Hide secret tokens in webhook settings form
Background
Follow-up from https://gitlab.com/gitlab-org/gitlab/-/issues/336154#note_916513332
We have a
url
andtoken
field there, which are encrypted in the DB but shown as clear-text fields in the UI.
Proposal
Use type="password"
for the Secret token
field input. We also have to make sure that the values are not exposed to the frontend, and blank values are correctly handled by the backend (keeping the current value).
We also might need some additional UX (alternative labels/help texts, dummy placeholder) like we have on the integration forms,
The URL is also shown in other places (e.g. the list of webhooks), so it would be trickier to hide that. Also see #218389 (closed) for that.
Availability & Testing
Suggestions:
- Run
package-and-qa
on the MR - Add feature test around WebHook secrets
- Secret field should be a type="password"
-
document.querySelector(<secretfield>).value
should not contain secret
Edited by Sean Gregory