Secret values in the admin should be obfuscated #6294

Open
jptissot opened this issue May 28, 2020 · 1 comment
jptissot (Member) commented May 28, 2020

When we input a secret in the admin (the Google authentication module's "API secret key", for example), the value should not be returned to the client when visiting the page a second time. Currently, the secret is decrypted and is passed back to the client in a password field, but the value is available in the browser's dev tools. I think we should instead use a magic string that would tell the server side to leave the previous value untouched if the user saves the form a second time without modifying the value.

jptissot changed the title from "Secret keys should be obfuscated" to "Secret values in the admin should be obfuscated" on May 28, 2020

sebastienros added this to the 1.0.x milestone on Jun 25, 2020

sebastienros (Member) commented

I think it's a good idea. Using blank values has some problems.
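
The magic-string approach proposed in this issue, sketched as an added example that is not part of the thread or the project's code. The sentinel value, the function names, the `demo_protect` stand-in for encryption and the rule that a blank field clears the secret are all assumptions.

```python
# Added example: sentinel handling for a secret field in a settings form.
UNCHANGED_SENTINEL = "__secret_unchanged__"  # assumed value, never a valid secret


def demo_protect(plaintext):
    """Stand-in for the server's real encryption routine (NOT encryption)."""
    return "enc:" + plaintext[::-1]


def render_secret_field(stored):
    """Value to put in the password input when the edit page is rendered.

    The decrypted secret never leaves the server: the client sees the
    sentinel if something is stored, or an empty field if nothing is.
    """
    return UNCHANGED_SENTINEL if stored else ""


def resolve_submitted_secret(submitted, stored, protect=demo_protect):
    """Return the protected value to persist after the form is saved."""
    if submitted == UNCHANGED_SENTINEL:
        if stored is None:
            # Sentinel posted although nothing is stored: stale or forged
            # form. Refuse rather than persist the sentinel as a secret.
            raise ValueError("no stored secret to keep")
        return stored                  # untouched: no decrypt, no re-encrypt
    if submitted == "":
        return None                    # assumption: blank means "clear it"
    return protect(submitted)          # admin typed a new secret


def demo():
    """Constructed walk-through: set, re-save untouched, rotate, clear."""
    states = []
    stored = resolve_submitted_secret("s3cr3t-A", None)
    states.append(stored)
    # Second visit: the page carries only the sentinel, saved unmodified.
    stored = resolve_submitted_secret(render_secret_field(stored), stored)
    states.append(stored)
    stored = resolve_submitted_secret("s3cr3t-B", stored)
    states.append(stored)
    stored = resolve_submitted_secret("", stored)
    states.append(stored)
    return states


if __name__ == "__main__":
    print(demo())
```
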
