AppDaemon / appdaemon

Python Apps for Home Automation

Secrets are viewable in plaintext in AppDaemon dashboard via app arguments #1992

Open HomerAssistant opened 3 months ago

HomerAssistant commented 3 months ago

What happened?

I am able to see secrets I've provided to an application as arguments in my apps.yaml file. I specify the secrets in secrets.yaml and use !secret var_name in apps.yaml. However, I can still see the secret by navigating to the AppDaemon dashboard on port 5050 and viewing the app's arguments. The dashboard is accessible without a username or password on the local network. Please advise whether there is a way to prevent this.

Clicking this discloses the secrets.

[screenshot]

Version

4.4.2

Installation type

Home Assistant add-on

Relevant log output

No response

Relevant code in the app or config file that caused the issue

No response

Anything else?

No response

acockburn commented 3 months ago

Hi there - the secrets mechanism is intended primarily as a way to facilitate passing config files around without having them contain sensitive information of this nature.

By design, the app parameters are visible in the dashboard; passing passwords as parameters is inherently insecure in any case, and there are better approaches.

AppDaemon doesn't give you any specific help here, but it has all of Python available to you. If I wanted to solve this issue I would put the passwords in a file and read them from the app during initialize. If you wanted to lock that down further you could manually encrypt the passwords using something like passlib.
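The approach described in the comment above, read the credentials from a file during `initialize` so that only the file's path ever appears in `self.args`, as an added example. This is not AppDaemon project code and not the maintainer's code; it assumes a hypothetical secrets file with one `key: value` per line (for example `/config/appdaemon_secrets.txt`, constructed here in a temp file with a made-up password), and it refuses files that are readable by group or other, since a world-readable secrets file defeats the point. When the `appdaemon` package is not importable, a minimal stand-in base class with the same `args` and `log` members is used so the example runs outside AppDaemon; that stand-in is an assumption, not the real `Hass` API. It does not use passlib; it relies on the file's mode bits instead.

```python
"""Keep credentials out of AppDaemon app arguments (added example, not project code)."""
import os
import stat
import tempfile

try:
    import appdaemon.plugins.hass.hassapi as hass  # real base class when running under AppDaemon
    _Base = hass.Hass
except ImportError:  # ASSUMPTION: stand-in so the example runs outside AppDaemon
    class _Base:
        def __init__(self, args=None):
            self.args = dict(args or {})   # what the dashboard's argument view renders

        def log(self, msg, **kwargs):
            print(msg)


def parse_secrets(text):
    """Parse `key: value` lines. Lines starting with '#' and blank lines are skipped.
    Inline comments are deliberately unsupported so that a '#' inside a password survives.
    Surrounding single or double quotes on the value are removed."""
    secrets = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"secrets line {lineno}: expected 'key: value'")
        key, value = (part.strip() for part in line.split(":", 1))
        if not key or not value:
            raise ValueError(f"secrets line {lineno}: empty key or value")
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        secrets[key] = value
    return secrets


def load_secrets(path):
    """Read the secrets file, rejecting it if group/other have any access bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise PermissionError(
            f"{path} is accessible by group/other (mode {mode:04o}); run chmod 600 on it")
    with open(path, encoding="utf-8") as fh:
        return parse_secrets(fh.read())


class SecretAwareApp(_Base):
    """apps.yaml supplies only `secrets_file`; the values live on the instance, not in self.args."""

    def initialize(self):
        path = self.args.get("secrets_file", "/config/appdaemon_secrets.txt")  # hypothetical path
        self._secrets = load_secrets(path)
        self.log(f"loaded {len(self._secrets)} secret(s) from {path}")

    def secret(self, name):
        return self._secrets[name]


def demo():
    """Construct a sample secrets file, run the app, and report what the dashboard would see.
    Under real AppDaemon the framework constructs the app; direct construction works only
    with the stand-in base class above."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write("# constructed sample, not a real credential\n"
                     "mqtt_password: 'hunter2#2024'\n"
                     "api_token: abc123\n")
        os.chmod(path, 0o600)
        app = SecretAwareApp(args={"secrets_file": path, "topic": "home/door"})
        app.initialize()
        leaked_into_args = "hunter2" in repr(app.args)
        os.chmod(path, 0o644)          # simulate a careless chmod; the loader must refuse it
        try:
            load_secrets(path)
            rejected_world_readable = False
        except PermissionError:
            rejected_world_readable = True
        return {"password": app.secret("mqtt_password"),
                "in_args": leaked_into_args,
                "rejected_world_readable": rejected_world_readable}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

The corresponding apps.yaml entry would carry only `secrets_file: /config/appdaemon_secrets.txt` (a hypothetical path), so the dashboard's argument view shows a path rather than a password. The mode check matters because the dashboard is not the only reader on the box: any process or add-on running as another user can read a 0644 file just as easily.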