You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: CONTRIBUTING.md
+27Lines changed: 27 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -116,6 +116,33 @@ Flowise has 3 different modules in a single mono repository.
116
116
117
117
11. Commit code and submit Pull Request from forked branch pointing to [Flowise main](https://github.com/FlowiseAI/Flowise/tree/main).
118
118
119
+
### Adding or modifying credential definitions
120
+
121
+
Credential definitions live in`packages/components/credentials/`. Each input field has a `type` that controls both UI rendering and how the value is handled on the server.
122
+
123
+
**Security rule: any field that contains a secret must use `type: 'url'` or `type: 'password'` — never `type: 'string'`.**
124
+
125
+
The server redacts both `url` and `password` fields before returning credential data to the client. Fields typed `string` are returned in plaintext, which exposes stored secrets to any authenticated user with `credentials:view` permission.
126
+
127
+
Use `type: 'url'`for connection strings with embedded credentials:
128
+
129
+
- Connection URLs that embed a username/password (e.g. `mongodb+srv://user:pass@host/db`, `redis://:pass@host`, `postgresql://user:pass@host/db`)
130
+
- Displayed with the password portion masked (e.g. `mongodb+srv://user:••••••@host/db`); users with edit permission can reveal the full URL
131
+
132
+
Use `type: 'password'`for opaque secrets with no meaningful preview:
133
+
134
+
- API keys, access keys, secret keys, tokens
135
+
- JSON blobs containing private keys or certificates (e.g. Google service account JSON)
136
+
- Fully redacted in the UI; users must replace the entire value to update them
137
+
138
+
Fields that are safe as `type: 'string'`:
139
+
140
+
- Usernames / account names (when the password is a separate field)
141
+
- Region, host, port, database name, project ID
142
+
- Non-secret identifiers and configuration values
143
+
144
+
If in doubt, use `type: 'password'`. The only cost is that the field must be re-entered on edit; the cost of using `type: 'string'`for a secret is that it is exposed via the API.
145
+
119
146
### Testing
120
147
121
148
- Unit tests are **co-located** with their source files — a testfor`Foo.ts` livesin`Foo.test.ts`in the same directory. This is the standard used across all packages in this repo.
0 commit comments