diff options
author | Stefan Melmuk <[email protected]> | 2024-11-12 21:22:25 +0100 |
---|---|---|
committer | GitHub <[email protected]> | 2024-11-12 21:22:25 +0100 |
commit | adb21d5c1acfef9bd06d1ad9cdf3b916b38b201b (patch) | |
tree | cd3fcbee766b7a4d401c590c7d2ee35b8231554f | |
parent | e927b8aa5ec8f0352bfb2ff95a996a89389959ff (diff) | |
download | vaultwarden-adb21d5c1acfef9bd06d1ad9cdf3b916b38b201b.tar.gz vaultwarden-adb21d5c1acfef9bd06d1ad9cdf3b916b38b201b.zip |
fix password hint check (#5189)
* fix password hint check
don't show password hints if you have disabled the hints with
PASSWORD_HINTS_ALLOWED=false or if you have not configured mail and
opted into showing password hints
* update descriptions for pw hints options
-rw-r--r-- | .env.template | 7 | ||||
-rw-r--r-- | src/api/core/accounts.rs | 2 | ||||
-rw-r--r-- | src/config.rs | 8 |
3 files changed, 9 insertions, 8 deletions
diff --git a/.env.template b/.env.template index 5a8686d5..075689e9 100644 --- a/.env.template +++ b/.env.template @@ -280,12 +280,13 @@ ## The default for new users. If changed, it will be updated during login for existing users. # PASSWORD_ITERATIONS=600000 -## Controls whether users can set password hints. This setting applies globally to all users. +## Controls whether users can set or show password hints. This setting applies globally to all users. # PASSWORD_HINTS_ALLOWED=true ## Controls whether a password hint should be shown directly in the web page if -## SMTP service is not configured. Not recommended for publicly-accessible instances -## as this provides unauthenticated access to potentially sensitive data. +## SMTP service is not configured and password hints are allowed. +## Not recommended for publicly-accessible instances because this provides +## unauthenticated access to potentially sensitive data. # SHOW_PASSWORD_HINT=false ######################### diff --git a/src/api/core/accounts.rs b/src/api/core/accounts.rs index 4e566bc9..7c3919ad 100644 --- a/src/api/core/accounts.rs +++ b/src/api/core/accounts.rs @@ -842,7 +842,7 @@ struct PasswordHintData { #[post("/accounts/password-hint", data = "<data>")] async fn password_hint(data: Json<PasswordHintData>, mut conn: DbConn) -> EmptyResult { - if !CONFIG.mail_enabled() || !CONFIG.show_password_hint() { + if !CONFIG.password_hints_allowed() || (!CONFIG.mail_enabled() && !CONFIG.show_password_hint()) { err!("This server is not configured to provide password hints."); } diff --git a/src/config.rs b/src/config.rs index 61a47b76..244499d0 100644 --- a/src/config.rs +++ b/src/config.rs @@ -497,11 +497,11 @@ make_config! { /// Password iterations |> Number of server-side passwords hashing iterations for the password hash. /// The default for new users. If changed, it will be updated during login for existing users. password_iterations: i32, true, def, 600_000; - /// Allow password hints |> Controls whether users can set password hints. This setting applies globally to all users. + /// Allow password hints |> Controls whether users can set or show password hints. This setting applies globally to all users. password_hints_allowed: bool, true, def, true; - /// Show password hint |> Controls whether a password hint should be shown directly in the web page - /// if SMTP service is not configured. Not recommended for publicly-accessible instances as this - /// provides unauthenticated access to potentially sensitive data. + /// Show password hint (Know the risks!) |> Controls whether a password hint should be shown directly in the web page + /// if SMTP service is not configured and password hints are allowed. Not recommended for publicly-accessible instances + /// because this provides unauthenticated access to potentially sensitive data. show_password_hint: bool, true, def, false; /// Admin token/Argon2 PHC |> The plain text token or Argon2 PHC string used to authenticate in this very same page. Changing it here will not deauthorize the current session! |