Disable viewing /about if not admin #303

Closed
theDepart3d opened this issue Feb 17, 2024 · 4 comments
@theDepart3d

Is your feature request related to a problem? Please describe.
Yes, it is a security risk having the about view display all the app information on a production server.

Describe the solution you'd like
The /about view should only be visible by admins and when the app is in debug mode.

@Bubka
Owner

Bubka commented Feb 17, 2024

Currently the /about view is visible to authenticated users only. The view contains two information blocks, Environment and User preferences. When authenticated with an admin account, an additional block is visible, Admin settings. I don't think this is a security risk as long as that information is only visible to authenticated users.

@Trapulo

Trapulo commented Feb 20, 2024

Also, it is better that Environment is reserved to admins: it allows standard users (who do not need this kind of information) to discover data about the runtime (bugs).

@theDepart3d
Author

Currently the /about view is visible to authenticated users only. The view contains two information blocks, Environment and User preferences. When authenticated with an admin account, an additional block is visible, Admin settings. I don't think this is a security risk as long as that information is only visible to authenticated users.

It might not be a security risk right now, but it could be in the future; removing the environment variables would keep the server's backend information away from the public if the instance is reachable via WAN.

For Example:

Date: Wed, 21 Feb 2024 08:30:17 
userAgent: -----------
Version: 5.0.3
Environment: production
Install path: /
Debug: false
Cache driver: file
Log channel: daily
Log level:
DB driver: sqlite
PHP version: 8.2.0
Operating system: Linux
interface: apache2handler
Auth guard: web-guard
webauthn user verification: preferred
Trusted proxies: none

If I were an attacker, this is what I would now know about my system.

He knows:

  1. The server's exact time
  2. The 2FAuth version
  3. The Environment is set to production
  4. Where the install path is (/ = root)
  5. The system has disabled debug mode
  6. How the app is handling cache and logging
  7. What database I am using
  8. What PHP version is running on the server, the operating system and the apache2/nginx handler
  9. He now knows what auth guard I'm using
  10. He knows WebAuthn is preferred
  11. All my trusted proxies

Knowing all that information can lead to a security risk as there are multiple points of failure:

  • OS
  • db type
  • app version
  • php version and interface
  • trusted proxies

Something like this would be perfect, leaving out all the backend information on the /about page:

[screenshot: clean]

@Bubka
Owner

Bubka commented Feb 21, 2024

The purpose of those blocks is to ease the collection of debugging information, so I don't want to totally remove them. As 2FAuth is now multi-user, I agree they could be restricted to administrators. I think I will move the Environment block, as well as the Admin block, to the new admin section I'm working on. I already made the User preferences block visible in this admin section, so the About page could be cleared as you suggest indeed.

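One way to implement what the maintainer describes above, restricting the Environment block to administrators, is a Laravel gate plus a `can:` middleware on a separate admin route, as in the added example below. This is illustrative code written for this page, not 2FAuth's own implementation or its real routes; the `is_admin` attribute on the User model, the `/admin/environment` path, the `preferences` attribute and the `2fauth.version` config key are assumptions, while `app.env`, `app.debug`, `cache.default`, `logging.default` and `database.default` are standard Laravel config keys.

```php
<?php
// routes/web.php (added example, not 2FAuth's own code). Laravel routes that
// move the Environment block off the /about page, where any authenticated
// user could read it, onto an admin-only endpoint. Assumptions (not from the
// project): the User model has a boolean `is_admin` attribute and a
// `preferences` attribute, the route paths, and the `2fauth.version` config key.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\Facades\Route;

// Gate that decides who may read runtime details. In a real app this belongs
// in a service provider's boot(); it is defined here to keep the example in
// one file. Guests never reach the callback: Gate returns false for them.
Gate::define('view-environment', fn ($user) => (bool) $user->is_admin);

// The environment block, built from standard Laravel config keys and PHP
// constants. No single value is a secret, but together they are reconnaissance
// (PHP version, OS, DB driver, app version), which is why the block is no
// longer exposed to every user.
$environmentInfo = function (): array {
    return [
        'Version'          => config('2fauth.version', 'unknown'), // assumed key
        'Environment'      => config('app.env'),
        'Debug'            => (bool) config('app.debug'),
        'Cache driver'     => config('cache.default'),
        'Log channel'      => config('logging.default'),
        'DB driver'        => config('database.default'),
        'PHP version'      => PHP_VERSION,
        'Operating system' => PHP_OS_FAMILY,
        'interface'        => PHP_SAPI,
    ];
};

// BEFORE: the state discussed in the issue, runtime details visible to any
// authenticated user.
// Route::middleware('auth')->get('/about', fn (Request $request) => view('about', [
//     'environment' => $environmentInfo(),
//     'preferences' => $request->user()->preferences,
// ]));

// AFTER: /about keeps only per-user data; runtime details sit behind the gate.
Route::middleware('auth')->group(function () use ($environmentInfo) {
    Route::get('/about', function (Request $request) {
        return view('about', [
            'preferences' => $request->user()->preferences, // assumed attribute
        ]);
    });

    // `can:view-environment` answers 403 for non-admins before the closure runs,
    // so the environment array is never even built for them.
    Route::middleware('can:view-environment')
        ->get('/admin/environment', function () use ($environmentInfo) {
            return response()->json($environmentInfo());
        });
});
```

With this layout a regular user who requests `/admin/environment` gets a 403 from the `Authorize` middleware, and an unauthenticated client is redirected by `auth` before the gate is consulted. If you would rather not reveal that the admin endpoint exists at all, have the gate's failure path `abort(404)` instead of the default 403.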
@Bubka Bubka added this to the 5.0.4 milestone Feb 22, 2024
@Bubka Bubka modified the milestones: 5.0.4, 5.1.0 Feb 23, 2024
@Bubka Bubka removed the request label Mar 7, 2024
@Bubka Bubka closed this as completed in 21fa77f Mar 15, 2024
Projects
Status: Released