Don't expose mru_token and secret for enabled mfas over HTTP
This commit is contained in:
parent
00b3a3b0a9
commit
be5032ffbe
|
@ -2637,10 +2637,6 @@ components:
|
|||
type: string
|
||||
type:
|
||||
type: string
|
||||
secret:
|
||||
type: string
|
||||
mru_token:
|
||||
type: string
|
||||
label:
|
||||
type: string
|
||||
nullable: true
|
||||
|
|
|
@ -9,7 +9,7 @@ import auth, utils, mfa
|
|||
from mailconfig import get_mail_users, get_mail_users_ex, get_admins, add_mail_user, set_mail_password, remove_mail_user
|
||||
from mailconfig import get_mail_user_privileges, add_remove_mail_user_privilege
|
||||
from mailconfig import get_mail_aliases, get_mail_aliases_ex, get_mail_domains, add_mail_alias, remove_mail_alias
|
||||
from mfa import get_mfa_state, provision_totp, validate_totp_secret, enable_mfa, disable_mfa
|
||||
from mfa import get_public_mfa_state, provision_totp, validate_totp_secret, enable_mfa, disable_mfa
|
||||
|
||||
env = utils.load_environment()
|
||||
|
||||
|
@ -403,7 +403,7 @@ def ssl_provision_certs():
|
|||
@authorized_personnel_only
|
||||
def mfa_get_status():
|
||||
return json_response({
|
||||
"enabled_mfa": get_mfa_state(request.user_email, env),
|
||||
"enabled_mfa": get_public_mfa_state(request.user_email, env),
|
||||
"new_mfa": {
|
||||
"totp": provision_totp(request.user_email, env)
|
||||
}
|
||||
|
|
|
@ -21,6 +21,14 @@ def get_mfa_state(email, env):
|
|||
for r in c.fetchall()
|
||||
]
|
||||
|
||||
def get_public_mfa_state(email, env):
|
||||
c = open_database(env)
|
||||
c.execute('SELECT id, type, label FROM mfa WHERE user_id=?', (get_user_id(email, c),))
|
||||
return [
|
||||
{ "id": r[0], "type": r[1], "label": r[2] }
|
||||
for r in c.fetchall()
|
||||
]
|
||||
|
||||
def enable_mfa(email, type, secret, token, label, env):
|
||||
if type == "totp":
|
||||
validate_totp_secret(secret)
|
||||
|
|
Loading…
Reference in New Issue