Add v3.42.5

core/server/api/canary/settings.js

@@ -26,12 +26,14 @@ module.exports = {
                 }));
             }
 
-            // CASE: omit core settings unless internal request
             if (!frame.options.context.internal) {
+                // CASE: omit core settings unless internal request
                 settings = _.filter(settings, (setting) => {
                     const isCore = setting.group === 'core';
                     return !isCore;
                 });
+                // CASE: omit secret settings unless internal request
+                settings = settings.map(settingsService.hideValueIfSecret);
             }
 
             return settings;
@@ -70,6 +72,8 @@ module.exports = {
                 }));
             }
 
+            setting = settingsService.hideValueIfSecret(setting);
+
             return {
                 [frame.options.key]: setting
             };
@@ -217,16 +221,18 @@ module.exports = {
         async query(frame) {
             const stripeConnectIntegrationToken = frame.data.settings.find(setting => setting.key === 'stripe_connect_integration_token');
 
-            // The `stripe_connect_integration_token` "setting" is only used to set the `stripe_connect_*` settings.
             const settings = frame.data.settings.filter((setting) => {
+                // The `stripe_connect_integration_token` "setting" is only used to set the `stripe_connect_*` settings.
                 return ![
                     'stripe_connect_integration_token',
                     'stripe_connect_publishable_key',
                     'stripe_connect_secret_key',
                     'stripe_connect_livemode',
                     'stripe_connect_account_id',
                     'stripe_connect_display_name'
-                ].includes(setting.key);
+                ].includes(setting.key)
+                // Remove obfuscated settings
+                && !(setting.value === settingsService.obfuscatedSetting && settingsService.isSecretSetting(setting));
             });
 
             const getSetting = setting => settingsCache.get(setting.key, {resolve: false});

core/server/api/v2/settings.js

@@ -24,12 +24,14 @@ module.exports = {
                 }));
             }
 
-            // CASE: omit core settings unless internal request
             if (!frame.options.context.internal) {
+                // CASE: omit core settings unless internal request
                 settings = _.filter(settings, (setting) => {
                     const isCore = setting.group === 'core';
                     return !isCore;
                 });
+                // CASE: omit secret settings unless internal request
+                settings = settings.map(settingsService.hideValueIfSecret);
             }
 
             return settings;
@@ -68,6 +70,8 @@ module.exports = {
                 }));
             }
 
+            setting = settingsService.hideValueIfSecret(setting);
+
             return {
                 [frame.options.key]: setting
             };
@@ -108,7 +112,10 @@ module.exports = {
             }
 
             frame.data.settings = _.reject(frame.data.settings, (setting) => {
-                return setting.key === 'type';
+                return setting.key === 'type'
+                    // Remove obfuscated settings
+                    || (setting.value === settingsService.obfuscatedSetting
+                        && settingsService.isSecretSetting(setting));
             });
 
             const errors = [];

core/server/api/v3/settings.js

@@ -26,12 +26,14 @@ module.exports = {
                 }));
             }
 
-            // CASE: omit core settings unless internal request
             if (!frame.options.context.internal) {
+                // CASE: omit core settings unless internal request
                 settings = _.filter(settings, (setting) => {
                     const isCore = setting.group === 'core';
                     return !isCore;
                 });
+                // CASE: omit secret settings unless internal request
+                settings = settings.map(settingsService.hideValueIfSecret);
             }
 
             return settings;
@@ -70,6 +72,8 @@ module.exports = {
                 }));
             }
 
+            setting = settingsService.hideValueIfSecret(setting);
+
             return {
                 [frame.options.key]: setting
             };
@@ -217,16 +221,18 @@ module.exports = {
         async query(frame) {
             const stripeConnectIntegrationToken = frame.data.settings.find(setting => setting.key === 'stripe_connect_integration_token');
 
-            // The `stripe_connect_integration_token` "setting" is only used to set the `stripe_connect_*` settings.
             const settings = frame.data.settings.filter((setting) => {
+                // The `stripe_connect_integration_token` "setting" is only used to set the `stripe_connect_*` settings.
                 return ![
                     'stripe_connect_integration_token',
                     'stripe_connect_publishable_key',
                     'stripe_connect_secret_key',
                     'stripe_connect_livemode',
                     'stripe_connect_account_id',
                     'stripe_connect_display_name'
-                ].includes(setting.key);
+                ].includes(setting.key)
+                // Remove obfuscated settings
+                && !(setting.value === settingsService.obfuscatedSetting && settingsService.isSecretSetting(setting));
             });
 
             const getSetting = setting => settingsCache.get(setting.key, {resolve: false});

core/server/services/settings/index.js

@@ -5,6 +5,22 @@
 const models = require('../../models');
 const SettingsCache = require('./cache');
 
+// The string returned when a setting is set as write-only
+const obfuscatedSetting = '••••••••';
+
+// The function used to decide whether a setting is write-only
+function isSecretSetting(setting) {
+    return /secret/.test(setting.key);
+}
+
+// The function that obfuscates a write-only setting
+function hideValueIfSecret(setting) {
+    if (setting.value && isSecretSetting(setting)) {
+        return {...setting, value: obfuscatedSetting};
+    }
+    return setting;
+}
+
 module.exports = {
     async init() {
         const settingsCollection = await models.Settings.populateDefaults();
@@ -44,5 +60,9 @@ module.exports = {
                 value: currentRoutesHash
             }], {context: {internal: true}});
         }
-    }
+    },
+
+    obfuscatedSetting,
+    isSecretSetting,
+    hideValueIfSecret
 };

package.json

@@ -1,6 +1,6 @@
 {
   "name": "ghost",
-  "version": "3.42.4",
+  "version": "3.42.5",
   "description": "The professional publishing platform",
   "author": "Ghost Foundation",
   "homepage": "https://ghost.org",