From ba48ca68fc165be704af50171242f656e79fe685 Mon Sep 17 00:00:00 2001
From: Mathijs van Veluw
Date: Tue, 12 Nov 2024 11:09:28 +0100
Subject: [PATCH] fix hibp username encoding and pw hint check (#5180)
* fix hibp username encoding
Signed-off-by: BlackDex
* Fix password-hint check
Signed-off-by: BlackDex
---------
Signed-off-by: BlackDex
---
 src/api/core/accounts.rs | 2 +-
 src/api/core/mod.rs | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/api/core/accounts.rs b/src/api/core/accounts.rs
index e6654add..4e566bc9 100644
--- a/src/api/core/accounts.rs
+++ b/src/api/core/accounts.rs
@@ -842,7 +842,7 @@ struct PasswordHintData {
 #[post("/accounts/password-hint", data = "")]
 async fn password_hint(data: Json, mut conn: DbConn) -> EmptyResult {
- if !CONFIG.mail_enabled() && !CONFIG.show_password_hint() {
+ if !CONFIG.mail_enabled() || !CONFIG.show_password_hint() {
 err!("This server is not configured to provide password hints.");
 }
diff --git a/src/api/core/mod.rs b/src/api/core/mod.rs
index 1638afe5..75c63c16 100644
--- a/src/api/core/mod.rs
+++ b/src/api/core/mod.rs
@@ -136,8 +136,8 @@ async fn put_eq_domains(data: Json, headers: Headers, conn: DbC
 #[get("/hibp/breach?")]
 async fn hibp_breach(username: &str, _headers: Headers) -> JsonResult {
+ let username: String = url::form_urlencoded::byte_serialize(username.as_bytes()).collect();
 if let Some(api_key) = crate::CONFIG.hibp_api_key() {
- let username: String = url::form_urlencoded::byte_serialize(username.as_bytes()).collect();
 let url = format!(
 "https://haveibeenpwned.com/api/v3/breachedaccount/{username}?truncateResponse=false&includeUnverified=false"
 );
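Review bot: The guard at the top of `password_hint` now refuses the request unless both `mail_enabled()` and `show_password_hint()` are true, and the hunk carries no comment saying that this is the intended policy. If the two settings are alternative delivery paths (inferred from their names; the body continues outside the hunk), a server with mail enabled and on-page hints switched off would stop serving hints at all, and any later branch that handles the mail-disabled case would become unreachable. The handler's signature shows no `Headers` guard, so it is presumably reachable without a session and failing closed is the safer default, but the rule should be written down: `// Hints are only served when mail is enabled AND show_password_hint is on` above the `if`. A test per combination of the two flags would pin whichever behaviour is meant.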
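Review bot: `form_urlencoded::byte_serialize` applies the `application/x-www-form-urlencoded` rules, so a space in `username` becomes `+`, which is a literal plus sign once the value sits in the path segment of `/breachedaccount/{username}`. Path-style percent-encoding fits that position better, for example `let username = percent_encoding::utf8_percent_encode(username, percent_encoding::NON_ALPHANUMERIC).to_string();` if that crate is available to the project. The value is request-supplied and the function continues past the hunk, so every later use depends on this one shadowing binding; a comment such as `// Encode once, before branching, so no code path below sees the raw query value` would keep a later refactor from moving it back inside the `if let`.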