Don't expose mru_token and secret for enabled mfas over HTTP

2026-04-01 21:27:22 +02:00 · 2020-09-29 19:46:02 +02:00
parent 00b3a3b0a9
commit be5032ffbe
3 changed files with 11 additions and 7 deletions
--- a/management/mfa.py
+++ b/management/mfa.py
@@ -21,6 +21,14 @@ def get_mfa_state(email, env):
 		for r in c.fetchall()
 	]

+def get_public_mfa_state(email, env):
+	c = open_database(env)
+	c.execute('SELECT id, type, label FROM mfa WHERE user_id=?', (get_user_id(email, c),))
+	return [
+		{ "id": r[0], "type": r[1], "label": r[2] }
+		for r in c.fetchall()
+	]
+
 def enable_mfa(email, type, secret, token, label, env):
 	if type == "totp":
 		validate_totp_secret(secret)