return stub user from users/show to unauthorized clients

packages/backend/src/core/entities/UserEntityService.ts

@@ -401,7 +401,7 @@ export class UserEntityService implements OnModuleInit {
 		return `${this.config.url}/users/${userId}`;
 	}
 
-	public async pack<S extends 'MeDetailed' | 'UserDetailedNotMe' | 'UserDetailed' | 'UserLite' = 'UserLite'>(
+	public async pack<S extends 'MeDetailed' | 'UserDetailedNotMe' | 'UserDetailed' | 'UserLite' | 'UserLogin' = 'UserLite'>(
 		src: MiUser['id'] | MiUser,
 		me?: { id: MiUser['id']; } | null | undefined,
 		options?: {
@@ -510,7 +510,30 @@ export class UserEntityService implements OnModuleInit {
 		const checkHost = user.host == null ? this.config.host : user.host;
 		const notificationsInfo = isMe && isDetailed ? await this.getNotificationsInfo(user.id) : null;
 
-		const packed = {
+		const packed = opts.schema === 'UserLogin' ? {
+			id: user.id,
+			name: user.username,
+			username: user.username,
+			host: user.host,
+			avatarUrl: this.getIdenticonUrl(user),
+			noindex: user.noindex,
+			instance: user.host ? this.federatedInstanceService.federatedInstanceCache.fetch(user.host).then(instance => instance ? {
+				name: instance.name,
+				softwareName: instance.softwareName,
+				softwareVersion: instance.softwareVersion,
+				iconUrl: instance.iconUrl,
+				faviconUrl: instance.faviconUrl,
+				themeColor: instance.themeColor,
+			} : undefined) : undefined,
+
+			...(isDetailed ? {
+				twoFactorEnabled: profile!.twoFactorEnabled,
+				usePasswordLessLogin: profile!.usePasswordLessLogin,
+				securityKeys: profile!.twoFactorEnabled
+					? this.userSecurityKeysRepository.countBy({ userId: user.id }).then(result => result >= 1)
+					: false,
+			} : {}),
+		} : {
 			id: user.id,
 			name: user.name,
 			username: user.username,

packages/backend/src/server/api/endpoints/users/show.ts

@@ -16,12 +16,13 @@ import { RoleService } from '@/core/RoleService.js';
 import { ApiError } from '../../error.js';
 import { ApiLoggerService } from '../../ApiLoggerService.js';
 import type { FindOptionsWhere } from 'typeorm';
+import type { Config } from '@/config.js';
 
 export const meta = {
 	tags: ['users'],
 
 	requireCredential: false,
-	requireCredentialSecureMode: true,
+	requireCredentialSecureMode: false, // Handle secure mode below
 
 	description: 'Show the properties of a user.',
 
@@ -83,6 +84,9 @@ export const paramDef = {
 @Injectable()
 export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-disable-line import/no-default-export
 	constructor(
+		@Inject(DI.config)
+		private config: Config,
+
 		@Inject(DI.usersRepository)
 		private usersRepository: UsersRepository,
 
@@ -148,8 +152,10 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 					}
 				}
 
+				const allowRequest = me != null || !this.config.secureApiMode;
+
 				return await this.userEntityService.pack(user, me, {
-					schema: 'UserDetailed',
+					schema: allowRequest ? 'UserDetailed' : 'UserLogin',
 				});
 			}
 		});