For secret env vars, don’t return the value

Author: matt-aitken

apps/webapp/app/routes/api.v1.projects.$projectRef.envvars.$slug.$name.ts

@@ -132,6 +132,8 @@ export async function loader({ params, request }: LoaderFunctionArgs) {
   }
 
   return json({
+    name: environmentVariable.key,
     value: environmentVariable.value,
+    isSecret: environmentVariable.isSecret,
   });
 }

apps/webapp/app/routes/api.v1.projects.$projectRef.envvars.$slug.ts

@@ -82,5 +82,11 @@ export async function loader({ params, request }: LoaderFunctionArgs) {
 
   const variables = await repository.getEnvironment(environment.project.id, environment.id);
 
-  return json(variables.map((variable) => ({ name: variable.key, value: variable.value })));
+  return json(
+    variables.map((variable) => ({
+      name: variable.key,
+      value: variable.value,
+      isSecret: variable.isSecret,
+    }))
+  );
 }

apps/webapp/app/v3/environmentVariables/environmentVariablesRepository.server.ts

@@ -15,6 +15,7 @@ import {
   DeleteEnvironmentVariable,
   DeleteEnvironmentVariableValue,
   EnvironmentVariable,
+  EnvironmentVariableWithSecret,
   ProjectEnvironmentVariable,
   Repository,
   Result,
@@ -509,7 +510,10 @@ export class EnvironmentVariablesRepository implements Repository {
     return results;
   }
 
-  async getEnvironment(projectId: string, environmentId: string): Promise<EnvironmentVariable[]> {
+  async getEnvironment(
+    projectId: string,
+    environmentId: string
+  ): Promise<EnvironmentVariableWithSecret[]> {
     const project = await this.prismaClient.project.findFirst({
       where: {
         id: projectId,
@@ -531,7 +535,36 @@ export class EnvironmentVariablesRepository implements Repository {
       return [];
     }
 
-    return this.getEnvironmentVariables(projectId, environmentId);
+    // Get the keys of all secret variables
+    const secretValues = await this.prismaClient.environmentVariableValue.findMany({
+      where: {
+        environmentId,
+        isSecret: true,
+      },
+      select: {
+        variable: {
+          select: {
+            key: true,
+          },
+        },
+      },
+    });
+    const secretVarKeys = secretValues.map((r) => r.variable.key);
+
+    const variables = await this.getEnvironmentVariables(projectId, environmentId);
+
+    // Filter out secret variables if includeSecrets is false
+    return variables.map((v) => {
+      if (secretVarKeys.includes(v.key)) {
+        return {
+          key: v.key,
+          value: "<redacted>",
+          isSecret: true,
+        };
+      }
+
+      return { key: v.key, value: v.value, isSecret: false };
+    });
   }
 
   async #getSecretEnvironmentVariables(

apps/webapp/app/v3/environmentVariables/repository.ts

@@ -79,12 +79,25 @@ export type EnvironmentVariable = {
   value: string;
 };
 
+export type EnvironmentVariableWithSecret = EnvironmentVariable & {
+  isSecret: boolean;
+};
+
 export interface Repository {
   create(projectId: string, options: CreateEnvironmentVariables): Promise<CreateResult>;
   edit(projectId: string, options: EditEnvironmentVariable): Promise<Result>;
   editValue(projectId: string, options: EditEnvironmentVariableValue): Promise<Result>;
   getProject(projectId: string): Promise<ProjectEnvironmentVariable[]>;
-  getEnvironment(projectId: string, environmentId: string): Promise<EnvironmentVariable[]>;
+  /**
+   * Get the environment variables for a given environment, it does NOT return values for secret variables
+   */
+  getEnvironment(
+    projectId: string,
+    environmentId: string
+  ): Promise<EnvironmentVariableWithSecret[]>;
+  /**
+   * Return all env vars, including secret variables with values. Should only be used for executing tasks.
+   */
   getEnvironmentVariables(projectId: string, environmentId: string): Promise<EnvironmentVariable[]>;
   delete(projectId: string, options: DeleteEnvironmentVariable): Promise<Result>;
   deleteValue(projectId: string, options: DeleteEnvironmentVariableValue): Promise<Result>;

packages/core/src/v3/apiClient/index.ts

@@ -17,6 +17,7 @@ import {
   DeletedScheduleObject,
   EnvironmentVariableResponseBody,
   EnvironmentVariableValue,
+  EnvironmentVariableWithSecret,
   EnvironmentVariables,
   ListQueueOptions,
   ListRunResponseItem,
@@ -549,7 +550,7 @@ export class ApiClient {
 
   listEnvVars(projectRef: string, slug: string, requestOptions?: ZodFetchOptions) {
     return zodfetch(
-      EnvironmentVariables,
+      z.array(EnvironmentVariableWithSecret),
       `${this.baseUrl}/api/v1/projects/${projectRef}/envvars/${slug}`,
       {
         method: "GET",
@@ -579,7 +580,7 @@ export class ApiClient {
 
   retrieveEnvVar(projectRef: string, slug: string, key: string, requestOptions?: ZodFetchOptions) {
     return zodfetch(
-      EnvironmentVariableValue,
+      EnvironmentVariableWithSecret,
       `${this.baseUrl}/api/v1/projects/${projectRef}/envvars/${slug}/${key}`,
       {
         method: "GET",

packages/core/src/v3/schemas/api.ts

@@ -806,11 +806,26 @@ export const EnvironmentVariable = z.object({
   name: z.string(),
   value: z.string(),
 });
-
 export const EnvironmentVariables = z.array(EnvironmentVariable);
 
 export type EnvironmentVariables = z.infer<typeof EnvironmentVariables>;
 
+export const EnvironmentVariableWithSecret = z.object({
+  /** The name of the env var, e.g. `DATABASE_URL` */
+  name: z.string(),
+  /** The value of the env var. If it's a secret, this will be a redacted value, not the real value.  */
+  value: z.string(),
+  /**
+   * Whether the env var is a secret or not.
+   * When you create env vars you can mark them as secrets.
+   *
+   * You can't view the value of a secret env var after setting it initially.
+   * For a secret env var, the value will be redacted.
+   */
+  isSecret: z.boolean(),
+});
+export type EnvironmentVariableWithSecret = z.infer<typeof EnvironmentVariableWithSecret>;
+
 export const UpdateMetadataRequestBody = FlushedRunMetadata;
 
 export type UpdateMetadataRequestBody = z.infer<typeof UpdateMetadataRequestBody>;

packages/trigger-sdk/src/v3/envvars.ts

@@ -4,6 +4,7 @@ import type {
   CreateEnvironmentVariableParams,
   EnvironmentVariableResponseBody,
   EnvironmentVariableValue,
+  EnvironmentVariableWithSecret,
   EnvironmentVariables,
   ImportEnvironmentVariablesParams,
   UpdateEnvironmentVariableParams,
@@ -84,13 +85,15 @@ export function list(
   projectRef: string,
   slug: string,
   requestOptions?: ApiRequestOptions
-): ApiPromise<EnvironmentVariables>;
-export function list(requestOptions?: ApiRequestOptions): ApiPromise<EnvironmentVariables>;
+): ApiPromise<EnvironmentVariableWithSecret[]>;
+export function list(
+  requestOptions?: ApiRequestOptions
+): ApiPromise<EnvironmentVariableWithSecret[]>;
 export function list(
   projectRefOrRequestOptions?: string | ApiRequestOptions,
   slug?: string,
   requestOptions?: ApiRequestOptions
-): ApiPromise<EnvironmentVariables> {
+): ApiPromise<EnvironmentVariableWithSecret[]> {
   const $projectRef = !isRequestOptions(projectRefOrRequestOptions)
     ? projectRefOrRequestOptions
     : taskContext.ctx?.project.ref;
@@ -188,17 +191,17 @@ export function retrieve(
   slug: string,
   name: string,
   requestOptions?: ApiRequestOptions
-): ApiPromise<EnvironmentVariableValue>;
+): ApiPromise<EnvironmentVariableWithSecret>;
 export function retrieve(
   name: string,
   requestOptions?: ApiRequestOptions
-): ApiPromise<EnvironmentVariableValue>;
+): ApiPromise<EnvironmentVariableWithSecret>;
 export function retrieve(
   projectRefOrName: string,
   slugOrRequestOptions?: string | ApiRequestOptions,
   name?: string,
   requestOptions?: ApiRequestOptions
-): ApiPromise<EnvironmentVariableValue> {
+): ApiPromise<EnvironmentVariableWithSecret> {
   let $projectRef: string;
   let $slug: string;
   let $name: string;