authorStefan Melmuk <[email protected]>2024-11-12 21:22:25 +0100
committerGitHub <[email protected]>2024-11-12 21:22:25 +0100
commitadb21d5c1acfef9bd06d1ad9cdf3b916b38b201b (patch)
treecd3fcbee766b7a4d401c590c7d2ee35b8231554f
parente927b8aa5ec8f0352bfb2ff95a996a89389959ff (diff)
fix password hint check (#5189)
* fix password hint check: don't show password hints if hints are disabled with PASSWORD_HINTS_ALLOWED=false, or if mail is not configured and showing password hints has not been opted into
* update descriptions for pw hints options
-rw-r--r--.env.template7
-rw-r--r--src/api/core/accounts.rs2
-rw-r--r--src/config.rs8
3 files changed, 9 insertions, 8 deletions
diff --git a/.env.template b/.env.template
index 5a8686d5..075689e9 100644
--- a/.env.template
+++ b/.env.template
@@ -280,12 +280,13 @@
## The default for new users. If changed, it will be updated during login for existing users.
# PASSWORD_ITERATIONS=600000
-## Controls whether users can set password hints. This setting applies globally to all users.
+## Controls whether users can set or show password hints. This setting applies globally to all users.
# PASSWORD_HINTS_ALLOWED=true
## Controls whether a password hint should be shown directly in the web page if
-## SMTP service is not configured. Not recommended for publicly-accessible instances
-## as this provides unauthenticated access to potentially sensitive data.
+## SMTP service is not configured and password hints are allowed.
+## Not recommended for publicly-accessible instances because this provides
+## unauthenticated access to potentially sensitive data.
# SHOW_PASSWORD_HINT=false
#########################
diff --git a/src/api/core/accounts.rs b/src/api/core/accounts.rs
index 4e566bc9..7c3919ad 100644
--- a/src/api/core/accounts.rs
+++ b/src/api/core/accounts.rs
@@ -842,7 +842,7 @@ struct PasswordHintData {
#[post("/accounts/password-hint", data = "<data>")]
async fn password_hint(data: Json<PasswordHintData>, mut conn: DbConn) -> EmptyResult {
- if !CONFIG.mail_enabled() || !CONFIG.show_password_hint() {
+ if !CONFIG.password_hints_allowed() || (!CONFIG.mail_enabled() && !CONFIG.show_password_hint()) {
err!("This server is not configured to provide password hints.");
}
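Review bot: The new gate on the `if` line is a three-way negation that is hard to audit for a pre-authentication endpoint; naming the positive condition makes the intended policy explicit, e.g. `let hints_available = CONFIG.password_hints_allowed() && (CONFIG.mail_enabled() || CONFIG.show_password_hint());` followed by `if !hints_available { err!("This server is not configured to provide password hints."); }`. A one-line comment above it would also help future readers, e.g. `// Hints are only served when globally allowed, and then either via mail or, when mail is unavailable, directly in the response (SHOW_PASSWORD_HINT).`. The body of `password_hint` continues past the hunk, so it is not visible here whether the in-page delivery branch is keyed on `!CONFIG.mail_enabled()` or on `CONFIG.show_password_hint()`; with this gate a request can now reach the body with `show_password_hint()` false when mail is enabled, so the branch that returns the hint in the response should still be conditioned on `show_password_hint()` rather than only on mail being disabled.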
diff --git a/src/config.rs b/src/config.rs
index 61a47b76..244499d0 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -497,11 +497,11 @@ make_config! {
/// Password iterations |> Number of server-side passwords hashing iterations for the password hash.
/// The default for new users. If changed, it will be updated during login for existing users.
password_iterations: i32, true, def, 600_000;
- /// Allow password hints |> Controls whether users can set password hints. This setting applies globally to all users.
+ /// Allow password hints |> Controls whether users can set or show password hints. This setting applies globally to all users.
password_hints_allowed: bool, true, def, true;
- /// Show password hint |> Controls whether a password hint should be shown directly in the web page
- /// if SMTP service is not configured. Not recommended for publicly-accessible instances as this
- /// provides unauthenticated access to potentially sensitive data.
+ /// Show password hint (Know the risks!) |> Controls whether a password hint should be shown directly in the web page
+ /// if SMTP service is not configured and password hints are allowed. Not recommended for publicly-accessible instances
+ /// because this provides unauthenticated access to potentially sensitive data.
show_password_hint: bool, true, def, false;
/// Admin token/Argon2 PHC |> The plain text token or Argon2 PHC string used to authenticate in this very same page. Changing it here will not deauthorize the current session!