Comments (17)

stammw commented on May 4, 2024 2

Great,

I was planning to dive into an SMTP integration with letter and handlebars.

I'll be working on that this week!

from vaultwarden.

stammw commented on May 4, 2024 1

I hope that #175 will do the job :).

mprasil commented on May 4, 2024

We do save the hint on account creation and we also have find_by_mail implemented for User, so this one should be fairly easy to implement.

dani-garcia commented on May 4, 2024

The problem is I think that endpoint just sends an email to the user and doesn't return anything, so I'm not sure we can implement it in any way without SMTP support first.

mprasil commented on May 4, 2024

Oh, that makes things a bit more complicated. Maybe we could return an error with the hint as error message then?

dani-garcia commented on May 4, 2024

That could be possible, it depends on if the web-vault actually shows the error message sent, because in some cases it just shows a generic error message.

stammw commented on May 4, 2024

Hello,

I'd like to try to solve this one, I'm really excited to try contributing to a rocket-rs based project!

Should I implement it returning the hint into the error response, or could I try to implement a minimal SMTP support? Following these implementation and configuration?

mprasil commented on May 4, 2024

Hey, why not both? 😄

Returning the hint in the error message is an unverified concept. We're not sure the client will display it, but if it's the same as the other endpoints, it should. It should be fairly easy to test and implement though, so I'd advise starting with this.

The smtp implementation is going to be quite a lot of code. For example we need to add email verification first otherwise the api could be abused for spam. Also we need to make sure all of this will stay optional.

opcod3 commented on May 4, 2024

If it is possible to have the client display a custom error message, how about having the server optionally display the hint there? I know it's quite insecure, but it could still be useful for small/single-user installations where you are mindful of the hint being public, so it's something that's meaningful only to you. This would allow forgetful people, like me, to still get hints without the trouble of setting up SMTP.

mprasil commented on May 4, 2024

Yeah, that's the idea behind the first approach. Server can return error json data with the message as one of the fields. Normally the handler on the client side shows the message as an error notification.

stammw commented on May 4, 2024

In what form should the option be handled? There can be a boolean option like "show password hint", or the controller could return the hint only in the case of absence of a valid SMTP configuration?

mprasil commented on May 4, 2024

I think a separate option (can default to true) would be better. Some people might still want to use this hint hack even with SMTP available.

stammw commented on May 4, 2024

As mprasil pointed out, the web-vault 2.x doesn't show the error message. This hack will then be useless.

Should I try to implement SMTP then?

mprasil commented on May 4, 2024

There's a lot of functionality that would benefit from SMTP, but it's probably a bit more involved implementation to do that. If you feel like working on this @stammw and as long as it's optional, I'm sure the PR would be appreciated.

mprasil commented on May 4, 2024

Note that we've fixed an issue some time ago to show password hints via error message even in Vault 2.0, so I'm removing the "requires SMTP" tag as the feature currently works. The PR #137 is for extending the functionality to also support sending the hint via email.

mprasil commented on May 4, 2024

Now that #137 is merged, we just need to add appropriate documentation.

mprasil commented on May 4, 2024

Now that it's merged, I think we can finally close this! Great work @stammw and everyone else.
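
The behaviour discussed in this thread, written out as an added Rust example (not vaultwarden's code and not from any commenter): a separate `show_password_hint` option that returns the hint in the error JSON, with mail delivery as the alternative. All type and function names, the message texts, and the choice that the option takes precedence over SMTP are assumptions.

```rust
// Added example; every name here is hypothetical, not vaultwarden's own code.
struct User { email: String, password_hint: Option<String> }
struct Config { show_password_hint: bool, smtp_enabled: bool }

#[derive(Debug, PartialEq)]
enum HintOutcome {
    Mailed { to: String, body: String }, // hint goes to the mailbox, empty reply
    Accepted,                            // empty reply, nothing sent
    ErrorJson(String),                   // error body shown by the client
}

fn find_by_mail<'a>(users: &'a [User], mail: &str) -> Option<&'a User> {
    users.iter().find(|u| u.email.eq_ignore_ascii_case(mail))
}

// Escape the text so a hint cannot break out of the JSON "message" string.
fn error_json(msg: &str) -> HintOutcome {
    let mut esc = String::new();
    for c in msg.chars() {
        match c {
            '"' => esc.push_str("\\\""),
            '\\' => esc.push_str("\\\\"),
            c if (c as u32) < 0x20 => esc.push_str(&format!("\\u{:04x}", c as u32)),
            c => esc.push(c),
        }
    }
    HintOutcome::ErrorJson(format!("{{\"message\":\"{}\"}}", esc))
}

fn password_hint(users: &[User], cfg: &Config, mail: &str) -> HintOutcome {
    let found = find_by_mail(users, mail)
        .and_then(|u| u.password_hint.as_deref().map(|h| (u.email.as_str(), h)));
    match (cfg.show_password_hint, cfg.smtp_enabled, found) {
        // Hint mode: whoever knows the address reads the hint, so an admin can switch it off.
        (true, _, Some((_, h))) => error_json(&format!("Your password hint is: {}", h)),
        (true, _, None) => error_json("No password hint available"),
        // Mail mode: only the mailbox owner sees it; unknown accounts look the same.
        (false, true, Some((to, h))) => HintOutcome::Mailed {
            to: to.to_string(), body: format!("Your password hint is: {}", h) },
        (false, true, None) => HintOutcome::Accepted,
        (false, false, _) => error_json("Password hints are disabled on this server"),
    }
}

fn main() {
    // Constructed sample account.
    let users = vec![User { email: "alice@example.test".into(), password_hint: Some("first pet".into()) }];
    let cfg = Config { show_password_hint: true, smtp_enabled: false };
    println!("{:?}", password_hint(&users, &cfg, "alice@example.test"));
}
```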
