Merge pull request #240 from OneSignal/show_only_last_four_of_api_key

Only show the last 4 chars of the REST API key
OneSignal · Mar 31, 2020 · 9bddbfb · 9bddbfb
2 parents c2230af + eed578d
commit 9bddbfb
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 11 deletions.
diff --git a/onesignal-admin.php b/onesignal-admin.php
@@ -406,9 +406,6 @@ public static function save_config_page($config)
       'allowed_custom_post_types',
       'notification_title',
       'custom_manifest_url',
-      'http_permission_request_modal_title',
-      'http_permission_request_modal_message',
-      'http_permission_request_modal_button_text',
       'persist_notifications',
     );
         OneSignal_Admin::saveStringSettings($onesignal_wp_settings, $config, $stringSettings);
@@ -432,11 +429,16 @@ public static function saveBooleanSettings(&$onesignal_wp_settings, &$config, $s
     public static function saveStringSettings(&$onesignal_wp_settings, &$config, $settings)
     {
         foreach ($settings as $setting) {
-            if (array_key_exists($setting, $config)) {
-                $value = $config[$setting];
-                $value = sanitize_text_field($value);
-                $onesignal_wp_settings[$setting] = $value;
+            $value = sanitize_text_field($config[$setting]);
+
+            if ($setting === 'app_rest_api_key') {
+                // Only save key if the value has been changed.
+                // This prevents its masked value from becoming the value saved to the DB
+                if (OneSignal::maskedRestApiKey($onesignal_wp_settings[$setting]) === $value)
+                    continue;
             }
+
+            $onesignal_wp_settings[$setting] = $value;
         }
     }
 

diff --git a/onesignal-settings.php b/onesignal-settings.php
@@ -87,9 +87,6 @@ public static function get_onesignal_settings() {
                   'use_custom_sdk_init' => false,
                   'show_notification_send_status_message' => true,
                   'use_http_permission_request' => 'CALCULATE_SPECIAL_VALUE',
-                  'http_permission_request_modal_title' => '',
-                  'http_permission_request_modal_message' => '',
-                  'http_permission_request_modal_button_text' => '',
                   'persist_notifications' => 'CALCULATE_SPECIAL_VALUE'
                   );
 
@@ -264,4 +261,8 @@ public static function save_onesignal_settings($settings) {
     $onesignal_wp_settings = $settings;
     update_option("OneSignalWPSetting", $onesignal_wp_settings);
   }
+
+  public static function maskedRestApiKey($rest_api_key) {
+    return str_repeat('*', 44) . substr($rest_api_key, -4);
+  }
 }
diff --git a/views/config.php b/views/config.php
@@ -9,6 +9,7 @@
 
 // The user is just viewing the config page; this page cannot be accessed directly
 $onesignal_wp_settings = OneSignal::get_onesignal_settings();
+
 ?>
 
 <header class="onesignal">
@@ -289,7 +290,7 @@
           </div>
           <div class="field">
             <label>REST API Key<i class="tiny circular help icon link" role="popup" data-title="Rest API Key" data-content="Your 48 character alphanumeric REST API Key. You can find this in App Settings > Keys & IDs." data-variation="wide"></i></label>
-            <input type="text" name="app_rest_api_key" placeholder="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" value="<?php echo esc_attr($onesignal_wp_settings['app_rest_api_key']); ?>">
+            <input type="text" name="app_rest_api_key" placeholder="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" value="<?php echo esc_attr(OneSignal::maskedRestApiKey($onesignal_wp_settings['app_rest_api_key'])); ?>">
           </div>
           <div class="field subdomain-feature">
             <label>OneSignal Label<i class="tiny circular help icon link" role="popup" data-title="Subdomain" data-content="The label you chose for your site. You can find this in Step 2. Wordpress Site Setup" data-variation="wide"></i></label>