feat: add privacy settings #2072
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add two privacy settings, one that disables account enumeration and one that only returns actual configured login methods of the user.
lfleischmann
approved these changes
Mar 10, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Add two privacy settings, one that disables account enumeration protection (
show_account_existence_hints) and one that only returns actual configured login methods of the user (only_show_actual_login_methods).Although otherwise discussed these two settings also have an effect when email verification is disabled. And therefore the settings are added to a
privacysection in the settings.Implementation
Added some checks that if the settings are enabled an error might be returned e.g. the account or email does not exist.
Tests
Enable and disable email, email.use_for_authentication , username, password and check that errors are returned when user already exists or does not exists and that only authentication methods are returned that the user has configures.
MFA methods are not changed because they are only already returned when they are configured by the user.
Todos
We should add a page in the docs that describes these two settings.