Support logging in with encrypted password (#3480)

#### What type of PR is this? /kind feature /kind api-change /area core /area console #### What this PR does / why we need it: This PR creates AuthenticationWebFilter by ourselves instead of using FormLoginSpec directly. Because we have no chance to customize `org.springframework.security.web.server.authentication.ServerAuthenticationConverter` currently. Meanwhile, we provide CryptoService(RSA) to generate key pair, get public key and decrypt message encrypted by public key. There is a new endpoint to get public key which is used by console: ```bash ❯ curl localhost:8090/login/public-key -s | jq . { "base64Format": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAouDtdDS751U8NcWfAAQ53ijEtkLnIHh1Thqkq5QHGslq2hBmWnNsIZFnc/bwVp00ImKLV2NtLgOuv5RRNS5iO+oqRvfOGdXLdW2nzqU2towtaMkYTEMJrsNMZp5BUNCGI7Z2xpPBZzvys0d1BvcpNFobX/LkOtcTyfB1DRp9ZAhxRYOZkTkCzaKo+6X11lnMexTsB3exzaXk9rRZ8XoJ+dWT5G0URs/PF2cDkgxuMdOFJzqDsb9HQYGI/etajdCcKs7mZsjmDgse9Cw9/3mgoTNnEGx9Wl89S0P+FJ7T5DALGt3/nSAlzmKdXJNBLf6Q44ogFpTWdq27JpJD3SKicQIDAQAB" } ``` #### Which issue(s) this PR fixes: Fixes https://github.com/halo-dev/halo/issues/3419 #### Does this PR introduce a user-facing change? ```release-note 支持登录时密码加密传输 ```
2023-03-08 17:52:12 +08:00 · 2023-03-08 17:52:12 +08:00 · d192b8c956
parent df2300144e
commit d192b8c956
24 changed files with 951 additions and 126 deletions
--- a/console/package.json
+++ b/console/package.json
@ -83,7 +83,8 @@
    "vue-grid-layout": "3.0.0-beta1",
    "vue-i18n": "^9.2.2",
    "vue-router": "^4.1.6",
-    "vuedraggable": "^4.1.0"
+    "vuedraggable": "^4.1.0",
+    "jsencrypt": "^3.3.2"
  },
  "devDependencies": {
    "@changesets/cli": "^2.25.2",
--- a/console/packages/api-client/src/.openapi-generator/FILES
+++ b/console/packages/api-client/src/.openapi-generator/FILES
@ -21,6 +21,7 @@ api/content-halo-run-v1alpha1-reply-api.ts
 api/content-halo-run-v1alpha1-single-page-api.ts
 api/content-halo-run-v1alpha1-snapshot-api.ts
 api/content-halo-run-v1alpha1-tag-api.ts
+api/login-api.ts
 api/metrics-halo-run-v1alpha1-counter-api.ts
 api/plugin-halo-run-v1alpha1-plugin-api.ts
 api/plugin-halo-run-v1alpha1-reverse-proxy-api.ts
@ -133,6 +134,7 @@ models/post-request.ts
 models/post-spec.ts
 models/post-status.ts
 models/post.ts
+models/public-key-response.ts
 models/ref.ts
 models/reply-list.ts
 models/reply-request.ts
--- a/console/packages/api-client/src/api.ts
+++ b/console/packages/api-client/src/api.ts
@ -32,6 +32,7 @@ export * from "./api/content-halo-run-v1alpha1-reply-api";
 export * from "./api/content-halo-run-v1alpha1-single-page-api";
 export * from "./api/content-halo-run-v1alpha1-snapshot-api";
 export * from "./api/content-halo-run-v1alpha1-tag-api";
+export * from "./api/login-api";
 export * from "./api/metrics-halo-run-v1alpha1-counter-api";
 export * from "./api/plugin-halo-run-v1alpha1-plugin-api";
 export * from "./api/plugin-halo-run-v1alpha1-reverse-proxy-api";
--- a/console/packages/api-client/src/api/login-api.ts
+++ b/console/packages/api-client/src/api/login-api.ts
@ -0,0 +1,176 @@
+/* tslint:disable */
+/* eslint-disable */
+/**
+ * Halo Next API
+ * No description provided (generated by Openapi Generator https://github.com/openapitools/openapi-generator)
+ *
+ * The version of the OpenAPI document: 2.0.0
+ *
+ *
+ * NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech).
+ * https://openapi-generator.tech
+ * Do not edit the class manually.
+ */
+
+import type { Configuration } from "../configuration";
+import type { AxiosPromise, AxiosInstance, AxiosRequestConfig } from "axios";
+import globalAxios from "axios";
+// Some imports not used depending on template conditions
+// @ts-ignore
+import {
+  DUMMY_BASE_URL,
+  assertParamExists,
+  setApiKeyToObject,
+  setBasicAuthToObject,
+  setBearerAuthToObject,
+  setOAuthToObject,
+  setSearchParams,
+  serializeDataIfNeeded,
+  toPathString,
+  createRequestFunction,
+} from "../common";
+// @ts-ignore
+import {
+  BASE_PATH,
+  COLLECTION_FORMATS,
+  RequestArgs,
+  BaseAPI,
+  RequiredError,
+} from "../base";
+// @ts-ignore
+import { PublicKeyResponse } from "../models";
+/**
+ * LoginApi - axios parameter creator
+ * @export
+ */
+export const LoginApiAxiosParamCreator = function (
+  configuration?: Configuration
+) {
+  return {
+    /**
+     * Read public key for encrypting password.
+     * @param {*} [options] Override http request option.
+     * @throws {RequiredError}
+     */
+    getPublicKey: async (
+      options: AxiosRequestConfig = {}
+    ): Promise<RequestArgs> => {
+      const localVarPath = `/login/public-key`;
+      // use dummy base URL string because the URL constructor only accepts absolute URLs.
+      const localVarUrlObj = new URL(localVarPath, DUMMY_BASE_URL);
+      let baseOptions;
+      if (configuration) {
+        baseOptions = configuration.baseOptions;
+      }
+
+      const localVarRequestOptions = {
+        method: "GET",
+        ...baseOptions,
+        ...options,
+      };
+      const localVarHeaderParameter = {} as any;
+      const localVarQueryParameter = {} as any;
+
+      // authentication BasicAuth required
+      // http basic authentication required
+      setBasicAuthToObject(localVarRequestOptions, configuration);
+
+      // authentication BearerAuth required
+      // http bearer authentication required
+      await setBearerAuthToObject(localVarHeaderParameter, configuration);
+
+      setSearchParams(localVarUrlObj, localVarQueryParameter);
+      let headersFromBaseOptions =
+        baseOptions && baseOptions.headers ? baseOptions.headers : {};
+      localVarRequestOptions.headers = {
+        ...localVarHeaderParameter,
+        ...headersFromBaseOptions,
+        ...options.headers,
+      };
+
+      return {
+        url: toPathString(localVarUrlObj),
+        options: localVarRequestOptions,
+      };
+    },
+  };
+};
+
+/**
+ * LoginApi - functional programming interface
+ * @export
+ */
+export const LoginApiFp = function (configuration?: Configuration) {
+  const localVarAxiosParamCreator = LoginApiAxiosParamCreator(configuration);
+  return {
+    /**
+     * Read public key for encrypting password.
+     * @param {*} [options] Override http request option.
+     * @throws {RequiredError}
+     */
+    async getPublicKey(
+      options?: AxiosRequestConfig
+    ): Promise<
+      (
+        axios?: AxiosInstance,
+        basePath?: string
+      ) => AxiosPromise<PublicKeyResponse>
+    > {
+      const localVarAxiosArgs = await localVarAxiosParamCreator.getPublicKey(
+        options
+      );
+      return createRequestFunction(
+        localVarAxiosArgs,
+        globalAxios,
+        BASE_PATH,
+        configuration
+      );
+    },
+  };
+};
+
+/**
+ * LoginApi - factory interface
+ * @export
+ */
+export const LoginApiFactory = function (
+  configuration?: Configuration,
+  basePath?: string,
+  axios?: AxiosInstance
+) {
+  const localVarFp = LoginApiFp(configuration);
+  return {
+    /**
+     * Read public key for encrypting password.
+     * @param {*} [options] Override http request option.
+     * @throws {RequiredError}
+     */
+    getPublicKey(
+      options?: AxiosRequestConfig
+    ): AxiosPromise<PublicKeyResponse> {
+      return localVarFp
+        .getPublicKey(options)
+        .then((request) => request(axios, basePath));
+    },
+  };
+};
+
+/**
+ * LoginApi - object-oriented interface
+ * @export
+ * @class LoginApi
+ * @extends {BaseAPI}
+ */
+export class LoginApi extends BaseAPI {
+  /**
+   * Read public key for encrypting password.
+   * @param {*} [options] Override http request option.
+   * @throws {RequiredError}
+   * @memberof LoginApi
+   */
+  public getPublicKey(options?: AxiosRequestConfig) {
+    return LoginApiFp(this.configuration)
+      .getPublicKey(options)
+      .then((request) => request(this.axios, this.basePath));
+  }
+}
--- a/console/packages/api-client/src/base.ts
+++ b/console/packages/api-client/src/base.ts
@ -18,7 +18,7 @@ import type { Configuration } from "./configuration";
 import type { AxiosPromise, AxiosInstance, AxiosRequestConfig } from "axios";
 import globalAxios from "axios";

-export const BASE_PATH = "http://127.0.0.1:8090".replace(/\/+$/, "");
+export const BASE_PATH = "http://localhost:8090".replace(/\/+$/, "");

 /**
 *
--- a/console/packages/api-client/src/models/index.ts
+++ b/console/packages/api-client/src/models/index.ts
@ -86,6 +86,7 @@ export * from "./post-list";
 export * from "./post-request";
 export * from "./post-spec";
 export * from "./post-status";
+export * from "./public-key-response";
 export * from "./ref";
 export * from "./reply";
 export * from "./reply-list";
--- a/console/packages/api-client/src/models/public-key-response.ts
+++ b/console/packages/api-client/src/models/public-key-response.ts
@ -0,0 +1,27 @@
+/* tslint:disable */
+/* eslint-disable */
+/**
+ * Halo Next API
+ * No description provided (generated by Openapi Generator https://github.com/openapitools/openapi-generator)
+ *
+ * The version of the OpenAPI document: 2.0.0
+ *
+ *
+ * NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech).
+ * https://openapi-generator.tech
+ * Do not edit the class manually.
+ */
+
+/**
+ *
+ * @export
+ * @interface PublicKeyResponse
+ */
+export interface PublicKeyResponse {
+  /**
+   *
+   * @type {string}
+   * @memberof PublicKeyResponse
+   */
+  base64Format?: string;
+}
--- a/console/pnpm-lock.yaml
+++ b/console/pnpm-lock.yaml
@ -68,6 +68,7 @@ importers:
      fuse.js: ^6.6.2
      husky: ^8.0.2
      jsdom: ^20.0.3
+      jsencrypt: ^3.3.2
      lint-staged: ^13.1.0
      lodash.clonedeep: ^4.5.0
      lodash.debounce: ^4.0.8
@ -139,6 +140,7 @@ importers:
      fastq: 1.15.0
      floating-vue: 2.0.0-beta.20_vue@3.2.45
      fuse.js: 6.6.2
+      jsencrypt: 3.3.2
      lodash.clonedeep: 4.5.0
      lodash.debounce: 4.0.8
      lodash.isequal: 4.5.0
@ -4616,7 +4618,7 @@ packages:
  /axios/0.26.1:
    resolution: {integrity: sha512-fPwcX4EvnSHuInCMItEhAGnaSEXRBjtzh9fOtsE6E1G6p7vl7edEeZe11QHf18+6+9gR5PbKV/sGKNaD8YaMeA==}
    dependencies:
-      follow-redirects: 1.15.2
+      follow-redirects: 1.15.2_debug@4.3.2
    transitivePeerDependencies:
      - debug
    dev: true
@ -4624,7 +4626,7 @@ packages:
  /axios/0.27.2:
    resolution: {integrity: sha512-t+yRIyySRTp/wua5xEr+z1q60QmLq8ABsS5O9Me1AsE5dfKqgnCFzwiCZZ/cGNd1lq4/7akDWMxdhVlucjmnOQ==}
    dependencies:
-      follow-redirects: 1.15.2
+      follow-redirects: 1.15.2_debug@4.3.2
      form-data: 4.0.0
    transitivePeerDependencies:
      - debug
@ -5431,7 +5433,6 @@ packages:
        optional: true
    dependencies:
      ms: 2.1.2
-    dev: true

  /debug/4.3.4:
    resolution: {integrity: sha512-PRWFHuSU3eDtQJPvnNY7Jcket1j0t5OuOsFzPPzsekD52Zl8qUfFIPEiswXqIvHWGVHOgX+7G/vCNNhehwxfkQ==}
@ -6669,15 +6670,6 @@ packages:
      vue-resize: 2.0.0-alpha.1_vue@3.2.45
    dev: false

-  /follow-redirects/1.15.2:
-    resolution: {integrity: sha512-VQLG33o04KaQ8uYi2tVNbdrWp1QWxNNea+nmIB4EVM28v0hmP17z7aG1+wAkNzVq4KeXTq3221ye5qTJP91JwA==}
-    engines: {node: '>=4.0'}
-    peerDependencies:
-      debug: '*'
-    peerDependenciesMeta:
-      debug:
-        optional: true
-
  /follow-redirects/1.15.2_debug@4.3.2:
    resolution: {integrity: sha512-VQLG33o04KaQ8uYi2tVNbdrWp1QWxNNea+nmIB4EVM28v0hmP17z7aG1+wAkNzVq4KeXTq3221ye5qTJP91JwA==}
    engines: {node: '>=4.0'}
@ -6688,7 +6680,6 @@ packages:
        optional: true
    dependencies:
      debug: 4.3.2
-    dev: true

  /foreground-child/2.0.0:
    resolution: {integrity: sha512-dCIq9FpEcyQyXKCkyzmlPTFNgrCzPudOe+mhvJU5zAtlBnGVy2yKxtfsxK2tQBThwq225jcvBjpw1Gr40uzZCA==}
@ -7671,6 +7662,10 @@ packages:
      - utf-8-validate
    dev: true

+  /jsencrypt/3.3.2:
+    resolution: {integrity: sha512-arQR1R1ESGdAxY7ZheWr12wCaF2yF47v5qpB76TtV64H1pyGudk9Hvw8Y9tb/FiTIaaTRUyaSnm5T/Y53Ghm/A==}
+    dev: false
+
  /jsesc/0.5.0:
    resolution: {integrity: sha512-uZz5UnB7u4T9LvwmFqXii7pZSouaRPorGs5who1Ip7VO0wxanFvBL7GkM6dTHlgX+jhBApRetaWpnDabOeTcnA==}
    hasBin: true
@ -8236,7 +8231,6 @@ packages:

  /ms/2.1.2:
    resolution: {integrity: sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==}
-    dev: true

  /ms/2.1.3:
    resolution: {integrity: sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==}
--- a/console/src/components/login/LoginForm.vue
+++ b/console/src/components/login/LoginForm.vue
@ -8,6 +8,8 @@ import { Toast, VButton } from "@halo-dev/components";
 import { onMounted, ref } from "vue";
 import qs from "qs";
 import { submitForm } from "@formkit/core";
+import { JSEncrypt } from "jsencrypt";
+import { apiClient } from "@/utils/api-client";

 const emit = defineEmits<{
  (event: "succeed"): void;
@ -39,9 +41,17 @@ const handleLogin = async () => {
  try {
    loading.value = true;

+    const { data: publicKey } = await apiClient.login.getPublicKey();
+
+    const encrypt = new JSEncrypt();
+    encrypt.setPublicKey(publicKey.base64Format as string);
+
    await axios.post(
      `${import.meta.env.VITE_API_URL}/login`,
-      qs.stringify(loginForm.value),
+      qs.stringify({
+        ...loginForm.value,
+        password: encrypt.encrypt(loginForm.value.password),
+      }),
      {
        withCredentials: true,
        headers: {
@ -66,7 +76,7 @@ const handleLogin = async () => {

      if (e.response?.status === 403) {
        Toast.warning("CSRF Token 失效，请重新尝试", { duration: 5000 });
-        handleGenerateToken();
+        await handleGenerateToken();
        return;
      }

--- a/console/src/utils/api-client.ts
+++ b/console/src/utils/api-client.ts
@ -32,6 +32,7 @@ import {
  V1alpha1SettingApi,
  V1alpha1UserApi,
  V1alpha1AnnotationSettingApi,
+  LoginApi,
 } from "@halo-dev/api-client";
 import type { AxiosError, AxiosInstance } from "axios";
 import axios from "axios";
@ -184,6 +185,7 @@ function setupApiClient(axios: AxiosInstance) {
      baseURL,
      axios
    ),
+    login: new LoginApi(undefined, baseURL, axios),
    indices: new ApiConsoleHaloRunV1alpha1IndicesApi(undefined, baseURL, axios),
  };
 }
--- a/src/main/java/run/halo/app/config/SwaggerConfig.java
+++ b/src/main/java/run/halo/app/config/SwaggerConfig.java
@ -80,7 +80,7 @@ public class SwaggerConfig {
        return GroupedOpenApi.builder()
            .group("all-api")
            .displayName("All APIs")
-            .pathsToMatch("/api/**", "/apis/**")
+            .pathsToMatch("/api/**", "/apis/**", "/login/**")
            .build();
    }

--- a/src/main/java/run/halo/app/config/WebServerSecurityConfig.java
+++ b/src/main/java/run/halo/app/config/WebServerSecurityConfig.java
@ -17,7 +17,6 @@ import org.springframework.http.MediaType;
 import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
 import org.springframework.security.config.web.server.ServerHttpSecurity;
 import org.springframework.security.core.authority.AuthorityUtils;
-import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
 import org.springframework.security.crypto.factory.PasswordEncoderFactories;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.server.SecurityWebFilterChain;
@ -25,6 +24,8 @@ import org.springframework.security.web.server.context.ServerSecurityContextRepo
 import org.springframework.security.web.server.context.WebSessionServerSecurityContextRepository;
 import org.springframework.security.web.server.util.matcher.AndServerWebExchangeMatcher;
 import org.springframework.security.web.server.util.matcher.MediaTypeServerWebExchangeMatcher;
+import org.springframework.web.reactive.function.server.RouterFunction;
+import org.springframework.web.reactive.function.server.ServerResponse;
 import run.halo.app.core.extension.service.RoleService;
 import run.halo.app.core.extension.service.UserService;
 import run.halo.app.extension.ReactiveExtensionClient;
@ -33,6 +34,10 @@ import run.halo.app.infra.properties.HaloProperties;
 import run.halo.app.security.DefaultUserDetailService;
 import run.halo.app.security.SuperAdminInitializer;
 import run.halo.app.security.authentication.SecurityConfigurer;
+import run.halo.app.security.authentication.login.CryptoService;
+import run.halo.app.security.authentication.login.PublicKeyRouteBuilder;
+import run.halo.app.security.authentication.login.RsaKeyScheduledGenerator;
+import run.halo.app.security.authentication.login.impl.RsaKeyService;
 import run.halo.app.security.authorization.RequestInfoAuthorizationManager;

 /**
@ -52,7 +57,7 @@ public class WebServerSecurityConfig {
        ServerSecurityContextRepository securityContextRepository) {

        http.securityMatcher(
-                pathMatchers("/api/**", "/apis/**", "/login", "/logout", "/actuator/**"))
+                pathMatchers("/api/**", "/apis/**", "/login/**", "/logout", "/actuator/**"))
            .authorizeExchange().anyExchange()
            .access(new RequestInfoAuthorizationManager(roleService)).and()
            .anonymous(spec -> {
@ -98,7 +103,7 @@ public class WebServerSecurityConfig {
    }

    @Bean
-    ReactiveUserDetailsService userDetailsService(UserService userService,
+    DefaultUserDetailService userDetailsService(UserService userService,
        RoleService roleService) {
        return new DefaultUserDetailService(userService, roleService);
    }
@ -117,4 +122,19 @@ public class WebServerSecurityConfig {
        return new SuperAdminInitializer(client, passwordEncoder(),
            halo.getSecurity().getInitializer());
    }
+
+    @Bean
+    RouterFunction<ServerResponse> publicKeyRoute(CryptoService cryptoService) {
+        return new PublicKeyRouteBuilder(cryptoService).build();
+    }
+
+    @Bean
+    CryptoService cryptoService(HaloProperties haloProperties) {
+        return new RsaKeyService(haloProperties.getWorkDir().resolve("keys"));
+    }
+
+    @Bean
+    RsaKeyScheduledGenerator rsaKeyScheduledGenerator(CryptoService cryptoService) {
+        return new RsaKeyScheduledGenerator(cryptoService);
+    }
 }
--- a/src/main/java/run/halo/app/security/authentication/formlogin/FormLoginConfigurer.java
+++ b/src/main/java/run/halo/app/security/authentication/formlogin/FormLoginConfigurer.java
@ -1,103 +0,0 @@
-package run.halo.app.security.authentication.formlogin;
-
-import static run.halo.app.security.authentication.WebExchangeMatchers.ignoringMediaTypeAll;
-
-import java.util.Map;
-import org.springframework.http.HttpStatus;
-import org.springframework.http.MediaType;
-import org.springframework.security.config.web.server.ServerHttpSecurity;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.core.CredentialsContainer;
-import org.springframework.security.web.server.WebFilterExchange;
-import org.springframework.security.web.server.authentication.RedirectServerAuthenticationFailureHandler;
-import org.springframework.security.web.server.authentication.RedirectServerAuthenticationSuccessHandler;
-import org.springframework.security.web.server.authentication.ServerAuthenticationFailureHandler;
-import org.springframework.security.web.server.authentication.ServerAuthenticationSuccessHandler;
-import org.springframework.stereotype.Component;
-import org.springframework.web.reactive.function.server.ServerResponse;
-import reactor.core.publisher.Mono;
-import run.halo.app.security.authentication.SecurityConfigurer;
-
-@Component
-public class FormLoginConfigurer implements SecurityConfigurer {
-
-    private final ServerResponse.Context context;
-
-    public FormLoginConfigurer(ServerResponse.Context context) {
-        this.context = context;
-    }
-
-    @Override
-    public void configure(ServerHttpSecurity http) {
-        http.formLogin()
-            .authenticationSuccessHandler(new FormLoginSuccessHandler(context))
-            .authenticationFailureHandler(new FormLoginFailureHandler(context))
-        ;
-    }
-
-    public static class FormLoginSuccessHandler implements ServerAuthenticationSuccessHandler {
-
-        private final ServerResponse.Context context;
-
-        private final ServerAuthenticationSuccessHandler defaultHandler =
-            new RedirectServerAuthenticationSuccessHandler("/console/");
-
-        public FormLoginSuccessHandler(ServerResponse.Context context) {
-            this.context = context;
-        }
-
-        @Override
-        public Mono<Void> onAuthenticationSuccess(WebFilterExchange webFilterExchange,
-            Authentication authentication) {
-            return ignoringMediaTypeAll(MediaType.APPLICATION_JSON)
-                .matches(webFilterExchange.getExchange())
-                .flatMap(matchResult -> {
-                    if (matchResult.isMatch()) {
-                        var principal = authentication.getPrincipal();
-                        if (principal instanceof CredentialsContainer credentialsContainer) {
-                            credentialsContainer.eraseCredentials();
-                        }
-                        return ServerResponse.ok()
-                            .contentType(MediaType.APPLICATION_JSON)
-                            .bodyValue(principal)
-                            .flatMap(serverResponse ->
-                                serverResponse.writeTo(webFilterExchange.getExchange(), context));
-                    }
-                    return defaultHandler.onAuthenticationSuccess(webFilterExchange,
-                        authentication);
-                });
-        }
-    }
-
-    public static class FormLoginFailureHandler implements ServerAuthenticationFailureHandler {
-
-        private final ServerAuthenticationFailureHandler defaultHandler =
-            new RedirectServerAuthenticationFailureHandler("/console?error#/login");
-        private final ServerResponse.Context context;
-
-        public FormLoginFailureHandler(ServerResponse.Context context) {
-            this.context = context;
-        }
-
-        @Override
-        public Mono<Void> onAuthenticationFailure(WebFilterExchange webFilterExchange,
-            AuthenticationException exception) {
-            return ignoringMediaTypeAll(MediaType.APPLICATION_JSON).matches(
-                    webFilterExchange.getExchange())
-                .flatMap(matchResult -> {
-                    if (matchResult.isMatch()) {
-                        return ServerResponse.status(HttpStatus.UNAUTHORIZED)
-                            .contentType(MediaType.APPLICATION_JSON)
-                            .bodyValue(Map.of(
-                                "error", exception.getLocalizedMessage()
-                            ))
-                            .flatMap(serverResponse -> serverResponse.writeTo(
-                                webFilterExchange.getExchange(), context));
-                    }
-                    return defaultHandler.onAuthenticationFailure(webFilterExchange, exception);
-                });
-        }
-
-    }
-}
--- a/src/main/java/run/halo/app/security/authentication/login/CryptoService.java
+++ b/src/main/java/run/halo/app/security/authentication/login/CryptoService.java
@ -0,0 +1,27 @@
+package run.halo.app.security.authentication.login;
+
+import reactor.core.publisher.Mono;
+
+public interface CryptoService {
+
+    /**
+     * Generates key pair.
+     */
+    Mono<Void> generateKeys();
+
+    /**
+     * Decrypts message with Base64 format.
+     *
+     * @param encryptedMessage is a byte array containing encrypted message.
+     * @return decrypted message.
+     */
+    Mono<byte[]> decrypt(byte[] encryptedMessage);
+
+    /**
+     * Reads public key.
+     *
+     * @return byte array of public key
+     */
+    Mono<byte[]> readPublicKey();
+
+}
--- a/src/main/java/run/halo/app/security/authentication/login/InvalidEncryptedMessageException.java
+++ b/src/main/java/run/halo/app/security/authentication/login/InvalidEncryptedMessageException.java
@ -0,0 +1,17 @@
+package run.halo.app.security.authentication.login;
+
+/**
+ * InvalidEncryptedMessageException indicates the encrypted message is invalid.
+ *
+ * @author johnniang
+ */
+public class InvalidEncryptedMessageException extends RuntimeException {
+
+    public InvalidEncryptedMessageException(String message) {
+        super(message);
+    }
+
+    public InvalidEncryptedMessageException(String message, Throwable cause) {
+        super(message, cause);
+    }
+}
--- a/src/main/java/run/halo/app/security/authentication/login/LoginAuthenticationConverter.java
+++ b/src/main/java/run/halo/app/security/authentication/login/LoginAuthenticationConverter.java
@ -0,0 +1,42 @@
+package run.halo.app.security.authentication.login;
+
+import static java.nio.charset.StandardCharsets.UTF_8;
+
+import java.util.Base64;
+import org.springframework.security.authentication.BadCredentialsException;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.web.server.authentication.ServerFormLoginAuthenticationConverter;
+import org.springframework.web.server.ServerWebExchange;
+import reactor.core.publisher.Mono;
+
+public class LoginAuthenticationConverter extends ServerFormLoginAuthenticationConverter {
+
+    private final CryptoService cryptoService;
+
+    public LoginAuthenticationConverter(CryptoService cryptoService) {
+        this.cryptoService = cryptoService;
+    }
+
+    @Override
+    public Mono<Authentication> convert(ServerWebExchange exchange) {
+        return super.convert(exchange)
+            // validate the password
+            .flatMap(token -> {
+                var credentials = (String) token.getCredentials();
+                byte[] credentialsBytes;
+                try {
+                    credentialsBytes = Base64.getDecoder().decode(credentials);
+                } catch (IllegalArgumentException e) {
+                    // the credentials are not in valid Base64 scheme
+                    return Mono.error(new BadCredentialsException("Invalid Base64 scheme."));
+                }
+                return cryptoService.decrypt(credentialsBytes)
+                    .onErrorMap(InvalidEncryptedMessageException.class,
+                        error -> new BadCredentialsException("Invalid credential.", error))
+                    .map(decryptedCredentials -> new UsernamePasswordAuthenticationToken(
+                        token.getPrincipal(),
+                        new String(decryptedCredentials, UTF_8)));
+            });
+    }
+}
--- a/src/main/java/run/halo/app/security/authentication/login/LoginConfigurer.java
+++ b/src/main/java/run/halo/app/security/authentication/login/LoginConfigurer.java
@ -0,0 +1,149 @@
+package run.halo.app.security.authentication.login;
+
+import static run.halo.app.security.authentication.WebExchangeMatchers.ignoringMediaTypeAll;
+
+import io.micrometer.observation.ObservationRegistry;
+import java.util.Map;
+import org.springframework.http.HttpMethod;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.MediaType;
+import org.springframework.security.authentication.ObservationReactiveAuthenticationManager;
+import org.springframework.security.authentication.ReactiveAuthenticationManager;
+import org.springframework.security.authentication.UserDetailsRepositoryReactiveAuthenticationManager;
+import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
+import org.springframework.security.config.web.server.ServerHttpSecurity;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.CredentialsContainer;
+import org.springframework.security.core.userdetails.ReactiveUserDetailsPasswordService;
+import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.web.server.WebFilterExchange;
+import org.springframework.security.web.server.authentication.AuthenticationWebFilter;
+import org.springframework.security.web.server.authentication.RedirectServerAuthenticationFailureHandler;
+import org.springframework.security.web.server.authentication.RedirectServerAuthenticationSuccessHandler;
+import org.springframework.security.web.server.authentication.ServerAuthenticationFailureHandler;
+import org.springframework.security.web.server.authentication.ServerAuthenticationSuccessHandler;
+import org.springframework.security.web.server.context.ServerSecurityContextRepository;
+import org.springframework.security.web.server.ui.LogoutPageGeneratingWebFilter;
+import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
+import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;
+import org.springframework.stereotype.Component;
+import org.springframework.web.reactive.function.server.ServerResponse;
+import reactor.core.publisher.Mono;
+import run.halo.app.security.authentication.SecurityConfigurer;
+
+@Component
+public class LoginConfigurer implements SecurityConfigurer {
+
+    private final ServerResponse.Context context;
+
+    private final ObservationRegistry observationRegistry;
+
+    private final ReactiveUserDetailsService userDetailsService;
+
+    private final ReactiveUserDetailsPasswordService passwordService;
+
+    private final PasswordEncoder passwordEncoder;
+
+    private final ServerSecurityContextRepository securityContextRepository;
+
+    private final CryptoService cryptoService;
+
+    public LoginConfigurer(ServerResponse.Context context,
+        ObservationRegistry observationRegistry,
+        ReactiveUserDetailsService userDetailsService,
+        ReactiveUserDetailsPasswordService passwordService,
+        PasswordEncoder passwordEncoder,
+        ServerSecurityContextRepository securityContextRepository,
+        CryptoService cryptoService) {
+        this.context = context;
+        this.observationRegistry = observationRegistry;
+        this.userDetailsService = userDetailsService;
+        this.passwordService = passwordService;
+        this.passwordEncoder = passwordEncoder;
+        this.securityContextRepository = securityContextRepository;
+        this.cryptoService = cryptoService;
+    }
+
+    @Override
+    public void configure(ServerHttpSecurity http) {
+        // We disable the form login because we will customize the login by ourselves.
+        // See https://github.com/spring-projects/spring-security/issues/5361 for more.
+        http.formLogin()
+            .disable();
+
+        var requiresMatcher = ServerWebExchangeMatchers.pathMatchers(HttpMethod.POST, "/login");
+
+        var filter = new AuthenticationWebFilter(authenticationManager());
+        filter.setRequiresAuthenticationMatcher(requiresMatcher);
+        filter.setAuthenticationFailureHandler(new LoginFailureHandler());
+        filter.setAuthenticationSuccessHandler(new LoginSuccessHandler());
+        filter.setServerAuthenticationConverter(new LoginAuthenticationConverter(cryptoService));
+        filter.setSecurityContextRepository(securityContextRepository);
+
+        http.addFilterAt(filter, SecurityWebFiltersOrder.FORM_LOGIN);
+        http.addFilterAt(new LogoutPageGeneratingWebFilter(),
+            SecurityWebFiltersOrder.LOGOUT_PAGE_GENERATING);
+    }
+
+    ReactiveAuthenticationManager authenticationManager() {
+        var manager = new UserDetailsRepositoryReactiveAuthenticationManager(userDetailsService);
+        manager.setPasswordEncoder(passwordEncoder);
+        manager.setUserDetailsPasswordService(passwordService);
+        return new ObservationReactiveAuthenticationManager(observationRegistry, manager);
+    }
+
+    public class LoginSuccessHandler implements ServerAuthenticationSuccessHandler {
+
+        private final ServerAuthenticationSuccessHandler defaultHandler =
+            new RedirectServerAuthenticationSuccessHandler("/console/");
+
+        @Override
+        public Mono<Void> onAuthenticationSuccess(WebFilterExchange webFilterExchange,
+            Authentication authentication) {
+            return ignoringMediaTypeAll(MediaType.APPLICATION_JSON)
+                .matches(webFilterExchange.getExchange())
+                .filter(ServerWebExchangeMatcher.MatchResult::isMatch)
+                .flatMap(matchResult -> {
+                    var principal = authentication.getPrincipal();
+                    if (principal instanceof CredentialsContainer credentialsContainer) {
+                        credentialsContainer.eraseCredentials();
+                    }
+
+                    return ServerResponse.ok()
+                        .contentType(MediaType.APPLICATION_JSON)
+                        .bodyValue(principal)
+                        .flatMap(serverResponse ->
+                            serverResponse.writeTo(webFilterExchange.getExchange(), context));
+                })
+                .switchIfEmpty(
+                    defaultHandler.onAuthenticationSuccess(webFilterExchange, authentication)
+                );
+        }
+    }
+
+    public class LoginFailureHandler implements ServerAuthenticationFailureHandler {
+
+        private final ServerAuthenticationFailureHandler defaultHandler =
+            new RedirectServerAuthenticationFailureHandler("/console?error#/login");
+
+        @Override
+        public Mono<Void> onAuthenticationFailure(WebFilterExchange webFilterExchange,
+            AuthenticationException exception) {
+            return ignoringMediaTypeAll(MediaType.APPLICATION_JSON).matches(
+                    webFilterExchange.getExchange())
+                .filter(ServerWebExchangeMatcher.MatchResult::isMatch)
+                .flatMap(matchResult -> ServerResponse.status(HttpStatus.UNAUTHORIZED)
+                    .contentType(MediaType.APPLICATION_JSON)
+                    .bodyValue(Map.of(
+                        "error", exception.getLocalizedMessage()
+                    ))
+                    .flatMap(serverResponse -> serverResponse.writeTo(
+                        webFilterExchange.getExchange(), context)))
+                .switchIfEmpty(
+                    defaultHandler.onAuthenticationFailure(webFilterExchange, exception));
+        }
+
+    }
+}
--- a/src/main/java/run/halo/app/security/authentication/login/PublicKeyRouteBuilder.java
+++ b/src/main/java/run/halo/app/security/authentication/login/PublicKeyRouteBuilder.java
@ -0,0 +1,46 @@
+package run.halo.app.security.authentication.login;
+
+import java.util.Base64;
+import lombok.Data;
+import org.springdoc.core.fn.builders.apiresponse.Builder;
+import org.springdoc.webflux.core.fn.SpringdocRouteBuilder;
+import org.springframework.web.reactive.function.server.RouterFunction;
+import org.springframework.web.reactive.function.server.ServerResponse;
+
+public class PublicKeyRouteBuilder {
+
+    private final CryptoService cryptoService;
+
+    public PublicKeyRouteBuilder(CryptoService cryptoService) {
+        this.cryptoService = cryptoService;
+    }
+
+    /**
+     * Builds public key router function.
+     *
+     * @return public key router function.
+     */
+    public RouterFunction<ServerResponse> build() {
+        return SpringdocRouteBuilder.route()
+            .GET("/login/public-key", request -> cryptoService.readPublicKey()
+                    .flatMap(publicKey -> {
+                        var base64Format = Base64.getEncoder().encodeToString(publicKey);
+                        var response = new PublicKeyResponse();
+                        response.setBase64Format(base64Format);
+                        return ServerResponse.ok()
+                            .bodyValue(response);
+                    }),
+                builder -> builder.operationId("GetPublicKey")
+                    .description("Read public key for encrypting password.")
+                    .tag("Login")
+                    .response(Builder.responseBuilder()
+                        .implementation(PublicKeyResponse.class))).build();
+    }
+
+    @Data
+    public static class PublicKeyResponse {
+
+        private String base64Format;
+
+    }
+}
--- a/src/main/java/run/halo/app/security/authentication/login/RsaKeyScheduledGenerator.java
+++ b/src/main/java/run/halo/app/security/authentication/login/RsaKeyScheduledGenerator.java
@ -0,0 +1,25 @@
+package run.halo.app.security.authentication.login;
+
+import java.util.concurrent.TimeUnit;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.scheduling.annotation.Scheduled;
+
+/**
+ * RsaKeyScheduledGenerator is responsible for periodically generating RSA key pair.
+ *
+ * @author johnniang
+ */
+@Slf4j
+public class RsaKeyScheduledGenerator {
+
+    private final CryptoService cryptoService;
+
+    public RsaKeyScheduledGenerator(CryptoService cryptoService) {
+        this.cryptoService = cryptoService;
+    }
+
+    @Scheduled(fixedDelay = 1, timeUnit = TimeUnit.DAYS)
+    void scheduleGeneration() {
+        cryptoService.generateKeys().block();
+    }
+}
--- a/src/main/java/run/halo/app/security/authentication/login/impl/RsaKeyService.java
+++ b/src/main/java/run/halo/app/security/authentication/login/impl/RsaKeyService.java
@ -0,0 +1,136 @@
+package run.halo.app.security.authentication.login.impl;
+
+import static java.nio.file.StandardOpenOption.TRUNCATE_EXISTING;
+import static java.nio.file.attribute.PosixFilePermission.OWNER_READ;
+import static java.nio.file.attribute.PosixFilePermission.OWNER_WRITE;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.attribute.PosixFilePermissions;
+import java.security.InvalidKeyException;
+import java.security.KeyFactory;
+import java.security.KeyPairGenerator;
+import java.security.NoSuchAlgorithmException;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.util.Set;
+import javax.crypto.BadPaddingException;
+import javax.crypto.Cipher;
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.NoSuchPaddingException;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.core.io.buffer.DataBuffer;
+import org.springframework.core.io.buffer.DataBufferUtils;
+import org.springframework.core.io.buffer.DefaultDataBufferFactory;
+import org.springframework.util.StopWatch;
+import reactor.core.publisher.Mono;
+import reactor.core.scheduler.Schedulers;
+import run.halo.app.security.authentication.login.CryptoService;
+import run.halo.app.security.authentication.login.InvalidEncryptedMessageException;
+
+@Slf4j
+public class RsaKeyService implements CryptoService {
+
+    public static final String ALGORITHM = "RSA";
+
+    private final Path privateKeyPath;
+
+    private final Path publicKeyPath;
+
+    public RsaKeyService(Path dir) {
+        privateKeyPath = dir.resolve("id_rsa");
+        publicKeyPath = dir.resolve("id_rsa.pub");
+    }
+
+    @Override
+    public Mono<Void> generateKeys() {
+        try {
+            log.info("Generating RSA keys...");
+            var stopWatch = new StopWatch("GenerateRSAKeys");
+            stopWatch.start();
+            var generator = KeyPairGenerator.getInstance(ALGORITHM);
+            generator.initialize(2048);
+            var keyPair = generator.generateKeyPair();
+            stopWatch.stop();
+            log.info("Generated RSA keys. Usage: {} ms.", stopWatch.getTotalTimeMillis());
+
+            var dataBufferFactory = DefaultDataBufferFactory.sharedInstance;
+            var privateKeyDataBuffer = Mono.<DataBuffer>fromSupplier(() ->
+                dataBufferFactory.wrap(keyPair.getPrivate().getEncoded()));
+            var publicKeyDataBuffer = Mono.<DataBuffer>fromSupplier(() ->
+                dataBufferFactory.wrap(keyPair.getPublic().getEncoded()));
+
+            var writePrivateKey =
+                DataBufferUtils.write(privateKeyDataBuffer, privateKeyPath, TRUNCATE_EXISTING);
+            var writePublicKey =
+                DataBufferUtils.write(publicKeyDataBuffer, publicKeyPath, TRUNCATE_EXISTING);
+
+            return Mono.when(
+                    createFileIfNotExist(privateKeyPath),
+                    createFileIfNotExist(publicKeyPath))
+                .then(Mono.when(
+                    writePrivateKey,
+                    writePublicKey));
+        } catch (NoSuchAlgorithmException e) {
+            return Mono.error(e);
+        }
+    }
+
+    @Override
+    public Mono<byte[]> decrypt(byte[] encryptedMessage) {
+        return readKey(privateKeyPath)
+            .map(privateKeyBytes -> {
+                var keySpec = new PKCS8EncodedKeySpec(privateKeyBytes);
+                try {
+                    var keyFactory = KeyFactory.getInstance(ALGORITHM);
+                    var privateKey = keyFactory.generatePrivate(keySpec);
+                    var cipher = Cipher.getInstance(ALGORITHM);
+                    cipher.init(Cipher.DECRYPT_MODE, privateKey);
+                    return cipher.doFinal(encryptedMessage);
+                } catch (NoSuchAlgorithmException | InvalidKeySpecException
+                         | NoSuchPaddingException | InvalidKeyException e) {
+                    throw new RuntimeException("Failed to read private key or the key was invalid.",
+                        e);
+                } catch (IllegalBlockSizeException | BadPaddingException e) {
+                    // invalid encrypted message
+                    throw new InvalidEncryptedMessageException("Invalid encrypted message.", e);
+                }
+            });
+    }
+
+    @Override
+    public Mono<byte[]> readPublicKey() {
+        return readKey(publicKeyPath);
+    }
+
+    private Mono<byte[]> readKey(Path keyPath) {
+        var content =
+            DataBufferUtils.read(keyPath, DefaultDataBufferFactory.sharedInstance, 4096);
+
+        return DataBufferUtils.join(content)
+            .map(dataBuffer -> {
+                // the byte count won't be too large
+                var byteBuffer = ByteBuffer.allocate(dataBuffer.readableByteCount());
+                dataBuffer.toByteBuffer(byteBuffer);
+                return byteBuffer.array();
+            });
+    }
+
+    Mono<Void> createFileIfNotExist(Path path) {
+        if (Files.notExists(path)) {
+            return Mono.fromRunnable(() -> {
+                try {
+                    Files.createDirectories(path.getParent());
+                    Files.createFile(path,
+                        PosixFilePermissions.asFileAttribute(Set.of(OWNER_READ, OWNER_WRITE)));
+                } catch (IOException e) {
+                    // ignore the error
+                    log.warn("Failed to create file for {}", path, e);
+                }
+            }).subscribeOn(Schedulers.boundedElastic()).then();
+        }
+        return Mono.empty();
+    }
+}
--- a/src/main/resources/extensions/role-template-anonymous.yaml
+++ b/src/main/resources/extensions/role-template-anonymous.yaml
@ -17,5 +17,5 @@ rules:
    verbs: [ "*" ]
  - nonResourceURLs: [ "/apis/api.halo.run/v1alpha1/trackers/*" ]
    verbs: [ "create" ]
-  - nonResourceURLs: [ "/actuator/globalinfo", "/actuator/health", "/actuator/health/*"]
+  - nonResourceURLs: [ "/actuator/globalinfo", "/actuator/health", "/actuator/health/*", "/login/public-key"]
    verbs: [ "get" ]
--- a/src/test/java/run/halo/app/security/authentication/login/LoginAuthenticationConverterTest.java
+++ b/src/test/java/run/halo/app/security/authentication/login/LoginAuthenticationConverterTest.java
@ -0,0 +1,90 @@
+package run.halo.app.security.authentication.login;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.mockito.Mockito.lenient;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+import java.util.Base64;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.springframework.security.authentication.BadCredentialsException;
+import org.springframework.util.LinkedMultiValueMap;
+import org.springframework.util.MultiValueMap;
+import org.springframework.web.server.ServerWebExchange;
+import reactor.core.publisher.Mono;
+import reactor.test.StepVerifier;
+
+@ExtendWith(MockitoExtension.class)
+class LoginAuthenticationConverterTest {
+
+    @Mock
+    ServerWebExchange exchange;
+
+    MultiValueMap<String, String> formData;
+
+    @InjectMocks
+    LoginAuthenticationConverter converter;
+
+    @Mock
+    CryptoService cryptoService;
+
+    @BeforeEach
+    void setUp() {
+        formData = new LinkedMultiValueMap<>();
+        lenient().when(exchange.getFormData()).thenReturn(Mono.just(formData));
+    }
+
+    @Test
+    void applyUsernameAndPasswordThenCreatesTokenSuccess() {
+        var username = "username";
+        var password = "password";
+        var decryptedPassword = "decrypted password";
+
+        formData.add("username", username);
+        formData.add("password", Base64.getEncoder().encodeToString(password.getBytes()));
+
+        when(cryptoService.decrypt(password.getBytes()))
+            .thenReturn(Mono.just(decryptedPassword.getBytes()));
+        StepVerifier.create(converter.convert(exchange))
+            .assertNext(token -> {
+                assertEquals(username, token.getPrincipal());
+                assertEquals(decryptedPassword, token.getCredentials());
+            })
+            .verifyComplete();
+
+        verify(cryptoService).decrypt(password.getBytes());
+    }
+
+    @Test
+    void applyPasswordWithoutBase64FormatThenBadCredentialsException() {
+        var username = "username";
+        var password = "+invalid-base64-format-password";
+
+        formData.add("username", username);
+        formData.add("password", password);
+
+        StepVerifier.create(converter.convert(exchange))
+            .verifyError(BadCredentialsException.class);
+    }
+
+    @Test
+    void applyUsernameAndInvalidPasswordThenBadCredentialsException() {
+        var username = "username";
+        var password = "password";
+
+        formData.add("username", username);
+        formData.add("password", Base64.getEncoder().encodeToString(password.getBytes()));
+
+        when(cryptoService.decrypt(password.getBytes()))
+            .thenReturn(Mono.error(() -> new InvalidEncryptedMessageException("invalid message")));
+        StepVerifier.create(converter.convert(exchange))
+                .verifyError(BadCredentialsException.class);
+        verify(cryptoService).decrypt(password.getBytes());
+    }
+
+}
--- a/src/test/java/run/halo/app/security/authentication/login/PublicKeyRouteBuilderTest.java
+++ b/src/test/java/run/halo/app/security/authentication/login/PublicKeyRouteBuilderTest.java
@ -0,0 +1,51 @@
+package run.halo.app.security.authentication.login;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+import java.util.Base64;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.springframework.test.web.reactive.server.WebTestClient;
+import reactor.core.publisher.Mono;
+
+@ExtendWith(MockitoExtension.class)
+class PublicKeyRouteBuilderTest {
+
+    WebTestClient webClient;
+
+    @Mock
+    CryptoService cryptoService;
+
+    @BeforeEach
+    void setUp() {
+        webClient = WebTestClient.bindToRouterFunction(
+            new PublicKeyRouteBuilder(cryptoService).build()
+        ).build();
+    }
+
+    @Test
+    void shouldReadPublicKey() {
+        var publicKeyStr = "public-key";
+        var encoder = Base64.getEncoder();
+        when(cryptoService.readPublicKey()).thenReturn(Mono.just(publicKeyStr.getBytes()));
+        webClient.get().uri("/login/public-key")
+            .exchange()
+            .expectStatus().isOk()
+            .expectBody(PublicKeyRouteBuilder.PublicKeyResponse.class)
+            .consumeWith(result -> {
+                var response = result.getResponseBody();
+                assertNotNull(response);
+                assertEquals(encoder.encodeToString(publicKeyStr.getBytes()),
+                    response.getBase64Format());
+            });
+
+        verify(cryptoService).readPublicKey();
+    }
+
+}
--- a/src/test/java/run/halo/app/security/authentication/login/impl/RsaKeyServiceTest.java
+++ b/src/test/java/run/halo/app/security/authentication/login/impl/RsaKeyServiceTest.java
@ -0,0 +1,111 @@
+package run.halo.app.security.authentication.login.impl;
+
+import static org.junit.jupiter.api.Assertions.assertArrayEquals;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.security.InvalidKeyException;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.interfaces.RSAPrivateCrtKey;
+import java.security.interfaces.RSAPublicKey;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.security.spec.X509EncodedKeySpec;
+import javax.crypto.BadPaddingException;
+import javax.crypto.Cipher;
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.NoSuchPaddingException;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.junit.jupiter.api.io.TempDir;
+import org.mockito.junit.jupiter.MockitoExtension;
+import reactor.core.Exceptions;
+import reactor.test.StepVerifier;
+import run.halo.app.security.authentication.login.InvalidEncryptedMessageException;
+
+@ExtendWith(MockitoExtension.class)
+class RsaKeyServiceTest {
+
+    RsaKeyService service;
+
+    @TempDir
+    Path tempDir;
+
+    @BeforeEach
+    void setUp() {
+        service = new RsaKeyService(tempDir);
+    }
+
+    @Test
+    void shouldGenerateKeyPair()
+        throws IOException, NoSuchAlgorithmException, InvalidKeySpecException {
+        StepVerifier.create(service.generateKeys())
+            .verifyComplete();
+        // check the file
+        byte[] privKeyBytes = Files.readAllBytes(tempDir.resolve("id_rsa"));
+        byte[] pubKeyBytes = Files.readAllBytes(tempDir.resolve("id_rsa.pub"));
+
+        var pubKeySpec = new X509EncodedKeySpec(pubKeyBytes);
+        var privKeySpec = new PKCS8EncodedKeySpec(privKeyBytes);
+        var keyFactory = KeyFactory.getInstance(RsaKeyService.ALGORITHM);
+        var privKey = (RSAPrivateCrtKey) keyFactory.generatePrivate(privKeySpec);
+        var pubKey = (RSAPublicKey) keyFactory.generatePublic(pubKeySpec);
+        assertEquals(privKey.getModulus(), pubKey.getModulus());
+        assertEquals(privKey.getPublicExponent(), pubKey.getPublicExponent());
+    }
+
+    @Test
+    void shouldReadPublicKey() throws IOException {
+        StepVerifier.create(service.generateKeys())
+            .verifyComplete();
+
+        var realPubKeyBytes = Files.readAllBytes(tempDir.resolve("id_rsa.pub"));
+
+        StepVerifier.create(service.readPublicKey())
+            .assertNext(bytes -> assertArrayEquals(realPubKeyBytes, bytes))
+            .verifyComplete();
+    }
+
+    @Test
+    void shouldDecryptMessageCorrectly() {
+        StepVerifier.create(service.generateKeys())
+            .verifyComplete();
+
+        final String message = "halo";
+
+        var mono = service.readPublicKey()
+            .map(pubKeyBytes -> {
+                var pubKeySpec = new X509EncodedKeySpec(pubKeyBytes);
+                try {
+                    var keyFactory = KeyFactory.getInstance(RsaKeyService.ALGORITHM);
+                    var pubKey = keyFactory.generatePublic(pubKeySpec);
+                    var cipher = Cipher.getInstance(RsaKeyService.ALGORITHM);
+                    cipher.init(Cipher.ENCRYPT_MODE, pubKey);
+                    return cipher.doFinal(message.getBytes());
+                } catch (NoSuchAlgorithmException | InvalidKeySpecException
+                         | NoSuchPaddingException | InvalidKeyException | IllegalBlockSizeException
+                         | BadPaddingException e) {
+                    throw Exceptions.propagate(e);
+                }
+            })
+            .flatMap(service::decrypt)
+            .map(String::new);
+
+        StepVerifier.create(mono)
+            .expectNext(message)
+            .verifyComplete();
+    }
+
+    @Test
+    void shouldFailToDecryptMessage() {
+        StepVerifier.create(service.generateKeys())
+            .verifyComplete();
+
+        StepVerifier.create(service.decrypt("invalid-bytes".getBytes()))
+            .verifyError(InvalidEncryptedMessageException.class);
+    }
+}