feat: add password hint endpoint to accounts API for direct retrieval of master password hints

This commit is contained in:
qaz741wsd856 2026-01-11 18:31:20 +00:00
parent 7af0504291
commit fe298c9246
4 changed files with 66 additions and 5 deletions

View file

@ -18,8 +18,8 @@ use crate::{
sync::Profile,
user::{
AvatarData, ChangeKdfRequest, ChangePasswordRequest, MasterPasswordUnlockData,
PasswordOrOtpData, PreloginResponse, ProfileData, RegisterRequest, RotateKeyRequest,
User,
PasswordHintRequest, PasswordOrOtpData, PreloginResponse, ProfileData, RegisterRequest,
RotateKeyRequest, User,
},
},
};
@ -311,6 +311,62 @@ pub async fn send_verification_email() -> Result<Json<String>, AppError> {
Ok(Json("fixed-token-to-mock".to_string()))
}
/// POST /api/accounts/password-hint
///
/// Bitwarden normally sends the master password hint via email. This project does not implement
/// email delivery, so we return the hint directly.
#[worker::send]
pub async fn password_hint(
State(env): State<Arc<Env>>,
headers: HeaderMap,
Json(payload): Json<PasswordHintRequest>,
) -> Result<Json<Value>, AppError> {
// Basic rate limit by IP to slow down bulk email enumeration attempts.
if let Ok(rate_limiter) = env.rate_limiter("LOGIN_RATE_LIMITER") {
let ip = headers
.get("cf-connecting-ip")
.and_then(|v| v.to_str().ok())
.unwrap_or("unknown");
let rate_limit_key = format!("password-hint:{}", ip);
if let Ok(outcome) = rate_limiter.limit(rate_limit_key).await {
if !outcome.success {
return Err(AppError::TooManyRequests(
"Too many requests. Please try again later.".to_string(),
));
}
}
}
const NO_HINT: &str = "Sorry, you have no password hint...";
let db = db::get_db(&env)?;
let email = payload.email.to_lowercase();
let hint: Option<String> = db
.prepare("SELECT master_password_hint FROM users WHERE email = ?1")
.bind(&[email.into()])?
.first(Some("master_password_hint"))
.await
.map_err(|_| AppError::Database)?;
let hint = hint.and_then(|h| {
let trimmed = h.trim();
if trimmed.is_empty() {
None
} else {
Some(trimmed.to_string())
}
});
if let Some(hint) = hint {
return Err(AppError::BadRequest(format!(
"Your password hint is: {hint}"
)));
}
Err(AppError::BadRequest(NO_HINT.to_string()))
}
#[worker::send]
pub async fn revision_date(
claims: Claims,

View file

@ -13,8 +13,6 @@ pub struct Profile {
pub avatar_color: Option<String>,
pub email: String,
pub id: String,
#[serde(skip_serializing_if = "Option::is_none")]
pub master_password_hint: Option<String>,
pub security_stamp: String,
pub object: String,
pub premium_from_organization: bool,
@ -47,7 +45,6 @@ impl Profile {
name: user.name,
avatar_color: user.avatar_color,
email: user.email,
master_password_hint: user.master_password_hint,
security_stamp: user.security_stamp,
object: "profile".to_string(),
premium_from_organization: false,

View file

@ -144,6 +144,13 @@ pub struct RegisterRequest {
pub kdf_parallelism: Option<i32>, // Argon2 parallelism parameter (1-16)
}
// For POST /accounts/password-hint request
#[derive(Debug, Deserialize)]
#[serde(rename_all = "camelCase")]
pub struct PasswordHintRequest {
pub email: String,
}
#[derive(Debug, Deserialize)]
#[serde(rename_all = "camelCase")]
pub struct KeyData {

View file

@ -30,6 +30,7 @@ pub fn api_router(env: Env) -> Router {
.route("/api/sync", get(sync::get_sync_data))
// For on-demand sync checks
.route("/api/accounts/revision-date", get(accounts::revision_date))
.route("/api/accounts/password-hint", post(accounts::password_hint))
.route("/api/accounts/tasks", get(accounts::get_tasks))
.route("/api/accounts/profile", get(accounts::get_profile))
.route("/api/accounts/profile", post(accounts::post_profile))