yuseok89 opened a new issue, #60370:
URL: https://github.com/apache/airflow/issues/60370
### Apache Airflow version
3.1.5
### If "Other Airflow 3 version" selected, which one?
_No response_
### What happened?
When adding connections (tested with Slack API, but applies to all
connection types), I noticed that sensitive fields (fields whose names are in
`DEFAULT_SENSITIVE_FIELDS`) in the `extra_fields` are being masked correctly,
but they are incorrectly marked as **required** in the UI, even though the
documentation states that extra fields are optional.
**This issue affects all connection types**, not just Slack API. Any
connection type that has extra fields with names matching
`DEFAULT_SENSITIVE_FIELDS` (e.g., `proxy`, `password`, `token`, `secret`,
`api_key`, `access_token`, `authorization`, `passphrase`, `passwd`,
`private_key`, `proxies`, `keyfile_dict`, `service_account`) will show the same
behavior.
**Example behavior:**
- Fields like `proxy` in Slack API connection are:
- Correctly masked (showing `***`)
- Incorrectly marked as **required** (showing "This field is required")
### Screenshots
#### Add Connection Form (Slack API)
<img width="801" height="654" alt="Image"
src="https://github.com/user-attachments/assets/8a2a7e73-4299-4c12-9404-1b8dcecdd34e";
/>
#### Airflow Documentation
<img width="667" height="566" alt="Image"
src="https://github.com/user-attachments/assets/bb6ddaaa-4d1b-4518-88fd-b7781df0fee6";
/>
### What you think should happen instead?
_No response_
### How to reproduce
1. Navigate to Connections → Add a new connection
2. Select any connection type that has extra fields with sensitive field
names (e.g., **Slack API** with `proxy` field)
3. Observe the extra fields section
4. Notice that any field whose name is in `DEFAULT_SENSITIVE_FIELDS` is:
- Correctly masked (showing `***`)
- **Incorrectly marked as required** (showing "This field is required")
**Tested with:**
- Slack API connection (has `proxy` field in `DEFAULT_SENSITIVE_FIELDS`)
- Other connection types with sensitive extra fields will exhibit the same
behavior
**Possible Root Cause:**
The issue appears to be in the `redact_extra_fields` validator in
`ConnectionHookMetaData` class
(`airflow-core/src/airflow/api_fastapi/core_api/datamodels/connections.py`).
Currently, `redact_extra_fields` uses `redact(v)` which seems to call
`_redact_all()` when a field name is in `DEFAULT_SENSITIVE_FIELDS`. This might
be masking the **entire value**, potentially including the `schema.type` field
in param spec structures.
The frontend appears to use `schema.type` to determine if a field is
required (see `isParamRequired` in
`airflow-core/src/airflow/ui/src/components/FlexibleForm/isParamRequired.tsx`):
- If `schema.type` includes `"null"`, the field is optional
- If `schema.type` is masked to something like `["***", "***"]`, the
frontend might not be able to determine that it should be optional
**Potential Solution:**
One possible approach would be to:
1. For param spec structures (those with a `"schema"` key), preserve
`schema.type` to maintain the optional/required status
2. Mask only `title`, `description`, and `value` fields for sensitive fields
### Operating System
macOS 14.4
### Versions of Apache Airflow Providers
_No response_
### Deployment
Other Docker-based deployment
### Deployment details
_No response_
### Anything else?
_No response_
### Are you willing to submit PR?
- [x] Yes I am willing to submit a PR!
### Code of Conduct
- [x] I agree to follow this project's [Code of
Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
