We’re offering hosted Vaultwarden instances for customers as a service. Our instances come pre-configured with a couple of default settings to make it as easy as possible for users to get started initially. This includes SMTP configuration that uses our own mail servers. In addition, we’d like to enable customers to access the Vaultwarden admin UI of their instance. However, the admin UI reveals SMTP credentials in plaintext. Despite the fact that this feels a bit like a security anti-pattern in general, it effectively leaves us with the tradeoff between either withholding admin access from our users or requiring them to configure their own mail server.
I’d like to ask whether there is a chance to implement a change that (optionally?) prevents the admin UI from disclosing plaintext passwords of any kind, especially the SMTP password.
That isn’t what Vaultwarden is designed for. The admin interface should be used by the administrator of the instance with all functionality.
Adding a feature like that is out of scope from my perspective. It will only cause confusion if enabled. It also would mean a lot of changes to be done on the config code and admin for such a small feature in my opinion.
You can also allow SMTP traffic from specific IPs without using a username/password with some mail servers; that would prevent those users from seeing a password at all.
Even independent from our very specific use case, it still feels a bit odd that you can display your passwords in clear text at any time after you had initially set them. I think with most other tools, it’s more common that passwords can only be set, but not retrieved, and even if there is the option for exporting the config for admins, passwords are oftentimes blanked out.
But I totally get the point that there isn’t much of an actual, good reason that would justify implementing a rather big code change like this.
Would you accept a PR for this, though? Or is it something you wouldn’t want to be included at all?
I do agree that the password and other secrets being prefilled is a bit odd nowadays. It might change in the future though, since I do find that a valid point. But that too needs large changes.
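The set-only handling of secrets discussed in this thread (a password that can be set but not read back, and is masked in the admin form), sketched as an added example. It is not Vaultwarden's code and not from any participant; the key name `smtp_password`, the mask string, and the function names are assumptions.

```rust
use std::collections::BTreeMap;

type Config = BTreeMap<String, String>;

// Hypothetical key names and mask for this sketch; not Vaultwarden's config code.
const SECRET_KEYS: &[&str] = &["smtp_password"];
const MASK: &str = "********";

fn is_secret(key: &str) -> bool {
    SECRET_KEYS.contains(&key)
}

/// Copy of the config that is safe to render in an admin form or export:
/// a stored secret is replaced by a fixed mask, so its value never leaves the server.
fn redacted_view(cfg: &Config) -> Config {
    cfg.iter()
        .map(|(k, v)| {
            let shown = if is_secret(k) && !v.is_empty() { MASK } else { v.as_str() };
            (k.clone(), shown.to_string())
        })
        .collect()
}

/// Apply a submitted form. For secret keys an empty value or the echoed mask
/// means "keep the stored value"; removing a secret needs an explicit entry in `clear`.
/// Limitation: a new secret that is literally equal to MASK cannot be set.
fn apply_update(cfg: &mut Config, submitted: &Config, clear: &[&str]) {
    for (k, v) in submitted {
        if is_secret(k) && (v.is_empty() || v.as_str() == MASK) {
            continue;
        }
        cfg.insert(k.clone(), v.clone());
    }
    for k in clear {
        if is_secret(k) {
            cfg.remove(*k);
        }
    }
}

fn main() {
    // Constructed sample values.
    let mut cfg = Config::new();
    cfg.insert("smtp_host".into(), "mail.example.test".into());
    cfg.insert("smtp_password".into(), "constructed-secret".into());
    let form = redacted_view(&cfg); // what the admin page would be prefilled with
    apply_update(&mut cfg, &form, &[]); // saving the form unchanged keeps the secret
    println!("{:?}", redacted_view(&cfg));
}
```

The server-side "unchanged" rule matters as much as the masking: without it, saving the form would overwrite the stored password with the mask.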