Merge pull request #1047 from 10up/feature/obfuscate-credentials

peterwilsoncc · web-flow · commit 945ec01ea172 · 2026-02-11T10:27:33.000+11:00
Obfuscate credentials before rendering to the front-end
diff --git a/includes/Classifai/Admin/Settings.php b/includes/Classifai/Admin/Settings.php
@@ -7,6 +7,7 @@
 use Classifai\Services\ServicesManager;
 use Classifai\Taxonomy\TaxonomyFactory;
 use Classifai\Helpers\CredentialReuse;
+use Classifai\Providers\CredentialObfuscator;
 
 use function Classifai\get_asset_info;
 use function Classifai\get_plugin;
@@ -226,14 +227,18 @@ public function get_nlu_taxonomies(): array {
 	/**
 	 * Get the settings.
 	 *
-	 * @return array The settings.
+	 * Obfuscates sensitive credentials before returning to prevent
+	 * exposure of API keys in the frontend.
+	 *
+	 * @return array The settings with credentials obfuscated.
 	 */
 	public function get_settings(): array {
 		$features = $this->get_features( true );
 		$settings = [];
 
 		foreach ( $features as $feature ) {
-			$settings[ $feature::ID ] = $feature->get_settings();
+			$feature_settings         = $feature->get_settings();
+			$settings[ $feature::ID ] = CredentialObfuscator::obfuscate_feature_settings( $feature_settings );
 		}
 
 		return $settings;
@@ -472,6 +477,12 @@ public function update_settings_permissions_check(): bool {
 	public function get_registration_settings_callback(): \WP_REST_Response {
 		$service_manager = new ServicesManager();
 		$settings        = $service_manager->get_settings();
+
+		// Obfuscate the license key before returning.
+		if ( isset( $settings['license_key'] ) ) {
+			$settings['license_key'] = CredentialObfuscator::obfuscate( $settings['license_key'] );
+		}
+
 		return rest_ensure_response( $settings );
 	}
 
@@ -487,12 +498,19 @@ public function update_registration_settings_callback( \WP_REST_Request $request
 			require_once ABSPATH . 'wp-admin/includes/template.php';
 		}
 
-		$service_manager = new ServicesManager();
-		$settings        = $service_manager->get_settings();
-		$new_settings    = $service_manager->sanitize_settings( $request->get_json_params() );
+		$service_manager  = new ServicesManager();
+		$current_settings = $service_manager->get_settings();
+		$new_settings     = $request->get_json_params();
+
+		// If the license key is obfuscated, use the current value.
+		if ( isset( $new_settings['license_key'] ) && CredentialObfuscator::is_obfuscated( $new_settings['license_key'] ) ) {
+			$new_settings['license_key'] = $current_settings['license_key'] ?? '';
+		}
+
+		$new_settings = $service_manager->sanitize_settings( $new_settings );
 
 		// Update the settings with the new values.
-		$new_settings = array_merge( $settings, $new_settings );
+		$new_settings = array_merge( $current_settings, $new_settings );
 		update_option( 'classifai_settings', $new_settings );
 
 		$setting_errors = get_settings_errors();
diff --git a/includes/Classifai/Features/Feature.php b/includes/Classifai/Features/Feature.php
@@ -4,6 +4,7 @@
 
 use WP_REST_Request;
 use WP_Error;
+use Classifai\Providers\CredentialObfuscator;
 
 use function Classifai\find_provider_class;
 use function Classifai\should_use_legacy_settings_panel;
@@ -301,6 +302,13 @@ public function sanitize_settings( array $settings ): array {
 		// Sanitize the feature specific settings.
 		$new_settings = $this->sanitize_default_feature_settings( $new_settings );
 
+		// Preserve obfuscated credentials for all Providers.
+		// This ensures switching Providers doesn't save obfuscated values for inactive Providers.
+		$new_settings = CredentialObfuscator::merge_all_provider_credentials(
+			$new_settings,
+			$current_settings
+		);
+
 		// Sanitize the provider specific settings.
 		$provider_instance = $this->get_feature_provider_instance( $new_settings['provider'] );
 
diff --git a/includes/Classifai/Providers/CredentialObfuscator.php b/includes/Classifai/Providers/CredentialObfuscator.php
@@ -0,0 +1,251 @@
+<?php
+/**
+ * Helper class for credential obfuscation functionality.
+ *
+ * @package Classifai
+ */
+
+namespace Classifai\Providers;
+
+use Classifai\Providers\ProviderProfiles;
+
+if ( ! defined( 'ABSPATH' ) ) {
+	exit;
+}
+
+/**
+ * CredentialObfuscator class.
+ *
+ * Handles obfuscation of sensitive credentials when displayed in the admin UI
+ * and preserves original values when obfuscated values are submitted.
+ *
+ * @since x.x.x
+ */
+class CredentialObfuscator {
+
+	/**
+	 * Number of characters to show at the beginning of obfuscated values.
+	 *
+	 * @var int
+	 */
+	const VISIBLE_PREFIX_LENGTH = 8;
+
+	/**
+	 * Minimum number of consecutive asterisks to detect an obfuscated value.
+	 *
+	 * @var int
+	 */
+	const MIN_ASTERISKS_TO_DETECT = 3;
+
+	/**
+	 * Obfuscate a credential value.
+	 *
+	 * Returns first N characters followed by asterisks.
+	 * Example: "sk-abc123xyz789" becomes "sk-abc************"
+	 *
+	 * @since x.x.x
+	 *
+	 * @param string $value The credential value to obfuscate.
+	 * @return string The obfuscated value, or original if too short.
+	 */
+	public static function obfuscate( string $value ): string {
+		if ( empty( $value ) ) {
+			return $value;
+		}
+
+		$length = strlen( $value );
+
+		// If the value is too short, just return asterisks.
+		if ( $length <= self::VISIBLE_PREFIX_LENGTH && $length <= self::MIN_ASTERISKS_TO_DETECT ) {
+			return str_repeat( '*', self::MIN_ASTERISKS_TO_DETECT );
+		} elseif ( $length <= self::VISIBLE_PREFIX_LENGTH ) {
+			return str_repeat( '*', $length );
+		}
+
+		$prefix    = substr( $value, 0, self::VISIBLE_PREFIX_LENGTH );
+		$asterisks = str_repeat( '*', $length - self::VISIBLE_PREFIX_LENGTH );
+
+		// If we don't have enough asterisks, add more.
+		if ( strlen( $asterisks ) < self::MIN_ASTERISKS_TO_DETECT ) {
+			$asterisks = str_repeat( '*', self::MIN_ASTERISKS_TO_DETECT );
+		}
+
+		return $prefix . $asterisks;
+	}
+
+	/**
+	 * Check if a value appears to be obfuscated.
+	 *
+	 * Detects values containing 3 or more consecutive asterisks.
+	 *
+	 * @since x.x.x
+	 *
+	 * @param string $value The value to check.
+	 * @return bool True if the value appears to be obfuscated.
+	 */
+	public static function is_obfuscated( string $value ): bool {
+		if ( empty( $value ) ) {
+			return false;
+		}
+
+		$pattern = '/\*{' . self::MIN_ASTERISKS_TO_DETECT . ',}/';
+		return (bool) preg_match( $pattern, $value );
+	}
+
+	/**
+	 * Check if a field should be obfuscated.
+	 *
+	 * Returns false for non-sensitive fields like authenticated, endpoint_url, etc.
+	 *
+	 * @since x.x.x
+	 *
+	 * @param string $field The field name to check.
+	 * @param string $profile_id The profile ID.
+	 * @return bool True if the field should be obfuscated.
+	 */
+	public static function should_obfuscate_field( string $field, string $profile_id ): bool {
+		$sensitive_fields = ProviderProfiles::get_sensitive_fields( $profile_id );
+		return in_array( $field, $sensitive_fields, true );
+	}
+
+	/**
+	 * Obfuscate credential fields for a specific Provider.
+	 *
+	 * Uses ProviderProfiles to determine which fields are credentials.
+	 *
+	 * @since x.x.x
+	 *
+	 * @param string $provider_id The Provider ID (e.g., 'openai_chatgpt').
+	 * @param array  $settings    The Provider settings array.
+	 * @return array The settings with credentials obfuscated.
+	 */
+	public static function obfuscate_provider_settings( string $provider_id, array $settings ): array {
+		$profile_id = ProviderProfiles::get_profile_for_provider( $provider_id );
+
+		if ( ! $profile_id ) {
+			return $settings;
+		}
+
+		$credential_fields = ProviderProfiles::get_credential_fields( $profile_id );
+
+		foreach ( $credential_fields as $field ) {
+			if (
+				isset( $settings[ $field ] ) &&
+				is_string( $settings[ $field ] ) &&
+				self::should_obfuscate_field( $field, $profile_id )
+			) {
+				$settings[ $field ] = self::obfuscate( $settings[ $field ] );
+			}
+		}
+
+		return $settings;
+	}
+
+	/**
+	 * Obfuscate all Provider credentials in Feature settings.
+	 *
+	 * Iterates through all Provider settings in the Feature and obfuscates
+	 * their credential fields.
+	 *
+	 * @since x.x.x
+	 *
+	 * @param array $settings The complete Feature settings array.
+	 * @return array The settings with all Provider credentials obfuscated.
+	 */
+	public static function obfuscate_feature_settings( array $settings ): array {
+		$profiles = ProviderProfiles::get_all_profiles();
+
+		// Get all Provider IDs from profiles.
+		$all_provider_ids = [];
+		foreach ( $profiles as $profile ) {
+			$all_provider_ids = array_merge( $all_provider_ids, $profile['provider_ids'] );
+		}
+
+		// Obfuscate credentials for each Provider that has settings.
+		foreach ( $settings as $key => $value ) {
+			if ( is_array( $value ) && in_array( $key, $all_provider_ids, true ) ) {
+				$settings[ $key ] = self::obfuscate_provider_settings( $key, $value );
+			}
+		}
+
+		return $settings;
+	}
+
+	/**
+	 * Merge new credentials with existing credentials, preserving originals when obfuscated.
+	 *
+	 * If a new value is obfuscated, use the existing value instead.
+	 * This prevents obfuscated placeholder values from being saved to the database.
+	 *
+	 * @since x.x.x
+	 *
+	 * @param array  $new_settings      The new settings being saved.
+	 * @param array  $existing_settings The current saved settings.
+	 * @param string $provider_id       The Provider ID.
+	 * @return array The merged settings.
+	 */
+	public static function merge_credentials( array $new_settings, array $existing_settings, string $provider_id ): array {
+		$profile_id = ProviderProfiles::get_profile_for_provider( $provider_id );
+
+		if ( ! $profile_id ) {
+			return $new_settings;
+		}
+
+		$credential_fields = ProviderProfiles::get_credential_fields( $profile_id );
+
+		foreach ( $credential_fields as $field ) {
+			// Skip non-sensitive fields.
+			if ( ! self::should_obfuscate_field( $field, $profile_id ) ) {
+				continue;
+			}
+
+			// If the new value is obfuscated, preserve the existing value.
+			if (
+				isset( $new_settings[ $field ] ) &&
+				is_string( $new_settings[ $field ] ) &&
+				self::is_obfuscated( $new_settings[ $field ] ) &&
+				isset( $existing_settings[ $field ] )
+			) {
+				$new_settings[ $field ] = $existing_settings[ $field ];
+			}
+		}
+
+		return $new_settings;
+	}
+
+	/**
+	 * Merge credentials for all Providers in Feature settings.
+	 *
+	 * Iterates through all Provider settings and preserves existing credentials
+	 * when obfuscated values are submitted. This ensures switching Providers
+	 * doesn't save obfuscated values for inactive Providers.
+	 *
+	 * @since x.x.x
+	 *
+	 * @param array $new_settings      The new Feature settings being saved.
+	 * @param array $existing_settings The current saved Feature settings.
+	 * @return array The settings with all Provider credentials properly merged.
+	 */
+	public static function merge_all_provider_credentials( array $new_settings, array $existing_settings ): array {
+		$profiles = ProviderProfiles::get_all_profiles();
+
+		// Get all Provider IDs from profiles.
+		$all_provider_ids = [];
+		foreach ( $profiles as $profile ) {
+			$all_provider_ids = array_merge( $all_provider_ids, $profile['provider_ids'] );
+		}
+
+		// Merge credentials for each Provider that has settings.
+		foreach ( $new_settings as $key => $value ) {
+			if ( is_array( $value ) && in_array( $key, $all_provider_ids, true ) ) {
+				$new_settings[ $key ] = self::merge_credentials(
+					$value,
+					$existing_settings[ $key ] ?? [],
+					$key
+				);
+			}
+		}
+
+		return $new_settings;
+	}
+}
diff --git a/includes/Classifai/Providers/ProviderProfiles.php b/includes/Classifai/Providers/ProviderProfiles.php
