I just realized that the WFS provider automatically expanded authentication configuration with basic authentication to username & password in the URI, which can then leak in a project file. This is fundamentally due to QgsDataSourceUri::uri() (same issue with connectionInfo()) having a default bool expandAuthConfig = true parameter. For a security related functionality depending on such implicit behaviour is rather dangerous.
A few possibilities I can see:
Change default value to false
Remove this parameter and make the behaviour be equivalent to expandAuthConfig = false, and add, if needed, uriExpandAuthConfig() and connectionExpandAuthConfig()
Remove this parameter and make the behaviour be equivalent to expandAuthConfig = false, and add, if needed, uriExpandAuthConfig() and connectionExpandAuthConfig()
I just realized that the WFS provider automatically expanded authentication configuration with basic authentication to username & password in the URI, which can then leak in a project file. This is fundamentally due to QgsDataSourceUri::uri() (same issue with connectionInfo()) having a default bool expandAuthConfig = true parameter. For a security related functionality depending on such implicit behaviour is rather dangerous. A few possibilities I can see: