From e927b8aa5ec8f0352bfb2ff95a996a89389959ff Mon Sep 17 00:00:00 2001
From: Mathijs van Veluw <black.dex@gmail.com>
Date: Tue, 12 Nov 2024 15:48:39 +0100
Subject: [PATCH 1/2] Remove auth-request deletion (#5184)

2FA is needed to login even when using login-with-device.
If the user didn't saved the 2FA token they still need to provide this.
We deleted the auth-request after validation the request, but before 2FA was triggered.

Removing the deletion of this record from that point as it will get cleaned-up automatically anyways.

Signed-off-by: BlackDex <black.dex@gmail.com>
---
 src/api/identity.rs | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/src/api/identity.rs b/src/api/identity.rs
index 003e4d97..f2618164 100644
--- a/src/api/identity.rs
+++ b/src/api/identity.rs
@@ -190,9 +190,6 @@ async fn _password_login(
             )
         };
 
-        // Delete the request after we used it
-        auth_request.delete(conn).await?;
-
         if auth_request.user_uuid != user.uuid
             || !auth_request.approved.unwrap_or(false)
             || ip.ip.to_string() != auth_request.request_ip

From adb21d5c1acfef9bd06d1ad9cdf3b916b38b201b Mon Sep 17 00:00:00 2001
From: Stefan Melmuk <509385+stefan0xC@users.noreply.github.com>
Date: Tue, 12 Nov 2024 21:22:25 +0100
Subject: [PATCH 2/2] fix password hint check (#5189)

* fix password hint check

don't show password hints if you have disabled the hints with
PASSWORD_HINTS_ALLOWED=false or if you have not configured mail and
opted into showing password hints

* update descriptions for pw hints options
---
 .env.template            | 7 ++++---
 src/api/core/accounts.rs | 2 +-
 src/config.rs            | 8 ++++----
 3 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/.env.template b/.env.template
index 5a8686d5..075689e9 100644
--- a/.env.template
+++ b/.env.template
@@ -280,12 +280,13 @@
 ## The default for new users. If changed, it will be updated during login for existing users.
 # PASSWORD_ITERATIONS=600000
 
-## Controls whether users can set password hints. This setting applies globally to all users.
+## Controls whether users can set or show password hints. This setting applies globally to all users.
 # PASSWORD_HINTS_ALLOWED=true
 
 ## Controls whether a password hint should be shown directly in the web page if
-## SMTP service is not configured. Not recommended for publicly-accessible instances
-## as this provides unauthenticated access to potentially sensitive data.
+## SMTP service is not configured and password hints are allowed.
+## Not recommended for publicly-accessible instances because this provides
+## unauthenticated access to potentially sensitive data.
 # SHOW_PASSWORD_HINT=false
 
 #########################
diff --git a/src/api/core/accounts.rs b/src/api/core/accounts.rs
index 4e566bc9..7c3919ad 100644
--- a/src/api/core/accounts.rs
+++ b/src/api/core/accounts.rs
@@ -842,7 +842,7 @@ struct PasswordHintData {
 
 #[post("/accounts/password-hint", data = "<data>")]
 async fn password_hint(data: Json<PasswordHintData>, mut conn: DbConn) -> EmptyResult {
-    if !CONFIG.mail_enabled() || !CONFIG.show_password_hint() {
+    if !CONFIG.password_hints_allowed() || (!CONFIG.mail_enabled() && !CONFIG.show_password_hint()) {
         err!("This server is not configured to provide password hints.");
     }
 
diff --git a/src/config.rs b/src/config.rs
index 61a47b76..244499d0 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -497,11 +497,11 @@ make_config! {
         /// Password iterations |> Number of server-side passwords hashing iterations for the password hash.
         /// The default for new users. If changed, it will be updated during login for existing users.
         password_iterations:    i32,    true,   def,    600_000;
-        /// Allow password hints |> Controls whether users can set password hints. This setting applies globally to all users.
+        /// Allow password hints |> Controls whether users can set or show password hints. This setting applies globally to all users.
         password_hints_allowed: bool,   true,   def,    true;
-        /// Show password hint |> Controls whether a password hint should be shown directly in the web page
-        /// if SMTP service is not configured. Not recommended for publicly-accessible instances as this
-        /// provides unauthenticated access to potentially sensitive data.
+        /// Show password hint (Know the risks!) |> Controls whether a password hint should be shown directly in the web page
+        /// if SMTP service is not configured and password hints are allowed. Not recommended for publicly-accessible instances
+        /// because this provides unauthenticated access to potentially sensitive data.
         show_password_hint:     bool,   true,   def,    false;
 
         /// Admin token/Argon2 PHC |> The plain text token or Argon2 PHC string used to authenticate in this very same page. Changing it here will not deauthorize the current session!