Description of the Change

At the moment, we grab all settings when rendering our settings page. This includes any Provider credentials that have previously been saved. This allows us to populate those credential fields with saved values so if any additional saves happen, we don't lose those credentials.

The issue here is that means these credentials are rendered in plain text, both in the API response that gets our settings and in the text inputs themselves. This isn't a huge deal as only administrators have access to these setting pages but it still isn't ideal.

This PR fixes that by adding in an CredentialObfuscator class that will take all the settings we have saved and will then obfuscate just the private credential fields (like API keys). This only happens when we get our settings to display, not when we get the settings to use in API requests. We then check that we don't have obfuscated credentials when saving and if we do, we ignore those credentials (so we don't save obfuscated credentials).

How to test the Change

1. Add credentials for one or more Providers and save those
2. Refresh the page and then inspect the source, ensuring the value of the text input is obfuscated
3. Can also refresh the page and inspect the network requests to ensure the response from our settings endpoint returns obfuscated credentials
4. Ensure that if you re-save a previously configured Provider that the obfuscated credentials aren't saved to the database and the Provider continues to work

Changelog Entry

Security - Add a CredentialObfuscator class that will obfuscate any private credentials before rendering those.

Credits

Props @dkotter

Checklist:

• I agree to follow this project's Code of Conduct.
• I have updated the documentation accordingly.
• I have added Critical Flows, Test Cases, and/or End-to-End Tests to cover my change.
• All new and existing tests pass.