Ignore redacted dashboard admin keys

Author: yelixir-dev

src/dashboard.ts

@@ -49,12 +49,14 @@ const initialConfig=${scriptJson(initialConfig)};
 let cfg=initialConfig, dirty=false;
 const $=id=>document.getElementById(id); const esc=v=>String(v??'').replace(/[&<>"']/g,ch=>({'&':'&amp;','<':'&lt;','>':'&gt;','"':'&quot;',"'":'&#39;'}[ch])); const toast=t=>{ $('toast').textContent=t; $('toast').classList.add('show'); setTimeout(()=>$('toast').classList.remove('show'),2500); };
 const expiredIds=new Set();
-function fullBridgeKey(){const raw=($('bridgeApiKey')?.value||'').trim(); if(!raw)return ''; return raw.startsWith('sk-')?raw:'sk-'+raw;}
-function displayBridgeKey(key){return key?.startsWith('sk-')?key.slice(3):(key||'')}
-function auth(){const key=cfg?.bridgeApiKey||localStorage.getItem('bridgeApiKey')||fullBridgeKey()||''; return key?{'authorization':'Bearer '+key,'content-type':'application/json'}:{'content-type':'application/json'}}
+function isRedactedSecret(value){const v=String(value||'').trim(); return !v||v==='[REDACTED]'||v==='sk-[REDACTED]'||v.includes('…')||v.includes('...');}
+function fullBridgeKey(){const raw=($('bridgeApiKey')?.value||'').trim(); if(!raw||isRedactedSecret(raw))return ''; return raw.startsWith('sk-')?raw:'sk-'+raw;}
+function displayBridgeKey(key){return isRedactedSecret(key)?'':(key?.startsWith('sk-')?key.slice(3):(key||''))}
+function authKey(value){return isRedactedSecret(value)?'':String(value||'').trim();}
+function auth(){const key=authKey(cfg?.bridgeApiKey)||authKey(localStorage.getItem('bridgeApiKey'))||fullBridgeKey()||''; return key?{'authorization':'Bearer '+key,'content-type':'application/json'}:{'content-type':'application/json'}}
 function duplicateCredentialMessage(e){const text=String(e?.message||e||''); return text.includes('duplicate_commandcode_api_key')||text.includes('Duplicate CommandCode API key')?'이미 등록된 키입니다. 다른 CommandCode API key를 입력해주세요.':null;}
 function preventDuplicateVisibleKey(input){const value=input.value.trim(); if(!value)return false; const dup=Array.from(document.querySelectorAll('[data-ckey]')).some(el=>el!==input&&el.value.trim()===value); if(!dup)return false; const i=+input.dataset.ckey; input.value=''; if(cfg?.credentials?.[i])cfg.credentials[i].apiKey=''; toast('이미 등록된 키입니다. 입력하지 않았습니다.'); return true;}
-function syncBridgeKey(){const el=$('bridgeApiKey'); if(!el)return; const configured=cfg?.bridgeApiKey||''; const stored=localStorage.getItem('bridgeApiKey')||''; const key=configured||stored; if(configured&&stored!==configured)localStorage.setItem('bridgeApiKey',configured); if(document.activeElement!==el) el.value=displayBridgeKey(key); const wrap=$('bridgeKeyWrap'); if(wrap) wrap.style.display=$('bindHost')?.value==='0.0.0.0'?'grid':'none';}
+function syncBridgeKey(){const el=$('bridgeApiKey'); if(!el)return; const configured=authKey(cfg?.bridgeApiKey); const stored=authKey(localStorage.getItem('bridgeApiKey')); const key=configured||stored; if(configured&&stored!==configured)localStorage.setItem('bridgeApiKey',configured); if(document.activeElement!==el) el.value=displayBridgeKey(key); const wrap=$('bridgeKeyWrap'); if(wrap) wrap.style.display=$('bindHost')?.value==='0.0.0.0'?'grid':'none';}
 function setDirty(v=true){dirty=v; $('dirtyText').textContent=v?'pending changes · restart required':'no pending changes'; updateRestart();}
 function updateRestart(){const online=$('online').textContent==='online'; $('restart').disabled=online&&!dirty; $('restart').classList.toggle('active',!$('restart').disabled)}
 async function fetchJson(path,opt={}){const init={...opt,cache:'no-store',headers:{...auth(),...(opt.headers||{})}}; try{const r=await fetch(path,init); if(!r.ok) throw new Error(await r.text()); return r.json();}catch(e){if(location.hostname&&!location.port){const r=await fetch('http://'+location.hostname+':9992'+path,init); if(!r.ok) throw new Error(await r.text()); return r.json();}throw e;}}

tests/dashboard-ui.test.ts

@@ -116,7 +116,22 @@ describe("dashboard UI", () => {
       bridgeApiKey: "test-admin-token",
     });
 
-    expect(html).toContain("cfg?.bridgeApiKey||localStorage.getItem('bridgeApiKey')");
+    expect(html).toContain("authKey(cfg?.bridgeApiKey)||authKey(localStorage.getItem('bridgeApiKey'))");
     expect(html).toContain("'authorization':'Bearer '+key");
   });
+
+  it("does not treat redacted admin API key values as usable write credentials", () => {
+    const html = dashboardHtml({
+      server: { host: "0.0.0.0", port: 9992 },
+      routing: { policy: "daily_burn_priority", maxInFlightPerCredential: 4 },
+      credentials: [],
+      models: [],
+      bridgeApiKey: "[REDACTED]",
+    });
+
+    expect(html).toContain("function isRedactedSecret");
+    expect(html).toContain("authKey(cfg?.bridgeApiKey)");
+    expect(html).toContain("const configured=authKey(cfg?.bridgeApiKey)");
+    expect(html).toContain("return isRedactedSecret(key)?''");
+  });
 });