v0.1.11 — fix: mask OAuth client secrets in getAuthConfig for non-admin roles
Release v0.1.11: OAuth Secret Masking for Non-Admin Roles
What changed
project.getAuthConfig now masks OAuth client secrets before returning them to users with viewer or editor roles. Previously, all authenticated users could see plaintext secrets for Google, GitHub, Microsoft, and Okta providers.
- Secrets masked as XXXX•••••••• for viewers and editors
- Full plaintext values reserved for admins and owners
- New secretsRevealed boolean in response for UI status indicators
- Two new helper functions exported: maskSecret() and maskAuthConfigSecrets()
Why it matters
OAuth credentials are sensitive — they should only be accessible to team members who need to configure them. This fix enforces least privilege by default, preventing accidental or malicious credential exfiltration by lower-privileged team members.
Technical notes
Secrets ≤8 characters are fully obscured. Longer secrets show the first 4 characters followed by bullets. Null secrets remain null. Client IDs are never masked — they are not sensitive.
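The masking rules above, written out as an added reference implementation that is not the project's own code: the type names, the providers map shape, the role names and the fixed eight-bullet suffix (chosen so the masked value never reveals the secret's length) are assumptions.

```typescript
// Added example, not the project's own code. Shapes and names are assumed.
type Role = "owner" | "admin" | "editor" | "viewer";

interface ProviderConfig {
  clientId: string | null;     // never masked: client IDs are not sensitive
  clientSecret: string | null; // masked for viewer/editor roles
}

interface AuthConfig {
  providers: Record<string, ProviderConfig>;
}

// Fixed-length suffix so a masked value does not leak the secret's length.
const BULLETS = "••••••••";

function maskSecret(secret: string | null): string | null {
  if (secret === null) return null;          // null stays null
  if (secret.length <= 8) return BULLETS;    // short secrets are fully obscured
  return secret.slice(0, 4) + BULLETS;       // longer: first 4 chars, then bullets
}

// Returns a new config; the caller's object is never mutated.
function maskAuthConfigSecrets(config: AuthConfig): AuthConfig {
  const providers: Record<string, ProviderConfig> = {};
  for (const [provider, p] of Object.entries(config.providers)) {
    providers[provider] = { clientId: p.clientId, clientSecret: maskSecret(p.clientSecret) };
  }
  return { providers };
}

// Role gate: only owners and admins receive plaintext secrets.
function getAuthConfig(config: AuthConfig, role: Role): AuthConfig & { secretsRevealed: boolean } {
  const secretsRevealed = role === "owner" || role === "admin";
  const body = secretsRevealed ? config : maskAuthConfigSecrets(config);
  return { ...body, secretsRevealed };
}

// Constructed sample config with placeholder values (not real credentials).
const sampleConfig: AuthConfig = {
  providers: {
    google: { clientId: "google-client-id", clientSecret: "example-google-secret-0123456789" },
    github: { clientId: "github-client-id", clientSecret: "short" },
    okta: { clientId: "okta-client-id", clientSecret: null },
  },
};
```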
Release Notes
PR #418 was successfully squash-merged into main (commit sha: 4e9642e628c5433b31d333621d9aab2cfafd74c5). However, the GitHub release creation for tag v0.1.11 failed because the tag already exists in the repository — a prior release or tag with that name was already created. The merge itself is complete and the security fix is live on main. To publish the release, the existing v0.1.11 tag/release will need to be deleted first, or a new version number (e.g. v0.1.12) should be used instead.