Remove password hint responses from API (#10523)

* Log reloading behavior * Remove hints from responses. changing password implies updating the hint, but no longer displays the old one. This is a security risk for shoulder surfing and breaks the escrow model we have where it is only shared via email when requested. * Update change password hint label
2025-12-15 07:43:35 +00:00 · 2024-08-23 10:51:42 -07:00
parent aa7c9685b6
commit c2829cd71b
7 changed files with 12 additions and 12 deletions
--- a/apps/web/src/app/auth/settings/account/profile.component.ts
+++ b/apps/web/src/app/auth/settings/account/profile.component.ts
@@ -62,10 +62,7 @@ export class ProfileComponent implements OnInit, OnDestroy {
  }

  submit = async () => {
-    const request = new UpdateProfileRequest(
-      this.formGroup.get("name").value,
-      this.profile.masterPasswordHint,
-    );
+    const request = new UpdateProfileRequest(this.formGroup.get("name").value);
    await this.apiService.putProfile(request);
    this.platformUtilsService.showToast("success", null, this.i18nService.t("accountUpdated"));
  };
--- a/apps/web/src/app/auth/settings/change-password.component.html
+++ b/apps/web/src/app/auth/settings/change-password.component.html
@@ -111,7 +111,7 @@
    </div>
  </div>
  <div class="form-group">
-    <label for="masterPasswordHint">{{ "masterPassHintLabel" | i18n }}</label>
+    <label for="masterPasswordHint">{{ "newMasterPassHint" | i18n }}</label>
    <input
      id="masterPasswordHint"
      class="form-control"
--- a/apps/web/src/app/auth/settings/change-password.component.ts
+++ b/apps/web/src/app/auth/settings/change-password.component.ts
@@ -83,7 +83,6 @@ export class ChangePasswordComponent
      this.router.navigate(["/settings/security/two-factor"]);
    }

-    this.masterPasswordHint = (await this.apiService.getProfile()).masterPasswordHint;
    await super.ngOnInit();

    this.characterMinimumMessage = this.i18nService.t("characterMinimum", this.minimumLength);
@@ -138,7 +137,10 @@ export class ChangePasswordComponent
  }

  async submit() {
-    if (this.masterPasswordHint != null && this.masterPasswordHint == this.masterPassword) {
+    if (
+      this.masterPasswordHint != null &&
+      this.masterPasswordHint.toLowerCase() === this.masterPassword.toLowerCase()
+    ) {
      this.platformUtilsService.showToast(
        "error",
        this.i18nService.t("errorOccurred"),
--- a/apps/web/src/locales/en/messages.json
+++ b/apps/web/src/locales/en/messages.json
@@ -905,6 +905,9 @@
  "masterPassHint": {
    "message": "Master password hint (optional)"
  },
+  "newMasterPassHint": {
+    "message": "New master password hint (optional)"
+  },
  "masterPassHintLabel": {
    "message": "Master password hint"
  },