Skip to content

feat(login): add LOGIN_SHOW_TOTP and LOGIN_SHOW_VERSION config flags#520

Open
maartendra wants to merge 1 commit into
bulwarkmail:mainfrom
maartendra:feat/login-show-totp-version
Open

feat(login): add LOGIN_SHOW_TOTP and LOGIN_SHOW_VERSION config flags#520
maartendra wants to merge 1 commit into
bulwarkmail:mainfrom
maartendra:feat/login-show-totp-version

Conversation

@maartendra

Copy link
Copy Markdown
Contributor

What

Adds two opt-out login/branding flags, both default true (no behaviour change for existing deployments):

  • LOGIN_SHOW_TOTP — set false to hide the manual "I have a 2FA code" toggle on the login form.
  • LOGIN_SHOW_VERSION — set false to hide the build version in the login footer.

Refs #519 (covers the two cleanest items from that issue).

Why

  • LOGIN_SHOW_TOTP — when Bulwark's mail server delegates auth to an external directory (LDAP/OIDC) and 2FA lives in the upstream IdP, the server has no per-account TOTP. The manual toggle then only ever leads to a failed login — dead, confusing UI. This lets such deployments hide it. Server-required TOTP is unaffected: when the server returns totp_required, the field still auto-shows (the flag only gates the manual opt-in button).
  • LOGIN_SHOW_VERSION — the footer currently shows the exact build version to unauthenticated visitors, a needless information disclosure (eases CVE targeting). This lets operators turn it off.

How

Wired through the existing config flow, matching the surrounding LOGIN_* options:

  • CONFIG_ENV_MAP in lib/admin/types.ts (two boolean entries, default true)
  • /api/config response (app/api/config/route.ts)
  • useConfig (hooks/use-config.ts)
  • consumed in app/(main)/[locale]/login/page.tsx

Notes

  • Both default true, so existing installs are unchanged.
  • Small diff (4 files, +27/-4), no new deps.
  • I run this branched off main; followed CONTRIBUTING.md conventions. I wasn't able to run npm run typecheck / lint in my environment, but the change mirrors the existing config plumbing 1:1 — happy to adjust to match any conventions I missed.

We run Bulwark in production (white-labelled) and are glad to test patches/iterate.

Two opt-out branding/login flags, both default true (no behaviour change
for existing deployments):

- LOGIN_SHOW_TOTP=false hides the manual "I have a 2FA code" toggle on the
  login form. Deployments that delegate auth to an external directory
  (LDAP/OIDC) where 2FA lives in the IdP have no server-side TOTP, so the
  toggle only ever leads to a failed login. Server-required TOTP
  (totp_required, which auto-shows the field) is unaffected.
- LOGIN_SHOW_VERSION=false hides the build version in the login footer, so
  the exact version isn't disclosed to unauthenticated visitors.

Wired through the existing config registry (CONFIG_ENV_MAP) → /api/config →
useConfig, matching the surrounding LOGIN_* options.

Refs bulwarkmail#519.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant