usebruno / bruno

Opensource IDE For Exploring and Testing Api's (lightweight alternative to postman/insomnia)
https://www.usebruno.com/
MIT License
27.56k stars 1.27k forks

OAuth Client Secret display implies secure storage #3497

Open markaltmann opened 3 days ago

markaltmann commented 3 days ago

I have checked the following:

Describe the bug

When you configure OAuth and enter the client secret, a user can be tempted into thinking that this secret is not stored, or even that it is stored encrypted within Bruno. However, that is not the case: if you enter a real secret, it is stored in cleartext in the collection.bru file, and only obfuscated by default in the UI.

This is what I would call a Dark Pattern: https://en.wikipedia.org/wiki/Dark_pattern

[image] and the display in the collection.bru: [image]

I use currently version 1.34.2

I would prefer one of the following solutions:

  1. Don't obfuscate, so it's clear that you are saving confidential information in cleartext.
  2. Even better, the default should be that secrets are not stored in the collection or env, but only in session storage, if it is not a secret collection variable.

.bru file to reproduce the bug

You can use any .bru file where you have configured a confidential OAuth2 client and just entered the secret directly.

Screenshots/Live demo link

[image] and in the collection: [image]
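One way to catch the situation described in this report before a collection is committed is to scan `.bru` files for an OAuth2 block whose `client_secret` is a literal value rather than a `{{variable}}` reference (the second proposed fix: keep the secret out of the collection and inject it from the environment or a secret variable). The following is an added example, not code from the Bruno project or from the reporter. It assumes the `auth:oauth2 { key: value }` block shape shown in the constructed samples below; the sample secret and URLs are constructed.

```python
"""Flag cleartext OAuth2 client secrets in Bruno-style .bru files.

Added example (not Bruno's own code). Assumes an `auth:oauth2 { ... }` block
with one `key: value` pair per line; a value wrapped in {{...}} is treated as a
variable reference and therefore not a stored secret.
"""
import re
from pathlib import Path

# Constructed sample: secret typed directly into the field, so it lands in the file.
SAMPLE_COLLECTION_BRU = """\
auth {
  mode: oauth2
}

auth:oauth2 {
  grant_type: client_credentials
  access_token_url: https://auth.example.test/oauth/token
  client_id: my-client
  client_secret: s3cr3t-literal-value
  scope: read
}
"""

# Constructed sample: secret supplied through a variable reference instead.
SAMPLE_SAFE_BRU = """\
auth:oauth2 {
  grant_type: client_credentials
  access_token_url: https://auth.example.test/oauth/token
  client_id: {{clientId}}
  client_secret: {{process.env.OAUTH_CLIENT_SECRET}}
  scope: read
}
"""

BLOCK_RE = re.compile(r"auth:oauth2\s*\{(.*?)\n\}", re.DOTALL)
VAR_REF_RE = re.compile(r"^\{\{[^{}]+\}\}$")
SENSITIVE_KEYS = {"client_secret"}  # extend if other keys should never be literal


def parse_oauth2_block(text: str) -> dict:
    """Return the key/value pairs of the first auth:oauth2 block, or {} if absent."""
    match = BLOCK_RE.search(text)
    if not match:
        return {}
    pairs = {}
    for raw in match.group(1).splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)  # split once: URLs contain colons too
        pairs[key.strip()] = value.strip()
    return pairs


def find_literal_secrets(text: str) -> list:
    """Names of sensitive keys whose value is a literal rather than a {{var}} reference."""
    block = parse_oauth2_block(text)
    return sorted(
        key for key, value in block.items()
        if key in SENSITIVE_KEYS and value and not VAR_REF_RE.match(value)
    )


def scan_paths(paths) -> dict:
    """Map each .bru path to the literal secret keys it contains (empty list = clean)."""
    return {str(p): find_literal_secrets(Path(p).read_text(encoding="utf-8")) for p in paths}


if __name__ == "__main__":
    for name, sample in (("collection.bru", SAMPLE_COLLECTION_BRU), ("safe.bru", SAMPLE_SAFE_BRU)):
        hits = find_literal_secrets(sample)
        print(f"{name}: {'cleartext ' + ', '.join(hits) if hits else 'no literal secrets'}")
```

Run against a checkout (for example `scan_paths(Path('.').rglob('*.bru'))`) as a pre-commit check; a non-empty list for any file means a secret would be written to disk and, if the collection is in version control, shared with everyone who can read the repository.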

koliyo commented 3 days ago

Not a bruno dev, and I agree this should not be handled like this. But calling it a dark pattern assumes intentional deceit. I suspect this bruno issue is mainly due to not having fully considered the design implications.

markaltmann commented 2 days ago

Hi @koliyo, true, I have by no means implied any intentional wrongdoing or deceit. It's just incomplete UI/UX design that can be fixed. I will adapt the name.