator;
 import cn.quantgroup.xyqb.aspect.captcha.CaptchaFiniteValidator;
+import cn.quantgroup.xyqb.aspect.limit.PasswordFreeAccessValidator;
 import cn.quantgroup.xyqb.aspect.lock.PasswordErrorFiniteValidator;
 import cn.quantgroup.xyqb.controller.IBaseController;
 import cn.quantgroup.xyqb.entity.Merchant;
@@ -27,6 +28,7 @@ import cn.quantgroup.xyqb.util.MqUtils;
 import cn.quantgroup.xyqb.util.PasswordUtil;
 import cn.quantgroup.xyqb.util.ValidationUtil;
 import com.alibaba.fastjson.JSON;
+import io.swagger.annotations.ApiOperation;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.lang.StringUtils;
@@ -34,6 +36,7 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.data.redis.core.RedisTemplate;
 import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.RestController;
@@ -260,7 +263,7 @@ public class UserController implements IBaseController {
            log.info("用户注册失败，密码不能为空：register -> registerFrom:{}, phoneNo:{}, password:{}", registerFrom, phoneNo, password);
            return JsonResult.buildErrorStateResult("密码不能为空", null);
        }
-        if (password.length() < 6 || password.length() > 12) {
+        if (PasswordUtil.validPwd(password)) {
            log.info("用户注册失败，密码长度须在6位至12位之间：register -> registerFrom:{}, phoneNo:{}, password:{}", registerFrom, phoneNo, password);
            return JsonResult.buildErrorStateResult("密码应为6-12位", null);
        }
@@ -330,10 +333,10 @@ public class UserController implements IBaseController {
        if (!ValidationUtil.validatePhoneNo(phoneNo)) {
            return JsonResult.buildErrorStateResult("手机号错误", null);
        }
-        if (StringUtils.isEmpty(password)) {
+        if (StringUtils.isBlank(password)) {
            return JsonResult.buildErrorStateResult("密码不能为空", null);
        }
-        if (password.length() < 6 || password.length() > 12) {
+        if (PasswordUtil.validPwd(password)) {
            return JsonResult.buildErrorStateResult("密码应为6-12位", null);
        }
        verifyPhoneAndCode(phoneNo, verificationCode);
@@ -350,6 +353,43 @@ public class UserController implements IBaseController {
        return JsonResult.buildSuccessResult(null, null);
    }
+    /**
+     * 重置密码
+     */
+    @PasswordFreeAccessValidator
+    @RequestMapping(path = "/resetPassword", method = RequestMethod.POST)
+    public JsonResult resetPassword(@RequestParam String phoneNo, @RequestParam String password, @RequestParam(required = false) String passwordNew) {
+        if (!ValidationUtil.validatePhoneNo(phoneNo)) {
+            return JsonResult.buildErrorStateResult("手机号错误", null);
+        }
+        if (StringUtils.isBlank(passwordNew)) {
+            return JsonResult.buildErrorStateResult("密码不能为空", null);
+        }
+        if (PasswordUtil.validPwd(password)) {
+            return JsonResult.buildErrorStateResult("密码应为6-12位", null);
+        }
+        User user = userService.findByPhoneWithCache(phoneNo);
+        if (Objects.isNull(user)) {
+            log.info("修改密码失败，该手机号尚未注册, phoneNo:{}", phoneNo);
+            return JsonResult.buildErrorStateResult("修改密码失败", null);
+        }
+        if (!user.getEnable()) {
+            log.info("修改密码失败，该用户已禁用, phoneNo:{}", phoneNo);
+            return JsonResult.buildErrorStateResult("修改密码失败", null);
+        }
+        // 验证密码：原密码不存在时，必须为空
+        if (StringUtils.isBlank(user.getPassword()) ^ StringUtils.isBlank(password)) {
+            return JsonResult.buildErrorStateResult("修改密码失败", null);
+        }
+        if (StringUtils.isNotBlank(user.getPassword()) && !validatePassword(password, user.getPassword())) {
+            return JsonResult.buildErrorStateResult("修改密码失败", null);
+        }
+        if (!userService.resetPassword(phoneNo, passwordNew)) {
+            return JsonResult.buildErrorStateResult("修改密码失败", null);
+        }
+        return JsonResult.buildSuccessResult("修改密码成功");
+    }
    /**
     * 检查token是否已经过期不存在了
@@ -440,8 +480,19 @@ public class UserController implements IBaseController {
        return user;
    }
+    /**
+     * 账密登陆
+     *
+     * @param paramPass 不允许空密码
+     * @param targetPassword
+     * @return
+     */
    private boolean validatePassword(String paramPass, String targetPassword) {
-        return StringUtils.defaultString(targetPassword, "").equals(PasswordUtil.MD5(paramPass.toLowerCase() + Constants.PASSWORD_SALT));
+        if(StringUtils.isBlank(paramPass)){
+            return false;
+        }
+        String thePassword = PasswordUtil.MD5(paramPass.toLowerCase() + Constants.PASSWORD_SALT);
+        return Objects.equals(thePassword, targetPassword);
    }
    private JsonResult loginWithUserId(Long channelId, String appChannel, Long createdFrom, String userId, Merchant merchant, String dimension, HttpServletRequest request) {
@@ -494,10 +545,6 @@ public class UserController implements IBaseController {
     * @param verificationCode
     */
    private void verifyPhoneAndCode(String phoneNo, String verificationCode) {
-        // 非生产环境直接跳过验证码检验
-        if (!TechEnvironment.isPro()) {
-            return;
-        }
        if (!smsService.verifyPhoneAndCode(phoneNo, verificationCode)) {
            // 是否需要重新发送短信验证码
            if (smsService.needResendCode(phoneNo)) {

--- a/src/main/java/cn/quantgroup/xyqb/entity/User.java
+++ b/src/main/java/cn/quantgroup/xyqb/entity/User.java
@@ -9,6 +9,7 @@ import lombok.ToString;
 import javax.persistence.*;
 import java.io.Serializable;
 import java.sql.Timestamp;
+import java.util.Objects;
 /**
 * Created by Miraculous on 15/7/4.
@@ -55,5 +56,12 @@ public class User implements Serializable {
    @JSONField(serializeUsing = Timestamp2LongConverter.class)
    private Timestamp updatedAt;
+    /**
+     * 是否有密码
+     * @return
+     */
+    public boolean getHasPassword() {
+        return Objects.nonNull(password) && !Objects.equals("", password);
+    }
 }
--- a/src/main/java/cn/quantgroup/xyqb/model/AuthBean.java
+++ b/src/main/java/cn/quantgroup/xyqb/model/AuthBean.java
@@ -4,6 +4,7 @@ import lombok.Getter;
 import lombok.Setter;
 import java.security.Principal;
+import java.util.Objects;
 /**
 * Created by Miraculous on 15/7/9.
@@ -15,6 +16,7 @@ public class AuthBean {
    private String token;
    private String phoneNo;
    private String uuid;
+    private boolean hasPassword;
    public AuthBean(String token, Principal user) {
        this.token = token;

--- a/src/main/java/cn/quantgroup/xyqb/model/UserRet.java
+++ b/src/main/java/cn/quantgroup/xyqb/model/UserRet.java
@@ -36,6 +36,12 @@ public class UserRet implements Serializable {
    //上一次修改时间
    private Long updatedAt;
+    /**
+     * 是否有密码
+     * @return
+     */
+    private boolean hasPassword;
    public UserRet(User user) {
        if(Objects.isNull(user)){
            return;
@@ -46,6 +52,7 @@ public class UserRet implements Serializable {
        this.setPhoneNo(user.getPhoneNo());
        this.setEnable(user.getEnable());
        this.setPassword("");
+        this.hasPassword = Objects.nonNull(password) && !Objects.equals("", password);
        this.setRegisteredFrom(user.getRegisteredFrom());
        this.setUuid(user.getUuid());
        this.setCreatedAt(createTimeStamp);

--- a/src/main/java/cn/quantgroup/xyqb/model/session/LoginInfo.java
+++ b/src/main/java/cn/quantgroup/xyqb/model/session/LoginInfo.java
@@ -12,6 +12,11 @@ public class LoginInfo {
    private String token;
    private UserRet user;
    private LoginContext loginContext;
+    /**
+     * 是否有密码
+     * @return
+     */
+    private boolean hasPassword;
    @Data
    public static class LoginContext {

--- a/src/main/java/cn/quantgroup/xyqb/service/register/impl/UserRegisterServiceImpl.java
+++ b/src/main/java/cn/quantgroup/xyqb/service/register/impl/UserRegisterServiceImpl.java
@@ -43,9 +43,14 @@ public class UserRegisterServiceImpl implements IUserRegisterService {
    @Override
    public User register(Long registerFrom, String phoneNo, String idNo, String name, Long channelId, Long btRegisterChannelId) {
        UserRegisterParam userRegisterParam = UserRegisterParam.builder()
-                .registerFrom(registerFrom).phoneNo(phoneNo).idNo(idNo).name(name)
+                .registerFrom(registerFrom)
-                .channelId(channelId).btRegisterChannelId(btRegisterChannelId)
+                .phoneNo(phoneNo)
-                .generateRandomPwd(true).sendSuccessSms(true).sendAppSms(true)
+                .idNo(idNo)
+                .name(name)
+                .channelId(channelId)
+                .btRegisterChannelId(btRegisterChannelId)
+                .sendSuccessSms(true)
+                .sendAppSms(true)
                .sendSuccessMq(true)
                .build();
        User user = saveUser(userRegisterParam);
@@ -74,7 +79,9 @@ public class UserRegisterServiceImpl implements IUserRegisterService {
        if (userRegisterParam.isGenerateRandomPwd()) {
            password = PasswordUtil.generateRandomPwd(Constants.RANDOM_PWD_LEN);
        }
-        user.setPassword(PasswordUtil.MD5(password.toLowerCase() + Constants.PASSWORD_SALT));
+        if (StringUtils.isNotBlank(password)) {
+            user.setPassword(PasswordUtil.MD5WithSalt(password));
+        }
        Timestamp currentTime = new Timestamp(System.currentTimeMillis());
        user.setUpdatedAt(currentTime);
        user.setCreatedAt(currentTime);
@@ -88,10 +95,13 @@ public class UserRegisterServiceImpl implements IUserRegisterService {
    @Override
    public boolean register(String phoneNo, String password, Long registerFrom, String ip, Long channelId, Long btRegisterChannelId, String dimension) {
        UserRegisterParam userRegisterParam = UserRegisterParam.builder()
-                .registerFrom(registerFrom).phoneNo(phoneNo).password(password)
+                .registerFrom(registerFrom)
-                .channelId(channelId).btRegisterChannelId(btRegisterChannelId)
+                .phoneNo(phoneNo).password(password)
+                .channelId(channelId)
+                .btRegisterChannelId(btRegisterChannelId)
                .dimension(dimension)
-                .generateRandomPwd(false).sendSuccessSms(true).sendAppSms(true)
+                .sendSuccessSms(true)
+                .sendAppSms(true)
                .sendSuccessMq(true)
                .build();
        User user = saveUser(userRegisterParam);
@@ -103,10 +113,13 @@ public class UserRegisterServiceImpl implements IUserRegisterService {
    @Override
    public User register(String phoneNo, Long channelId, Long registerFrom, String appChannel, Long btRegisterChannelId, String dimension) {
        UserRegisterParam userRegisterParam = UserRegisterParam.builder()
-                .registerFrom(registerFrom).phoneNo(phoneNo)
+                .registerFrom(registerFrom)
-                .channelId(channelId).btRegisterChannelId(btRegisterChannelId)
+                .phoneNo(phoneNo)
+                .channelId(channelId)
+                .btRegisterChannelId(btRegisterChannelId)
                .dimension(dimension)
-                .generateRandomPwd(true).sendSuccessSms(true).sendAppSms(true)
+                .sendSuccessSms(true)
+                .sendAppSms(true)
                .sendSuccessMq(true)
                .build();
        User user = saveUser(userRegisterParam);
@@ -118,12 +131,17 @@ public class UserRegisterServiceImpl implements IUserRegisterService {
    @Override
    public User register(Long registeredFrom, Long channelId, String phoneNo, String name, String idNo, Address addressObj, String contacts, List<Contact> contactList, Long btRegisterChannelId) {
        UserRegisterParam userRegisterParam = UserRegisterParam.builder()
-                .registerFrom(registeredFrom).phoneNo(phoneNo).idNo(idNo).name(name)
+                .registerFrom(registeredFrom)
+                .phoneNo(phoneNo)
+                .idNo(idNo)
+                .name(name)
                .channelId(channelId)
                .btRegisterChannelId(btRegisterChannelId)
-                .address(addressObj).contacts(contacts)
+                .address(addressObj)
+                .contacts(contacts)
                .contactList(contactList)
-                .generateRandomPwd(true).sendSuccessSms(true).sendAppSms(true)
+                .sendSuccessSms(true)
+                .sendAppSms(true)
                .sendSuccessMq(true)
                .build();
        User user = saveUser(userRegisterParam);

--- a/src/main/java/cn/quantgroup/xyqb/service/session/impl/SessionServiceImpl.java
+++ b/src/main/java/cn/quantgroup/xyqb/service/session/impl/SessionServiceImpl.java
@@ -70,6 +70,7 @@ public class SessionServiceImpl implements ISessionService {
        authBean.setPhoneNo(user.getPhoneNo());
        authBean.setToken(sessionStruct.getSid());
        authBean.setUuid(uuid);
+        authBean.setHasPassword(user.getHasPassword());
        log.info("用户登录成功, loginFrom:{}, phoneNo:{},appChannel:{},channelId:{}", properties.getCreatedFrom(), user.getPhoneNo(), properties.getAppChannel(), properties.getChannelId());
        return authBean;
    }

--- a/src/main/java/cn/quantgroup/xyqb/service/sms/impl/SmsServiceImpl.java
+++ b/src/main/java/cn/quantgroup/xyqb/service/sms/impl/SmsServiceImpl.java
@@ -2,6 +2,7 @@ package cn.quantgroup.xyqb.service.sms.impl;
 import cn.quantgroup.sms.MsgParams;
 import cn.quantgroup.sms.SmsSender;
+import cn.quantgroup.tech.util.TechEnvironment;
 import cn.quantgroup.xyqb.Constants;
 import cn.quantgroup.xyqb.service.sms.ISmsService;
 import lombok.Synchronized;
@@ -87,6 +88,10 @@ public class SmsServiceImpl implements ISmsService {
     */
    @Override
    public boolean verifyPhoneAndCode(String phoneNo, String verificationCode) {
+        // 非生产环境直接跳过验证码检验
+        if (!TechEnvironment.isPro()) {
+            return true;
+        }
        String key = Constants.REDIS_PREFIX_VERIFICATION_CODE + phoneNo;
        String randomCode = stringRedisTemplate.opsForValue().get(key);
        if (StringUtils.isBlank(randomCode)) {

--- a/src/main/java/cn/quantgroup/xyqb/util/PasswordUtil.java
+++ b/src/main/java/cn/quantgroup/xyqb/util/PasswordUtil.java
@@ -2,8 +2,10 @@ package cn.quantgroup.xyqb.util;
 import cn.quantgroup.xyqb.Constants;
 import com.google.common.base.Preconditions;
+import org.apache.commons.lang3.StringUtils;
 import java.security.MessageDigest;
+import java.util.Objects;
 import java.util.concurrent.ThreadLocalRandom;
 /**
@@ -22,10 +24,16 @@ public class PasswordUtil {
    };
    public final static String MD5WithSalt(String s){
+        if(Objects.isNull(s)){
+            return null;
+        }
        return MD5(s.toLowerCase() + Constants.PASSWORD_SALT);
    }
    public final static String MD5(String s) {
+        if(Objects.isNull(s)){
+            return null;
+        }
        try {
            byte[] strTemp = s.getBytes("utf-8");
            MessageDigest mdTemp = MessageDigest.getInstance("MD5");
@@ -67,4 +75,14 @@ public class PasswordUtil {
        return pwd.toString();
    }
+    /**
+     * 校验密码是否合法
+     *
+     * @param password
+     * @return
+     */
+    public static boolean validPwd(String password) {
+        return Objects.nonNull(password) && (password.length() < 6 || password.length() > 12);
+    }
 }
--- a/src/test/java/common/TestJdk8.java
+++ b/src/test/java/common/TestJdk8.java
@@ -2,12 +2,14 @@ package common;
 import java.util.Arrays;
 import java.util.List;
+import java.util.Random;
 import java.util.UUID;
 import java.util.stream.Collectors;
 import cn.quantgroup.xyqb.Constants;
 import cn.quantgroup.xyqb.util.AESUtil;
 import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.lang.RandomStringUtils;
 import org.junit.Assert;
 import org.junit.Test;
 import org.junit.runner.RunWith;
@@ -18,6 +20,7 @@ import cn.quantgroup.xyqb.util.ValidationUtil;
 @Slf4j
 @RunWith(JUnit4.class)
 public class TestJdk8 {
+    final static String RANDOM_CHARS = "0123456789";
    @Test
    public void testString() {
@@ -46,4 +49,11 @@ public class TestJdk8 {
        log.info("uuid:{}", uuid);
    }
+    @Test
+    public void random() {
+        for(int i=0; i<10; i++){
+            log.info("{}-random:{}", i, RandomStringUtils.random(6, RANDOM_CHARS));
+        }
+    }
 }