fix(auth): remove username leak from public /api/auth/status endpoint (#1055)

The authStatus() controller previously returned the first user's
username to unauthenticated clients. The frontend never used this
value — `fetchAuthStatus()` in LoginView.vue discards the return
value entirely. Remove the field to prevent username enumeration.

Changes:
- server: drop `username` from authStatus response body
- server: remove unused `findFirstUser` import
- client: remove `username` from AuthStatus interface
GoldenFishX
2026-05-27 11:25:29 +08:00
committed by GitHub
parent eca06faaa0
commit 6647dc9bc8
2 changed files with 0 additions and 4 deletions
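--- a/<client-auth-api-path-not-on-page>
+++ b/<client-auth-api-path-not-on-page>
@@ -2,7 +2,6 @@ import { request } from './client'
 export interface AuthStatus {
 hasPasswordLogin: boolean
-username: string | null
 hasUsers?: boolean
 }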
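--- a/<server-auth-controller-path-not-on-page>
+++ b/<server-auth-controller-path-not-on-page>
@@ -8,7 +8,6 @@ import {
 countUsers,
 createUser,
 deleteUser,
-findFirstUser,
 findUserById,
 findUserByUsername,
 listUsers,
@@ -27,10 +26,8 @@ import { listProfileNamesFromDisk } from '../services/hermes/hermes-profile'
 * Check if username/password login is configured (public).
 */
 export async function authStatus(ctx: Context) {
-const firstUser = findFirstUser()
 ctx.body = {
 hasPasswordLogin: true,
-username: firstUser?.username || DEFAULT_USERNAME,
 hasUsers: countUsers() > 0,
 }
 }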
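Review bot: `DEFAULT_USERNAME` was referenced only by the removed `username:` line in this hunk, yet the commit drops just the `findFirstUser` import; if `DEFAULT_USERNAME` is imported or declared solely for that use it is now an unused binding and should go too, otherwise `noUnusedLocals` or the linter will flag it. The function's JSDoc still reads only "Check if username/password login is configured" while `hasPasswordLogin` is hard-coded `true` and the body still discloses `hasUsers` to unauthenticated clients, so since this commit is about what the public endpoint reveals, the contract deserves stating: `* Public, unauthenticated. Deliberately exposes only whether password login is enabled and whether any account exists (needed before first-run setup); must never include usernames or other account identifiers.` That `hasUsers` is needed by the setup flow is inferred from its being kept, so confirm before wording the comment that way. The `import {` statement edited in the first hunk of this file begins outside the hunk's view.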