From 6647dc9bc839d2d50db00c447abee2fb22d21549 Mon Sep 17 00:00:00 2001
From: GoldenFishX
Date: Wed, 27 May 2026 11:25:29 +0800
Subject: [PATCH] fix(auth): remove username leak from public /api/auth/status endpoint (#1055)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The authStatus() controller previously returned the first users username to unauthenticated clients. The frontend never used this value — `fetchAuthStatus()` in LoginView.vue discards the return value entirely. Remove the field to prevent username enumeration.

Changes:
- server: drop `username` from authStatus response body
- server: remove unused `findFirstUser` import
- client: remove `username` from AuthStatus interface
---
 packages/client/src/api/auth.ts | 1 -
 packages/server/src/controllers/auth.ts | 3 ---
 2 files changed, 4 deletions(-)

diff --git a/packages/client/src/api/auth.ts b/packages/client/src/api/auth.ts
index c2ebfd8..dee1d07 100644
--- a/packages/client/src/api/auth.ts
+++ b/packages/client/src/api/auth.ts
@@ -2,7 +2,6 @@ import { request } from './client'
 export interface AuthStatus {
   hasPasswordLogin: boolean
-  username: string | null
   hasUsers?: boolean
 }
diff --git a/packages/server/src/controllers/auth.ts b/packages/server/src/controllers/auth.ts
index 9a0b8e6..242900b 100644
--- a/packages/server/src/controllers/auth.ts
+++ b/packages/server/src/controllers/auth.ts
@@ -8,7 +8,6 @@ import {
   countUsers,
   createUser,
   deleteUser,
-  findFirstUser,
   findUserById,
   findUserByUsername,
   listUsers,
@@ -27,10 +26,8 @@ import { listProfileNamesFromDisk } from '../services/hermes/hermes-profile'
  * Check if username/password login is configured (public).
  */
 export async function authStatus(ctx: Context) {
-  const firstUser = findFirstUser()
   ctx.body = {
     hasPasswordLogin: true,
-    username: firstUser?.username || DEFAULT_USERNAME,
     hasUsers: countUsers() > 0,
   }
 }
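Review bot: The docblock above `authStatus` in the second server hunk still says `Check if username/password login is configured (public).`, yet the body now hard-codes `hasPasswordLogin: true` and the only computed field left is `hasUsers: countUsers() > 0`, which tells an unauthenticated caller whether the instance has any account at all. Since this endpoint is deliberately public, the comment should state what it exposes and why, so the next change does not reintroduce account data, e.g. `* Public, unauthenticated. Intentionally exposes only hasPasswordLogin and hasUsers (presumably needed by the client's first-run flow — confirm); never add usernames or other per-account data here.` The whole `authStatus` function is inside the hunk. Separately, `DEFAULT_USERNAME` was consumed only by the removed `username:` line in this hunk; its import is outside the hunk, so if it has no other use in the file it is now dead and should be dropped the same way `findFirstUser` was in the first server hunk.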