Merge pull request #389 from JLG-WOCFR-DEV/codex/mask-secrets-in-s3-and-google-sheets-settings

JLG-WOCFR-DEV · web-flow · commit ddfa05c4c8fb · 2025-10-14T14:04:10.000+02:00
Mask sensitive credentials in export REST endpoints
diff --git a/liens-morts-detector-jlg/assets/js/blc-admin-scripts.js b/liens-morts-detector-jlg/assets/js/blc-admin-scripts.js
@@ -192,6 +192,41 @@ jQuery(document).ready(function($) {
     })();
 
     window.blcAdmin = window.blcAdmin || {};
+    window.blcAdmin.integrations = window.blcAdmin.integrations || {};
+
+    window.blcAdmin.integrations.hasStoredCredential = function(settings, key) {
+        if (!settings || typeof key !== 'string') {
+            return false;
+        }
+
+        var flag = 'has_' + key;
+        if (Object.prototype.hasOwnProperty.call(settings, flag)) {
+            return !!settings[flag];
+        }
+
+        var value = settings[key];
+
+        return typeof value === 'string' && value !== '';
+    };
+
+    window.blcAdmin.integrations.getMaskedValue = function(settings, key, placeholder) {
+        var hasFlag = false;
+
+        if (settings && typeof key === 'string') {
+            var flag = 'has_' + key;
+            hasFlag = Object.prototype.hasOwnProperty.call(settings, flag);
+        }
+
+        if (hasFlag && window.blcAdmin.integrations.hasStoredCredential(settings, key)) {
+            return typeof placeholder === 'string' && placeholder !== '' ? placeholder : '••••••••';
+        }
+
+        if (settings && typeof settings[key] === 'string') {
+            return settings[key];
+        }
+
+        return '';
+    };
 
     var toast = (function() {
         var $container = null;
diff --git a/liens-morts-detector-jlg/includes/blc-google-sheets.php b/liens-morts-detector-jlg/includes/blc-google-sheets.php
@@ -130,6 +130,30 @@ function blc_update_google_sheets_settings(array $settings)
     }
 }
 
+if (!function_exists('blc_google_sheets_prepare_settings_for_response')) {
+    /**
+     * Prepare Google Sheets settings returned by REST endpoints by masking secrets.
+     *
+     * @param array<string,mixed> $settings
+     *
+     * @return array<string,mixed>
+     */
+    function blc_google_sheets_prepare_settings_for_response(array $settings)
+    {
+        $prepared = $settings;
+
+        $prepared['has_client_secret'] = $settings['client_secret'] !== '';
+        $prepared['has_access_token'] = $settings['access_token'] !== '';
+        $prepared['has_refresh_token'] = $settings['refresh_token'] !== '';
+
+        $prepared['client_secret'] = null;
+        $prepared['access_token'] = null;
+        $prepared['refresh_token'] = null;
+
+        return $prepared;
+    }
+}
+
 if (!function_exists('blc_is_google_sheets_integration_enabled')) {
     /**
      * Determine if the Google Sheets connector is configured.
@@ -588,7 +612,7 @@ function blc_rest_manage_google_sheets_permissions()
      */
     function blc_rest_get_google_sheets_settings()
     {
-        return rest_ensure_response(blc_get_google_sheets_settings());
+        return rest_ensure_response(blc_google_sheets_prepare_settings_for_response(blc_get_google_sheets_settings()));
     }
 }
 
@@ -618,7 +642,11 @@ function blc_rest_update_google_sheets_settings(\WP_REST_Request $request)
         }
 
         foreach (['spreadsheet_id', 'client_id', 'client_secret'] as $key) {
-            if (isset($params[$key])) {
+            if (array_key_exists($key, $params)) {
+                if ($key === 'client_secret' && $params[$key] === null) {
+                    continue;
+                }
+
                 $current[$key] = blc_google_sheets_sanitize_text($params[$key]);
             }
         }
@@ -636,7 +664,7 @@ function blc_rest_update_google_sheets_settings(\WP_REST_Request $request)
 
         $updated = blc_update_google_sheets_settings($current);
 
-        return rest_ensure_response($updated);
+        return rest_ensure_response(blc_google_sheets_prepare_settings_for_response($updated));
     }
 }
 
@@ -685,7 +713,7 @@ function blc_rest_store_google_sheets_token(\WP_REST_Request $request)
 
         $updated = blc_update_google_sheets_settings($settings);
 
-        return rest_ensure_response($updated);
+        return rest_ensure_response(blc_google_sheets_prepare_settings_for_response($updated));
     }
 }
 
diff --git a/liens-morts-detector-jlg/includes/blc-s3-exports.php b/liens-morts-detector-jlg/includes/blc-s3-exports.php
@@ -169,6 +169,30 @@ function blc_update_s3_settings(array $settings)
     }
 }
 
+if (!function_exists('blc_s3_prepare_settings_for_response')) {
+    /**
+     * Prepare settings returned by REST endpoints by masking credentials.
+     *
+     * @param array<string,mixed> $settings
+     *
+     * @return array<string,mixed>
+     */
+    function blc_s3_prepare_settings_for_response(array $settings)
+    {
+        $prepared = $settings;
+
+        $prepared['has_access_key_id'] = $settings['access_key_id'] !== '';
+        $prepared['has_secret_access_key'] = $settings['secret_access_key'] !== '';
+        $prepared['has_session_token'] = $settings['session_token'] !== '';
+
+        $prepared['access_key_id'] = null;
+        $prepared['secret_access_key'] = null;
+        $prepared['session_token'] = null;
+
+        return $prepared;
+    }
+}
+
 if (!function_exists('blc_is_s3_integration_enabled')) {
     /**
      * Determine if the S3 connector is configured.
@@ -669,7 +693,7 @@ function blc_rest_manage_s3_permissions()
      */
     function blc_rest_get_s3_settings()
     {
-        return rest_ensure_response(blc_get_s3_settings());
+        return rest_ensure_response(blc_s3_prepare_settings_for_response(blc_get_s3_settings()));
     }
 }
 
@@ -699,22 +723,26 @@ function blc_rest_update_s3_settings(\WP_REST_Request $request)
         }
 
         foreach (['bucket', 'region'] as $key) {
-            if (isset($params[$key])) {
+            if (array_key_exists($key, $params)) {
                 $current[$key] = blc_s3_sanitize_text($params[$key]);
             }
         }
 
-        if (isset($params['endpoint'])) {
+        if (array_key_exists('endpoint', $params)) {
             $current['endpoint'] = blc_s3_sanitize_text($params['endpoint'], ['allow_url' => true]);
         }
 
         foreach (['access_key_id', 'secret_access_key', 'session_token'] as $credential_key) {
-            if (isset($params[$credential_key])) {
+            if (array_key_exists($credential_key, $params)) {
+                if ($params[$credential_key] === null) {
+                    continue;
+                }
+
                 $current[$credential_key] = blc_s3_sanitize_credential($params[$credential_key]);
             }
         }
 
-        if (isset($params['object_prefix'])) {
+        if (array_key_exists('object_prefix', $params)) {
             $current['object_prefix'] = blc_s3_normalize_object_prefix($params['object_prefix']);
         }
 
@@ -729,7 +757,7 @@ function blc_rest_update_s3_settings(\WP_REST_Request $request)
 
         $updated = blc_update_s3_settings($current);
 
-        return rest_ensure_response($updated);
+        return rest_ensure_response(blc_s3_prepare_settings_for_response($updated));
     }
 }
 
diff --git a/tests/BlcGoogleSheetsConnectorTest.php b/tests/BlcGoogleSheetsConnectorTest.php
@@ -67,6 +67,7 @@ protected function setUp(): void
 
         require_once __DIR__ . '/translation-stubs.php';
         require_once __DIR__ . '/wp-option-stubs.php';
+        require_once __DIR__ . '/stubs/rest-request-stub.php';
 
         if (!defined('ABSPATH')) {
             define('ABSPATH', __DIR__ . '/../');
@@ -225,6 +226,85 @@ public function test_handle_report_export_pushes_values_to_google_sheets(): void
         $this->assertSame(['dataset', 'url'], $payload['data'][0]['values'][0]);
         $this->assertSame(['link', 'https://example.com'], $payload['data'][0]['values'][1]);
     }
+
+    public function test_rest_get_settings_masks_google_credentials(): void
+    {
+        $this->options['blc_google_sheets_settings'] = [
+            'enabled'       => true,
+            'spreadsheet_id'=> 'spreadsheet-123',
+            'client_id'     => 'client-1',
+            'client_secret' => 'secret-1',
+            'access_token'  => 'token-1',
+            'refresh_token' => 'refresh-1',
+        ];
+
+        $response = \blc_rest_get_google_sheets_settings();
+
+        $this->assertNull($response['client_secret']);
+        $this->assertNull($response['access_token']);
+        $this->assertNull($response['refresh_token']);
+        $this->assertTrue($response['has_client_secret']);
+        $this->assertTrue($response['has_access_token']);
+        $this->assertTrue($response['has_refresh_token']);
+    }
+
+    public function test_rest_update_settings_preserves_client_secret_when_omitted(): void
+    {
+        $this->options['blc_google_sheets_settings'] = [
+            'enabled'       => true,
+            'spreadsheet_id'=> 'spreadsheet-123',
+            'client_id'     => 'client-1',
+            'client_secret' => 'secret-1',
+        ];
+
+        $request = new \WP_REST_Request(
+            ['spreadsheet_id' => 'updated-sheet'],
+            ['spreadsheet_id' => 'updated-sheet']
+        );
+
+        $response = \blc_rest_update_google_sheets_settings($request);
+
+        $settings = \blc_get_google_sheets_settings();
+
+        $this->assertSame('updated-sheet', $settings['spreadsheet_id']);
+        $this->assertSame('secret-1', $settings['client_secret']);
+        $this->assertNull($response['client_secret']);
+        $this->assertTrue($response['has_client_secret']);
+    }
+
+    public function test_rest_store_token_masks_response(): void
+    {
+        $this->options['blc_google_sheets_settings'] = [
+            'enabled'       => true,
+            'spreadsheet_id'=> 'spreadsheet-123',
+            'client_id'     => 'client-1',
+            'client_secret' => 'secret-1',
+        ];
+
+        $request = new \WP_REST_Request(
+            [
+                'access_token'  => 'new-token',
+                'refresh_token' => 'refresh-2',
+                'expires_in'    => 1800,
+            ],
+            [
+                'access_token'  => 'new-token',
+                'refresh_token' => 'refresh-2',
+                'expires_in'    => 1800,
+            ]
+        );
+
+        $response = \blc_rest_store_google_sheets_token($request);
+
+        $settings = \blc_get_google_sheets_settings();
+
+        $this->assertSame('new-token', $settings['access_token']);
+        $this->assertSame('refresh-2', $settings['refresh_token']);
+        $this->assertNull($response['access_token']);
+        $this->assertNull($response['refresh_token']);
+        $this->assertTrue($response['has_access_token']);
+        $this->assertTrue($response['has_refresh_token']);
+    }
 }
 
 }
diff --git a/tests/BlcS3ExportConnectorTest.php b/tests/BlcS3ExportConnectorTest.php
@@ -69,6 +69,7 @@ protected function setUp(): void
 
         require_once __DIR__ . '/translation-stubs.php';
         require_once __DIR__ . '/wp-option-stubs.php';
+        require_once __DIR__ . '/stubs/rest-request-stub.php';
 
         if (!defined('ABSPATH')) {
             define('ABSPATH', __DIR__ . '/../');
@@ -191,6 +192,93 @@ public function test_handle_report_export_stores_error_on_failure(): void
         $this->assertSame('s3_error', $settings['last_error_code']);
         $this->assertSame('Unable to upload', $settings['last_error']);
     }
+
+    public function test_rest_get_settings_masks_s3_credentials(): void
+    {
+        $this->options['blc_s3_export_settings'] = [
+            'enabled'           => true,
+            'bucket'            => 'reports-bucket',
+            'region'            => 'eu-west-3',
+            'access_key_id'     => 'AKIAIOSAMPLE',
+            'secret_access_key' => 'very-secret',
+            'session_token'     => 'temporary-token',
+        ];
+
+        $response = \blc_rest_get_s3_settings();
+
+        $this->assertNull($response['access_key_id']);
+        $this->assertNull($response['secret_access_key']);
+        $this->assertNull($response['session_token']);
+        $this->assertTrue($response['has_access_key_id']);
+        $this->assertTrue($response['has_secret_access_key']);
+        $this->assertTrue($response['has_session_token']);
+    }
+
+    public function test_rest_update_settings_preserves_credentials_when_omitted(): void
+    {
+        $this->options['blc_s3_export_settings'] = [
+            'enabled'           => true,
+            'bucket'            => 'reports-bucket',
+            'region'            => 'eu-west-3',
+            'access_key_id'     => 'AKIAIOSAMPLE',
+            'secret_access_key' => 'very-secret',
+        ];
+
+        $request = new \WP_REST_Request(
+            ['bucket' => 'updated-bucket'],
+            ['bucket' => 'updated-bucket']
+        );
+
+        $response = \blc_rest_update_s3_settings($request);
+
+        $settings = \blc_get_s3_settings();
+
+        $this->assertSame('updated-bucket', $settings['bucket']);
+        $this->assertSame('AKIAIOSAMPLE', $settings['access_key_id']);
+        $this->assertSame('very-secret', $settings['secret_access_key']);
+        $this->assertTrue($response['has_access_key_id']);
+        $this->assertTrue($response['has_secret_access_key']);
+        $this->assertNull($response['access_key_id']);
+        $this->assertNull($response['secret_access_key']);
+    }
+
+    public function test_rest_update_settings_accepts_new_credentials(): void
+    {
+        $this->options['blc_s3_export_settings'] = [
+            'enabled'           => true,
+            'bucket'            => 'reports-bucket',
+            'region'            => 'eu-west-3',
+            'access_key_id'     => 'AKIAIOSAMPLE',
+            'secret_access_key' => 'very-secret',
+        ];
+
+        $request = new \WP_REST_Request(
+            [
+                'access_key_id'     => 'NEWKEY',
+                'secret_access_key' => 'new-secret',
+                'session_token'     => 'new-token',
+            ],
+            [
+                'access_key_id'     => 'NEWKEY',
+                'secret_access_key' => 'new-secret',
+                'session_token'     => 'new-token',
+            ]
+        );
+
+        $response = \blc_rest_update_s3_settings($request);
+
+        $settings = \blc_get_s3_settings();
+
+        $this->assertSame('NEWKEY', $settings['access_key_id']);
+        $this->assertSame('new-secret', $settings['secret_access_key']);
+        $this->assertSame('new-token', $settings['session_token']);
+        $this->assertTrue($response['has_access_key_id']);
+        $this->assertTrue($response['has_secret_access_key']);
+        $this->assertTrue($response['has_session_token']);
+        $this->assertNull($response['access_key_id']);
+        $this->assertNull($response['secret_access_key']);
+        $this->assertNull($response['session_token']);
+    }
 }
 
 }
diff --git a/tests/js/__tests__/blc-admin-scripts.test.js b/tests/js/__tests__/blc-admin-scripts.test.js
diff --git a/tests/stubs/rest-request-stub.php b/tests/stubs/rest-request-stub.php

Original file line number	Diff line number	Diff line change
`@@ -130,6 +130,30 @@ function blc_update_google_sheets_settings(array $settings)`
`130`	`130`	`}`
`131`	`131`	`}`
`132`	`132`
	`133`	`+if (!function_exists('blc_google_sheets_prepare_settings_for_response')) {`
	`134`	`+ /**`
	`135`	`+ * Prepare Google Sheets settings returned by REST endpoints by masking secrets.`
	`136`	`+ *`
	`137`	`+ * @param array<string,mixed> $settings`
	`138`	`+ *`
	`139`	`+ * @return array<string,mixed>`
	`140`	`+ */`
	`141`	`+ function blc_google_sheets_prepare_settings_for_response(array $settings)`
	`142`	`+ {`
	`143`	`+ $prepared = $settings;`
	`144`	`+`
	`145`	`+ $prepared['has_client_secret'] = $settings['client_secret'] !== '';`
	`146`	`+ $prepared['has_access_token'] = $settings['access_token'] !== '';`
	`147`	`+ $prepared['has_refresh_token'] = $settings['refresh_token'] !== '';`
	`148`	`+`
	`149`	`+ $prepared['client_secret'] = null;`
	`150`	`+ $prepared['access_token'] = null;`
	`151`	`+ $prepared['refresh_token'] = null;`
	`152`	`+`
	`153`	`+ return $prepared;`
	`154`	`+ }`
	`155`	`+}`
	`156`	`+`
`133`	`157`	`if (!function_exists('blc_is_google_sheets_integration_enabled')) {`
`134`	`158`	`/**`
`135`	`159`	`* Determine if the Google Sheets connector is configured.`
`@@ -588,7 +612,7 @@ function blc_rest_manage_google_sheets_permissions()`
`588`	`612`	`*/`
`589`	`613`	`function blc_rest_get_google_sheets_settings()`
`590`	`614`	`{`
`591`		`- return rest_ensure_response(blc_get_google_sheets_settings());`
	`615`	`+ return rest_ensure_response(blc_google_sheets_prepare_settings_for_response(blc_get_google_sheets_settings()));`
`592`	`616`	`}`
`593`	`617`	`}`
`594`	`618`
`@@ -618,7 +642,11 @@ function blc_rest_update_google_sheets_settings(\WP_REST_Request $request)`
`618`	`642`	`}`
`619`	`643`
`620`	`644`	`foreach (['spreadsheet_id', 'client_id', 'client_secret'] as $key) {`
`621`		`- if (isset($params[$key])) {`
	`645`	`+ if (array_key_exists($key, $params)) {`
	`646`	`+ if ($key === 'client_secret' && $params[$key] === null) {`
	`647`	`+ continue;`
	`648`	`+ }`
	`649`	`+`
`622`	`650`	`$current[$key] = blc_google_sheets_sanitize_text($params[$key]);`
`623`	`651`	`}`
`624`	`652`	`}`
`@@ -636,7 +664,7 @@ function blc_rest_update_google_sheets_settings(\WP_REST_Request $request)`
`636`	`664`
`637`	`665`	`$updated = blc_update_google_sheets_settings($current);`
`638`	`666`
`639`		`- return rest_ensure_response($updated);`
	`667`	`+ return rest_ensure_response(blc_google_sheets_prepare_settings_for_response($updated));`
`640`	`668`	`}`
`641`	`669`	`}`
`642`	`670`
`@@ -685,7 +713,7 @@ function blc_rest_store_google_sheets_token(\WP_REST_Request $request)`
`685`	`713`
`686`	`714`	`$updated = blc_update_google_sheets_settings($settings);`
`687`	`715`
`688`		`- return rest_ensure_response($updated);`
	`716`	`+ return rest_ensure_response(blc_google_sheets_prepare_settings_for_response($updated));`
`689`	`717`	`}`
`690`	`718`	`}`
`691`	`719`
Original file line number	Diff line number	Diff line change
`@@ -169,6 +169,30 @@ function blc_update_s3_settings(array $settings)`
`169`	`169`	`}`
`170`	`170`	`}`
`171`	`171`
	`172`	`+if (!function_exists('blc_s3_prepare_settings_for_response')) {`
	`173`	`+ /**`
	`174`	`+ * Prepare settings returned by REST endpoints by masking credentials.`
	`175`	`+ *`
	`176`	`+ * @param array<string,mixed> $settings`
	`177`	`+ *`
	`178`	`+ * @return array<string,mixed>`
	`179`	`+ */`
	`180`	`+ function blc_s3_prepare_settings_for_response(array $settings)`
	`181`	`+ {`
	`182`	`+ $prepared = $settings;`
	`183`	`+`
	`184`	`+ $prepared['has_access_key_id'] = $settings['access_key_id'] !== '';`
	`185`	`+ $prepared['has_secret_access_key'] = $settings['secret_access_key'] !== '';`
	`186`	`+ $prepared['has_session_token'] = $settings['session_token'] !== '';`
	`187`	`+`
	`188`	`+ $prepared['access_key_id'] = null;`
	`189`	`+ $prepared['secret_access_key'] = null;`
	`190`	`+ $prepared['session_token'] = null;`
	`191`	`+`
	`192`	`+ return $prepared;`
	`193`	`+ }`
	`194`	`+}`
	`195`	`+`
`172`	`196`	`if (!function_exists('blc_is_s3_integration_enabled')) {`
`173`	`197`	`/**`
`174`	`198`	`* Determine if the S3 connector is configured.`
`@@ -669,7 +693,7 @@ function blc_rest_manage_s3_permissions()`
`669`	`693`	`*/`
`670`	`694`	`function blc_rest_get_s3_settings()`
`671`	`695`	`{`
`672`		`- return rest_ensure_response(blc_get_s3_settings());`
	`696`	`+ return rest_ensure_response(blc_s3_prepare_settings_for_response(blc_get_s3_settings()));`
`673`	`697`	`}`
`674`	`698`	`}`
`675`	`699`
`@@ -699,22 +723,26 @@ function blc_rest_update_s3_settings(\WP_REST_Request $request)`
`699`	`723`	`}`
`700`	`724`
`701`	`725`	`foreach (['bucket', 'region'] as $key) {`
`702`		`- if (isset($params[$key])) {`
	`726`	`+ if (array_key_exists($key, $params)) {`
`703`	`727`	`$current[$key] = blc_s3_sanitize_text($params[$key]);`
`704`	`728`	`}`
`705`	`729`	`}`
`706`	`730`
`707`		`- if (isset($params['endpoint'])) {`
	`731`	`+ if (array_key_exists('endpoint', $params)) {`
`708`	`732`	`$current['endpoint'] = blc_s3_sanitize_text($params['endpoint'], ['allow_url' => true]);`
`709`	`733`	`}`
`710`	`734`
`711`	`735`	`foreach (['access_key_id', 'secret_access_key', 'session_token'] as $credential_key) {`
`712`		`- if (isset($params[$credential_key])) {`
	`736`	`+ if (array_key_exists($credential_key, $params)) {`
	`737`	`+ if ($params[$credential_key] === null) {`
	`738`	`+ continue;`
	`739`	`+ }`
	`740`	`+`
`713`	`741`	`$current[$credential_key] = blc_s3_sanitize_credential($params[$credential_key]);`
`714`	`742`	`}`
`715`	`743`	`}`
`716`	`744`
`717`		`- if (isset($params['object_prefix'])) {`
	`745`	`+ if (array_key_exists('object_prefix', $params)) {`
`718`	`746`	`$current['object_prefix'] = blc_s3_normalize_object_prefix($params['object_prefix']);`
`719`	`747`	`}`
`720`	`748`
`@@ -729,7 +757,7 @@ function blc_rest_update_s3_settings(\WP_REST_Request $request)`
`729`	`757`
`730`	`758`	`$updated = blc_update_s3_settings($current);`
`731`	`759`
`732`		`- return rest_ensure_response($updated);`
	`760`	`+ return rest_ensure_response(blc_s3_prepare_settings_for_response($updated));`
`733`	`761`	`}`
`734`	`762`	`}`
`735`	`763`