pgadmin-org / pgadmin4

pgAdmin is the most popular and feature rich Open Source administration and development platform for PostgreSQL, the most advanced Open Source database in the world.
https://www.pgadmin.org

Foreign Server User Mapping password visible #6591

Open naxels opened 1 year ago

naxels commented 1 year ago

Please note that security bugs or issues should be reported to security@pgadmin.org.

Describe the bug

When you have "Foreign Data Wrappers" listed in pgAdmin and edit the User Mappings for a user, the password is listed in clear text. In my opinion this is a bug, since passwords are hidden in other places.

To Reproduce

Steps to reproduce the behavior:

  1. Go to a database with "Foreign Data Wrappers" that have User Mappings (like a postgres_fdw)
  2. Navigate all the way down to the User Mappings and select a user
  3. Now in Properties click Edit and go to Options page, there you see user & password listed in clear text.

[Screenshot: User Mapping Options page showing the user and password values]

Expected behavior

I expected the password to be listed as **** or something else, that hides the password from prying colleague eyes. Maybe show an option to display the password in plain text? I do agree that it shouldn't be hidden like a Login/Group Roles password as you want the indication that it actually exists.

Error message

None

Screenshots

(See above)

Desktop (please complete the following information):

Additional context

Feel free to solve this in any other way than I suggest above.

dpage commented 1 year ago

I agree, but... the problem is that those parameters are defined by the FDW, and there is no standard. Whilst we could mask the password if the parameter name is "password", it could just as easily be "passwd" or "secret" or "private_key" or anything really.

Masking the value for a parameter called "password" would be better than nothing, but there's no guarantee other secret values wouldn't be displayed.
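
The name-based masking that the comment above describes as "better than nothing", as an added example that is not pgAdmin's own code: it parses entries in the `key=value` form that PostgreSQL stores in `pg_user_mapping.umoptions` and masks any value whose option name looks like a credential. The pattern list and the `pin` option in the constructed sample are assumptions; the sample is there to show that an FDW-specific name the list does not know is still displayed, which is exactly the gap the comment points out.

```python
import re
from typing import Dict, Iterable, List

# Assumed heuristic list of option names that usually carry a secret. FDWs
# define option names freely, so this list can never be complete.
SECRET_NAME_PATTERNS = (
    re.compile(r"pass(word|wd)|pwd", re.IGNORECASE),
    re.compile(r"secret", re.IGNORECASE),
    re.compile(r"private[_-]?key", re.IGNORECASE),
    re.compile(r"token", re.IGNORECASE),
)

MASK = "********"


def parse_umoptions(umoptions: Iterable[str]) -> Dict[str, str]:
    """Parse umoptions entries ('key=value'); split on the first '=' only,
    because a value such as a password may itself contain '='."""
    parsed: Dict[str, str] = {}
    for entry in umoptions:
        key, sep, value = entry.partition("=")
        if not sep:
            raise ValueError(f"malformed user mapping option: {entry!r}")
        parsed[key] = value
    return parsed


def is_probably_secret(option_name: str) -> bool:
    """True when the option name matches one of the known secret-like patterns."""
    return any(p.search(option_name) for p in SECRET_NAME_PATTERNS)


def mask_user_mapping_options(umoptions: Iterable[str]) -> Dict[str, str]:
    """Return the options with secret-like values replaced by MASK.
    Values under unrecognised names (the caveat above) are returned unchanged."""
    return {
        key: (MASK if is_probably_secret(key) else value)
        for key, value in parse_umoptions(umoptions).items()
    }


# Constructed sample in the umoptions array format; 'pin' stands for an
# FDW-specific secret that the heuristic does not recognise.
SAMPLE_UMOPTIONS: List[str] = ["user=alice", "password=s3cr=et", "pin=1234"]

if __name__ == "__main__":
    for name, value in mask_user_mapping_options(SAMPLE_UMOPTIONS).items():
        print(f"{name} = {value}")
```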

naxels commented 1 year ago

Aah, I didn't know that, just thought it would be standardized for User Mapping.

I guess there is no fdw setting/param pgadmin could query to indicate what is the account/secret/password?

dpage commented 1 year ago

Unfortunately not.