fix(auth): remove username leak from public /api/auth/status endpoint (#1055)

The authStatus() controller previously returned the first users username to unauthenticated clients. The frontend never used this value — `fetchAuthStatus()` in LoginView.vue discards the return value entirely. Remove the field to prevent username enumeration. Changes: - server: drop `username` from authStatus response body - server: remove unused `findFirstUser` import - client: remove `username` from AuthStatus interface
2026-05-27 11:25:29 +08:00
parent eca06faaa0
commit 6647dc9bc8
2 changed files with 0 additions and 4 deletions
@@ -2,7 +2,6 @@ import { request } from './client'

 export interface AuthStatus {
  hasPasswordLogin: boolean
-  username: string | null
  hasUsers?: boolean
 }