WordPress.org
Get WordPress

Make WordPress Core

Opened 4 weeks ago

Closed 4 weeks ago

#64793 closed defect (bug) (fixed)

Options: Mask connector API keys on All Options screen

Reported by: jorgefilipecosta's profile jorgefilipecosta Owned by: jorgefilipecosta's profile jorgefilipecosta
Milestone: 7.0 Priority: normal
Severity: normal Version: trunk
Component: General Keywords: has-patch
Focuses: Cc:

Description

Description

Connector API keys are visible in plain text on the All Options screen
(wp-admin/options.php). The connectors system masks keys via
option_{$option_name} filter, but options.php queries the database
directly, bypassing get_option().

Steps to Reproduce

  1. Configure a connector API key via Settings > Connectors
  2. Navigate to wp-admin/options.php
  3. Search for connectors_

Proposed Solution

Add an elseif branch that masks options matching connectors_*_api_key
using the existing _wp_connectors_mask_api_key() function.

PR: https://github.com/WordPress/wordpress-develop/pull/11158

Change History (3)

This ticket was mentioned in PR #11158 on WordPress/wordpress-develop by @jorgefilipecosta.
4 weeks ago #1

## Summary

  • Masks connector API keys on the wp-admin/options.php page using the existing _wp_connectors_mask_api_key() function
  • Keys matching connectors_*_api_key pattern are displayed with bullets + last 4 chars
  • Fields are disabled and excluded from form submission

Ticket: https://core.trac.wordpress.org/ticket/64793#ticket

## Test plan

  • [ ] Navigate to wp-admin/options.php
  • [ ] Verify connector API keys show masked values (e.g., ••••••••••••PDU')
  • [ ] Verify the fields are disabled
  • [ ] Verify the Connectors settings page still works normally

## Screenshot
https://github.com/user-attachments/assets/b7127784-ac78-4845-b57d-d0258e16eb80

#2 @westonruter
4 weeks ago

An alternative would be to store all the keys in a single connectors_api_keys option, which would result in them getting stored as a serialized array, and thus appear as SERIALIZED DATA on the options.php screen.

#3 @jorgefilipecosta
4 weeks ago

  • Owner set to jorgefilipecosta
  • Resolution set to fixed
  • Status changed from new to closed

In 61829:

Options: Mask connector API keys on All Options screen.

Connector API keys were visible in plain text on wp-admin/options.php
because it queries the database directly, bypassing the get_option()
filter that normally masks these values.
This adds masking for options matching the connectors_*_api_key pattern
using the existing _wp_connectors_mask_api_key() function, and disables
editing from this screen.

Props jorgefilipecosta, gziolo, ocean90.
Fixes #64793.

Note: See TracTickets for help on using tickets.