Don't expose mru_token and secret for enabled mfas over HTTP

api/mailinabox.yml

@@ -2637,10 +2637,6 @@ components:
               type: string
             type:
               type: string
-            secret:
-              type: string
-            mru_token:
-              type: string
             label:
               type: string
           nullable: true
@@ -2681,4 +2677,4 @@ components:
           type: string
           nullable: true
     MfaDisableSuccessResponse:
-      type: string
+      type: string

management/daemon.py

@@ -9,7 +9,7 @@ import auth, utils, mfa
 from mailconfig import get_mail_users, get_mail_users_ex, get_admins, add_mail_user, set_mail_password, remove_mail_user
 from mailconfig import get_mail_user_privileges, add_remove_mail_user_privilege
 from mailconfig import get_mail_aliases, get_mail_aliases_ex, get_mail_domains, add_mail_alias, remove_mail_alias
-from mfa import get_mfa_state, provision_totp, validate_totp_secret, enable_mfa, disable_mfa
+from mfa import get_public_mfa_state, provision_totp, validate_totp_secret, enable_mfa, disable_mfa
 
 env = utils.load_environment()
 
@@ -403,7 +403,7 @@ def ssl_provision_certs():
 @authorized_personnel_only
 def mfa_get_status():
 	return json_response({
-		"enabled_mfa": get_mfa_state(request.user_email, env),
+		"enabled_mfa": get_public_mfa_state(request.user_email, env),
 		"new_mfa": {
 			"totp": provision_totp(request.user_email, env)
 		}

management/mfa.py

@@ -21,6 +21,14 @@ def get_mfa_state(email, env):
 		for r in c.fetchall()
 	]
 
+def get_public_mfa_state(email, env):
+	c = open_database(env)
+	c.execute('SELECT id, type, label FROM mfa WHERE user_id=?', (get_user_id(email, c),))
+	return [
+		{ "id": r[0], "type": r[1], "label": r[2] }
+		for r in c.fetchall()
+	]
+
 def enable_mfa(email, type, secret, token, label, env):
 	if type == "totp":
 		validate_totp_secret(secret)