The values for
discourse subscriptions secret key and
discourse_subscriptions_webhook_secret are not being masked out in the plugin settings, they are visible there and are also visible in the staff action logs.
It’s probably better to hide them…
Are you sure Richard?:
client: false suggests they are not serialised unless you are admin and in admin route? (Otherwise you couldn’t set them)
This is not about
client: true but about
secret: true which masks the value (which can be toggled with the icon) and which removes the value from the staff action logs. This is the case for all other secrets and passwords in settings (like the secrets for Twitter, Facebook, Google oAuth2, Discord, Github, SSO client and provider etc etc)
As you can see
secret: true is not present there.
Ah, sorry, and now I see why you put this in #ux