Exclude mru_token in user key hash

management/auth.py

@@ -4,7 +4,7 @@ from flask import make_response
 
 import utils
 from mailconfig import get_mail_password, get_mail_user_privileges
-from mfa import get_mfa_state, validate_auth_mfa
+from mfa import get_hash_mfa_state, validate_auth_mfa
 
 DEFAULT_KEY_PATH   = '/var/lib/mailinabox/api.key'
 DEFAULT_AUTH_REALM = 'Mail-in-a-Box Management Server'
@@ -147,7 +147,7 @@ class KeyAuthService:
 
 		# Add to the message the current MFA state, which is a list of MFA information.
 		# Turn it into a string stably.
-		msg += b" " + json.dumps(get_mfa_state(email, env), sort_keys=True).encode("utf8")
+		msg += b" " + json.dumps(get_hash_mfa_state(email, env), sort_keys=True).encode("utf8")
 
 		# Make the HMAC.
 		hash_key = self.key.encode('ascii')

management/mfa.py

@@ -22,11 +22,17 @@ def get_mfa_state(email, env):
 	]
 
 def get_public_mfa_state(email, env):
-	c = open_database(env)
-	c.execute('SELECT id, type, label FROM mfa WHERE user_id=?', (get_user_id(email, c),))
+	mfa_state = get_mfa_state(email, env)
 	return [
-		{ "id": r[0], "type": r[1], "label": r[2] }
-		for r in c.fetchall()
+		{ "id": s["id"], "type": s["type"], "label": s["label"] }
+		for s in mfa_state
+	]
+
+def get_hash_mfa_state(email, env):
+	mfa_state = get_mfa_state(email, env)
+	return [
+		{ "id": s["id"], "type": s["type"], "secret": s["secret"] }
+		for s in mfa_state
 	]
 
 def enable_mfa(email, type, secret, token, label, env):