Add dynamic help text for client_secret field on application form

Fixes #1635 - warns users to save their secret on creation,
and informs them it is hashed and unrecoverable when editing.

Author: emmanuelangelo4199

oauth2_provider/forms.py

@@ -1,4 +1,6 @@
 from django import forms
+from django.forms.models import modelform_factory
+from .models import get_application_model
 
 
 class AllowForm(forms.Form):
@@ -26,3 +28,18 @@ class ConfirmLogoutForm(forms.Form):
     def __init__(self, *args, **kwargs):
         self.request = kwargs.pop("request", None)
         super(ConfirmLogoutForm, self).__init__(*args, **kwargs)
+
+
+class ApplicationForm(forms.ModelForm):
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        if self.instance and self.instance.pk:
+            self.fields["client_secret"].help_text = (
+                "⚠️ The client secret has been hashed and can no longer be viewed. "
+                "If you need the original value, you must regenerate it and save it immediately."
+            )
+        else:
+            self.fields["client_secret"].help_text = (
+                "⚠️ Copy and store this secret now. "
+                "Once saved, it will be hashed and cannot be recovered."
+            )

oauth2_provider/views/application.py

@@ -3,8 +3,22 @@
 from django.urls import reverse_lazy
 from django.views.generic import CreateView, DeleteView, DetailView, ListView, UpdateView
 
+from ..forms import ApplicationForm
 from ..models import get_application_model
 
+APPLICATION_FIELDS = (
+    "name",
+    "client_id",
+    "client_secret",
+    "hash_client_secret",
+    "client_type",
+    "authorization_grant_type",
+    "redirect_uris",
+    "post_logout_redirect_uris",
+    "allowed_origins",
+    "algorithm",
+)
+
 
 class ApplicationOwnerIsUserMixin(LoginRequiredMixin):
     """
@@ -25,24 +39,7 @@ class ApplicationRegistration(LoginRequiredMixin, CreateView):
     template_name = "oauth2_provider/application_registration_form.html"
 
     def get_form_class(self):
-        """
-        Returns the form class for the application model
-        """
-        return modelform_factory(
-            get_application_model(),
-            fields=(
-                "name",
-                "client_id",
-                "client_secret",
-                "hash_client_secret",
-                "client_type",
-                "authorization_grant_type",
-                "redirect_uris",
-                "post_logout_redirect_uris",
-                "allowed_origins",
-                "algorithm",
-            ),
-        )
+        return modelform_factory(get_application_model(), form=ApplicationForm, fields=APPLICATION_FIELDS)
 
     def form_valid(self, form):
         form.instance.user = self.request.user
@@ -86,21 +83,4 @@ class ApplicationUpdate(ApplicationOwnerIsUserMixin, UpdateView):
     template_name = "oauth2_provider/application_form.html"
 
     def get_form_class(self):
-        """
-        Returns the form class for the application model
-        """
-        return modelform_factory(
-            get_application_model(),
-            fields=(
-                "name",
-                "client_id",
-                "client_secret",
-                "hash_client_secret",
-                "client_type",
-                "authorization_grant_type",
-                "redirect_uris",
-                "post_logout_redirect_uris",
-                "allowed_origins",
-                "algorithm",
-            ),
-        )
+        return modelform_factory(get_application_model(), form=ApplicationForm, fields=APPLICATION_FIELDS)

tests/test_application_views.py

@@ -281,3 +281,15 @@ def test_application_update(self):
         self.assertEqual(self.app_foo_1.post_logout_redirect_uris, form_data["post_logout_redirect_uris"])
         self.assertEqual(self.app_foo_1.client_type, form_data["client_type"])
         self.assertEqual(self.app_foo_1.authorization_grant_type, form_data["authorization_grant_type"])
+    
+    def test_client_secret_help_text_new_application(self):
+        self.client.login(username="foo_user", password="123456")
+        response = self.client.get(reverse("oauth2_provider:register"))
+        form = response.context["form"]
+        self.assertIn("Copy and store this secret now", form.fields["client_secret"].help_text)
+
+    def test_client_secret_help_text_existing_application(self):
+        self.client.login(username="foo_user", password="123456")
+        response = self.client.get(reverse("oauth2_provider:update", args=(self.app_foo_1.pk,)))
+        form = response.context["form"]
+        self.assertIn("has been hashed", form.fields["client_secret"].help_text)