feat: add password hint endpoint to accounts API for direct retrieval of master password hints
This commit is contained in:
parent
7af0504291
commit
fe298c9246
4 changed files with 66 additions and 5 deletions
|
|
@ -18,8 +18,8 @@ use crate::{
|
|||
sync::Profile,
|
||||
user::{
|
||||
AvatarData, ChangeKdfRequest, ChangePasswordRequest, MasterPasswordUnlockData,
|
||||
PasswordOrOtpData, PreloginResponse, ProfileData, RegisterRequest, RotateKeyRequest,
|
||||
User,
|
||||
PasswordHintRequest, PasswordOrOtpData, PreloginResponse, ProfileData, RegisterRequest,
|
||||
RotateKeyRequest, User,
|
||||
},
|
||||
},
|
||||
};
|
||||
|
|
@ -311,6 +311,62 @@ pub async fn send_verification_email() -> Result<Json<String>, AppError> {
|
|||
Ok(Json("fixed-token-to-mock".to_string()))
|
||||
}
|
||||
|
||||
/// POST /api/accounts/password-hint
|
||||
///
|
||||
/// Bitwarden normally sends the master password hint via email. This project does not implement
|
||||
/// email delivery, so we return the hint directly.
|
||||
#[worker::send]
|
||||
pub async fn password_hint(
|
||||
State(env): State<Arc<Env>>,
|
||||
headers: HeaderMap,
|
||||
Json(payload): Json<PasswordHintRequest>,
|
||||
) -> Result<Json<Value>, AppError> {
|
||||
// Basic rate limit by IP to slow down bulk email enumeration attempts.
|
||||
if let Ok(rate_limiter) = env.rate_limiter("LOGIN_RATE_LIMITER") {
|
||||
let ip = headers
|
||||
.get("cf-connecting-ip")
|
||||
.and_then(|v| v.to_str().ok())
|
||||
.unwrap_or("unknown");
|
||||
let rate_limit_key = format!("password-hint:{}", ip);
|
||||
if let Ok(outcome) = rate_limiter.limit(rate_limit_key).await {
|
||||
if !outcome.success {
|
||||
return Err(AppError::TooManyRequests(
|
||||
"Too many requests. Please try again later.".to_string(),
|
||||
));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
const NO_HINT: &str = "Sorry, you have no password hint...";
|
||||
|
||||
let db = db::get_db(&env)?;
|
||||
let email = payload.email.to_lowercase();
|
||||
|
||||
let hint: Option<String> = db
|
||||
.prepare("SELECT master_password_hint FROM users WHERE email = ?1")
|
||||
.bind(&[email.into()])?
|
||||
.first(Some("master_password_hint"))
|
||||
.await
|
||||
.map_err(|_| AppError::Database)?;
|
||||
|
||||
let hint = hint.and_then(|h| {
|
||||
let trimmed = h.trim();
|
||||
if trimmed.is_empty() {
|
||||
None
|
||||
} else {
|
||||
Some(trimmed.to_string())
|
||||
}
|
||||
});
|
||||
|
||||
if let Some(hint) = hint {
|
||||
return Err(AppError::BadRequest(format!(
|
||||
"Your password hint is: {hint}"
|
||||
)));
|
||||
}
|
||||
|
||||
Err(AppError::BadRequest(NO_HINT.to_string()))
|
||||
}
|
||||
|
||||
#[worker::send]
|
||||
pub async fn revision_date(
|
||||
claims: Claims,
|
||||
|
|
|
|||
|
|
@ -13,8 +13,6 @@ pub struct Profile {
|
|||
pub avatar_color: Option<String>,
|
||||
pub email: String,
|
||||
pub id: String,
|
||||
#[serde(skip_serializing_if = "Option::is_none")]
|
||||
pub master_password_hint: Option<String>,
|
||||
pub security_stamp: String,
|
||||
pub object: String,
|
||||
pub premium_from_organization: bool,
|
||||
|
|
@ -47,7 +45,6 @@ impl Profile {
|
|||
name: user.name,
|
||||
avatar_color: user.avatar_color,
|
||||
email: user.email,
|
||||
master_password_hint: user.master_password_hint,
|
||||
security_stamp: user.security_stamp,
|
||||
object: "profile".to_string(),
|
||||
premium_from_organization: false,
|
||||
|
|
|
|||
|
|
@ -144,6 +144,13 @@ pub struct RegisterRequest {
|
|||
pub kdf_parallelism: Option<i32>, // Argon2 parallelism parameter (1-16)
|
||||
}
|
||||
|
||||
// For POST /accounts/password-hint request
|
||||
#[derive(Debug, Deserialize)]
|
||||
#[serde(rename_all = "camelCase")]
|
||||
pub struct PasswordHintRequest {
|
||||
pub email: String,
|
||||
}
|
||||
|
||||
#[derive(Debug, Deserialize)]
|
||||
#[serde(rename_all = "camelCase")]
|
||||
pub struct KeyData {
|
||||
|
|
|
|||
|
|
@ -30,6 +30,7 @@ pub fn api_router(env: Env) -> Router {
|
|||
.route("/api/sync", get(sync::get_sync_data))
|
||||
// For on-demand sync checks
|
||||
.route("/api/accounts/revision-date", get(accounts::revision_date))
|
||||
.route("/api/accounts/password-hint", post(accounts::password_hint))
|
||||
.route("/api/accounts/tasks", get(accounts::get_tasks))
|
||||
.route("/api/accounts/profile", get(accounts::get_profile))
|
||||
.route("/api/accounts/profile", post(accounts::post_profile))
|
||||
|
|
|
|||
Loading…
Reference in a new issue