Display user's email address in AtLogin (not fully logged in)?

When 2FA is enforced and a user has not yet set up any Two-Factor provider, the Login Flow asks the user which they want to enable. I’m working on twofactor_email v3 and have simplified it. If a user has a primary email set, they can just enable it, without verification.

I want to provide some feedback to the user in the AtLogin vue. There (not fully logged in), while enabling the provider ‘enabled’ state, I display the primary email address, so that the user knows which mail account to check. This is what 3.0.3-beta.4 implements.

I managed it using @nextcloud/initial-state. I just wonder whether there is a way to read this user attribute from some JS API without having to provide it on the server side? This would probably weaken 2FA since it reveals information about the user.

So should I remove displaying the primary email address for security reasons?

I think this is for @nickvergessen


In 3.0.3-beta.5 I added a server-side filter and only export the email hint to the frontend in this form now: first-character+‘*@*’+TLD (while TLD is only shown if it’s not a local address). So user@domain.de → u*@*.de and user@localhost → u*@*. This way, it should not be a security concern. If an admin wants higher security, then twofactor_email probably should not be enabled since its transport bears inherent risks.
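
The hint format described in the post above (first character + `*@*` + TLD, with the TLD omitted for local addresses), as an added PHP example. This is not twofactor_email's own code; the function name `maskEmailHint` and the handling of malformed input and address literals are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not twofactor_email's actual code): build the hint
 * "first character + *@* + TLD" on the server, so the full address is never
 * sent to a session that has only passed the first factor.
 */
function maskEmailHint(string $email): ?string {
    $email = trim($email);
    $at = strrpos($email, '@');   // the last '@' separates local part and domain
    if ($at === false || $at === 0) {
        return null;              // malformed: show no hint rather than echo raw input
    }

    $local  = substr($email, 0, $at);
    $domain = rtrim(substr($email, $at + 1), '.');
    if ($domain === '') {
        return null;              // nothing usable after the '@'
    }

    // First character, multibyte-safe where mbstring is available.
    $first = function_exists('mb_substr')
        ? mb_substr($local, 0, 1, 'UTF-8')
        : $local[0];

    // Assumption: a domain without a dot (e.g. "localhost") or an address
    // literal such as "[192.0.2.1]" counts as local, so no TLD is shown.
    $dot = strrpos($domain, '.');
    if ($dot === false || $domain[0] === '[') {
        return $first . '*@*';
    }

    return $first . '*@*' . substr($domain, $dot);   // keeps the leading dot of the TLD
}

// Constructed sample addresses, including the two from the post.
$samples = ['user@domain.de', 'user@localhost', 'ünal@mail.example.org', 'not-an-address'];
foreach ($samples as $sample) {
    printf("%s => %s\n", $sample, maskEmailHint($sample) ?? '(no hint)');
}
```

Only the return value of such a function would be passed to the frontend as initial state; the unmasked address stays on the server until the login is complete.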