github-starred/open-webui
2
0
Fork 0
mirror of https://github.com/open-webui/open-webui.git synced 2026-05-05 18:38:17 -05:00
Code Issues 1.1k Packages Projects Releases 126 Wiki Activity

[GH-ISSUE #20852] feat: Support Password Masking in UserValves #34842

New Issue
Closed
opened 2026-04-25 09:01:36 -05:00 by GiteaMirror · 1 comment
GiteaMirror commented 2026-04-25 09:01:36 -05:00
Owner
Copy Link

Originally created by @EliasBA on GitHub (Jan 21, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/20852

Check Existing Issues

  • I have searched for all existing open AND closed issues and discussions for similar requests. I have found none that is comparable to my request.

Verify Feature Scope

  • I have read through and understood the scope definition for feature requests in the Issues section. I believe my feature request meets the definition and belongs in the Issues section instead of the Discussions.

Problem Description

When creating Tools or Functions with UserValves that contain sensitive fields like passwords, the password is displayed as plain text in the OpenWebUI settings UI.

This is a security concern because:

  • Passwords are visible on screen (shoulder surfing risk)
  • Passwords may be visible in screenshots
  • Users expect password fields to be masked in settings forms

Current Behavior:
The standard JSON Schema format: "password" attribute is not recognized by the Valves.svelte component.

class UserValves(BaseModel):
    exchange_password: str = Field(
        default="",
        description="Your Exchange/AD password",
        json_schema_extra={"format": "password"}  # <-- Currently IGNORED by the UI
    )

Desired Solution you'd like

Support the standard JSON Schema format: "password" attribute in Valves.svelte to render sensitive fields as password inputs (masked with dots).

OpenWebUI already has a SensitiveInput.svelte component. I propose modifying src/lib/components/common/Valves.svelte to use this existing component when the format is detected.

Implementation Logic:
Inside the valves rendering loop:

  1. Check if valvesSpec.properties[property]?.format === 'password'
  2. If true, render <SensitiveInput ... /> instead of the default <input type="text"> or <textarea>.

Alternatives Considered

  • Using "api_key" naming convention: We considered naming fields api_key to hope for auto-detection, but this is semantically incorrect for actual user passwords (e.g., database or service passwords).
  • Custom HTML in Description: Not supported/sanitized.
  • Doing nothing: Leaves credentials exposed in the UI.

Additional Context

Implementation Suggestion:
In src/lib/components/common/Valves.svelte, add this condition to the main rendering loop:

{:else if valvesSpec.properties[property]?.format === 'password'}
    <SensitiveInput
        placeholder={valvesSpec.properties[property]?.description ?? ''}
        bind:value={valves[property]}
    />

Benefits:

  • Security: Passwords hidden from view by default.
  • Standard: Uses standard Pydantic/JSON Schema format: "password".
  • Easy: Low-effort change leveraging the existing content.

For Tool Developers:
They can simply add json_schema_extra={"format": "password"} to their Pydantic models.

Originally created by @EliasBA on GitHub (Jan 21, 2026). Original GitHub issue: https://github.com/open-webui/open-webui/issues/20852 ### Check Existing Issues - [x] I have searched for all existing **open AND closed** issues and discussions for similar requests. I have found none that is comparable to my request. ### Verify Feature Scope - [x] I have read through and understood the scope definition for feature requests in the Issues section. I believe my feature request meets the definition and belongs in the Issues section instead of the Discussions. ### Problem Description When creating Tools or Functions with `UserValves` that contain sensitive fields like passwords, the password is displayed as **plain text** in the OpenWebUI settings UI. This is a security concern because: - Passwords are visible on screen (shoulder surfing risk) - Passwords may be visible in screenshots - Users expect password fields to be masked in settings forms **Current Behavior:** The standard JSON Schema `format: "password"` attribute is **not recognized** by the `Valves.svelte` component. ```python class UserValves(BaseModel): exchange_password: str = Field( default="", description="Your Exchange/AD password", json_schema_extra={"format": "password"} # <-- Currently IGNORED by the UI ) ``` ### Desired Solution you'd like Support the standard JSON Schema `format: "password"` attribute in `Valves.svelte` to render sensitive fields as password inputs (masked with dots). OpenWebUI already has a `SensitiveInput.svelte` component. I propose modifying `src/lib/components/common/Valves.svelte` to use this existing component when the format is detected. **Implementation Logic:** Inside the valves rendering loop: 1. Check if `valvesSpec.properties[property]?.format === 'password'` 2. If true, render `<SensitiveInput ... />` instead of the default `<input type="text">` or `<textarea>`. ### Alternatives Considered - **Using "api_key" naming convention:** We considered naming fields `api_key` to hope for auto-detection, but this is semantically incorrect for actual user passwords (e.g., database or service passwords). - **Custom HTML in Description:** Not supported/sanitized. - **Doing nothing:** Leaves credentials exposed in the UI. ### Additional Context **Implementation Suggestion:** In `src/lib/components/common/Valves.svelte`, add this condition to the main rendering loop: ```svelte {:else if valvesSpec.properties[property]?.format === 'password'} <SensitiveInput placeholder={valvesSpec.properties[property]?.description ?? ''} bind:value={valves[property]} /> ``` **Benefits:** - ✅ **Security:** Passwords hidden from view by default. - ✅ **Standard:** Uses standard Pydantic/JSON Schema `format: "password"`. - ✅ **Easy:** Low-effort change leveraging the existing content. **For Tool Developers:** They can simply add `json_schema_extra={"format": "password"}` to their Pydantic models.
GiteaMirror commented 2026-04-25 09:01:39 -05:00
Author
Owner
Copy Link

@tjbck commented on GitHub (Jan 21, 2026):

Addressed with 8c70453b2e in dev!

<!-- gh-comment-id:3781578698 --> @tjbck commented on GitHub (Jan 21, 2026): Addressed with 8c70453b2e3a6958437d951751e84acbbaafd9aa in dev!
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
confirmed
confirmed issue
core
documentation
enhancement
good first issue
help wanted
non-core
pull-request
Mirrored from GitHub Pull Request
 python
question
testing wanted
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#34842
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?