@ysinghc ysinghc commented Nov 11, 2025

Why submit this pull request?

  • Bugfix
  • New feature provided
  • Improve performance
  • Backport patches

What changes will this PR take into?

This PR enhances security by masking sensitive data fields in the APISIX Dashboard UI:

Changes Made:

  1. New PasswordInput Component (PasswordInput.tsx)

    • Created a reusable form component for sensitive data fields
    • Built on Mantine's PasswordInput with proper form validation integration
    • Supports reveal/hide toggle for user convenience while maintaining security
  2. Updated Secret Management Forms (FormPartSecret.tsx)

    • Replaced TextInput with PasswordInput for sensitive fields:
      • Vault secrets: token field
      • AWS secrets: access_key_id, secret_access_key, session_token fields
      • GCP secrets: private_key field
  3. Updated Settings Modal (SettingsModal.tsx)

    • Changed Admin Key input from TextInput to PasswordInput
    • Prevents accidental exposure of admin credentials
  4. Updated E2E Tests

    • Modified test selectors in auth.spec.ts to work with PasswordInput component
    • Updated test.ts authentication helper to use proper selectors
  5. Code Consistency (i18n.ts)

    • Reordered import statements alphabetically for better maintainability

Security Benefits:

  • Passwords, tokens, and keys are now masked by default
  • Reduces risk of shoulder surfing and accidental exposure
  • Maintains usability with toggle visibility option
  • Consistent UX across all sensitive field inputs

Related issues

fixes #3218

Checklist:

  • Did you explain what problem does this PR solve? Or what new features have been added?

    • Problem: Sensitive data (passwords, API keys, tokens) was displayed in plain text in form fields, creating a security risk
    • Solution: Implemented masked password inputs with toggle visibility for all sensitive fields
  • Have you added corresponding test cases?

    • Updated E2E tests in auth.spec.ts and test.ts to work with the new PasswordInput component
  • Have you modified the corresponding document?

    • No documentation changes required as this is a UI improvement that doesn't change the API or user workflows
  • Is this PR backward compatible? If it is not backward compatible, please discuss on the mailing list first

    • Yes, fully backward compatible. This change only affects the UI rendering of form inputs. All data handling, API interactions, and existing configurations remain unchanged.

@ysinghc ysinghc marked this pull request as draft November 11, 2025 20:00
@ysinghc ysinghc marked this pull request as ready for review November 12, 2025 10:30
Contributor

@Baoyuantop Baoyuantop left a comment

Another test is needed to verify the password input field switching between showing and hiding.

Author

ysinghc commented Nov 17, 2025

I will add it ASAP. I am having trouble testing my changes because my Docker container keeps crashing mid-test, so it might take some time.
Sorry for the sloppiness in this PR; I will ensure the quality in future contributions.

@ysinghc ysinghc requested a review from Baoyuantop November 17, 2025 18:58
@Baoyuantop Baoyuantop changed the title from "Fix/mask sensitive fields" to "fix: mask sensitive fields" Nov 18, 2025
@Baoyuantop Baoyuantop requested a review from SkyeYoung November 18, 2025 06:47
Successfully merging this pull request may close these issues.

bug: Sensitive keys and tokens are visible in the APISIX Dashboard
