Hide secret tokens in webhook settings form

Background

Follow-up from https://gitlab.com/gitlab-org/gitlab/-/issues/336154#note_916513332

We have URL and token fields there, which are encrypted in the DB but shown as clear-text fields in the UI.

Proposal

Use type="password" for the Secret token field input. We also have to make sure that the values are not exposed to the frontend, and blank values are correctly handled by the backend (keeping the current value).

We also might need some additional UX (alternative labels/help texts, dummy placeholder) like we have on the integration forms.

The URL is also shown in other places (e.g. the list of webhooks), so it would be trickier to hide that. Also see #218389 (closed) for that.

Availability & Testing

Suggestions:

  • Run package-and-qa on the MR
  • Add feature test around WebHook secrets
    • Secret field should be a type="password"
    • document.querySelector(<secretfield>).value should not contain secret
Edited by Sean Gregory
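
The behaviour the proposal asks for, as an added plain-Ruby sketch (not GitLab's code and not part of the original issue): the form never renders the stored token, and a blank submission keeps the current value. `Hook`, `token_input_html`, `apply_update`, `MASK` and the `clear_token` parameter are hypothetical names; `clear_token` is an assumption added so a token can still be removed once blank means "keep".

```ruby
require 'cgi'

# Hypothetical stand-in for a stored webhook record (not GitLab's model).
Hook = Struct.new(:url, :token)

# Dummy placeholder shown when a token is already stored. It is a constant,
# so it reveals neither the secret nor its length.
MASK = '************'

# Render the Secret token input. It is type="password" and carries no value
# attribute, so the stored secret never reaches the DOM or the page source.
def token_input_html(hook)
  placeholder = hook.token.to_s.empty? ? '' : MASK
  %(<input type="password" name="hook[token]" autocomplete="new-password" ) +
    %(placeholder="#{CGI.escapeHTML(placeholder)}">)
end

# Apply submitted params on the backend.
# - blank or missing token: keep the current value (the form always submits
#   blank unless the user typed a new token)
# - clear_token == '1' (assumed explicit flag): remove the token
# - anything else: rotate to the submitted token
def apply_update(hook, params)
  hook.url = params[:url] if params.key?(:url)
  if params[:clear_token] == '1'
    hook.token = nil
  elsif !params[:token].to_s.strip.empty?
    hook.token = params[:token]
  end
  hook
end

if __FILE__ == $PROGRAM_NAME
  hook = Hook.new('https://example.test/hook', 's3cr3t-constructed') # constructed sample
  puts token_input_html(hook)
  apply_update(hook, { url: 'https://example.test/new', token: '' })
  puts "token kept: #{hook.token == 's3cr3t-constructed'}"
end
```

The two checks listed under Availability & Testing map onto this directly: the rendered input is `type="password"`, and its markup contains no trace of the stored secret.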