Collaborator

@douenergy douenergy commented Nov 28, 2025

Description

Use <Input.Password /> to mask the token, matching the behavior of the AWS Secret Key field and preventing accidental exposure when pasting tokens.

Summary by CodeRabbit

  • New Features

    • Added Athena data source authentication in setup, including handling for web identity tokens.
  • Bug Fixes

    • Replaced multi-line token input with a secure single-line password field and disabled autocomplete.
    • Treat web identity tokens as sensitive so they are omitted from non-sensitive outputs.


Contributor

coderabbitai bot commented Nov 28, 2025

Walkthrough

Adds Athena OIDC handling: changes the web identity token input from a multi-line TextArea to a single-line Password input (autoComplete off) in the UI, marks webIdentityToken as sensitive on the server, and integrates Athena authentication transformation in the setup hook.

Changes

| Cohort / File(s) | Change Summary |
| --- | --- |
| Athena OIDC UI (wren-ui/src/components/pages/setup/dataSources/AthenaProperties.tsx) | Replaced Input.TextArea (rows=3) with Input.Password for the web identity token field and added autoComplete="off"; placeholder and Form.Item validation unchanged. |
| Server: sensitive properties (wren-ui/src/apollo/server/services/projectService.ts) | Added webIdentityToken to the SENSITIVE_PROPERTY_NAME set so it is treated as a sensitive property by connection reducers/serializers. |
| Setup hook: Athena auth (wren-ui/src/hooks/useSetupConnectionDataSource.tsx) | Added getAthenaAuthentication and integrated Athena handling into transformFormToProperties; returns webIdentityToken unless it equals the password placeholder (preserves existing placeholder behavior). |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20–30 minutes

  • Pay attention to UI masking/clipboard/autofill effects for the new password field.
  • Verify server-side sensitive set change doesn't affect serialization/migrations/tests.
  • Check transformFormToProperties addition follows existing auth patterns and placeholder handling.

Possibly related PRs

Suggested reviewers

  • andreashimin
  • fredalai

Poem

🐰 A small field shrank to keep secrets tight,
Hidden characters dancing out of sight,
Token tucked safely, masked with care,
A rabbit hops by — secure and fair. ✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: masking the OIDC web identity token field by converting from TextArea to Password input type. |

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
wren-ui/src/components/pages/setup/dataSources/AthenaProperties.tsx (1)

60-63: LGTM! Security improvement aligns with existing patterns.

The change from Input.TextArea to Input.Password appropriately masks the web identity token, matching the existing pattern for the AWS Secret Key field (line 38). This prevents accidental exposure when pasting or displaying tokens.

Optional: Consider more specific autoComplete value.

For better browser compliance, consider using autoComplete="one-time-code" instead of "off", as browsers often ignore "off" for password fields:

         <Input.Password
           placeholder="OAuth 2.0 access token or OpenID Connect ID token"
-          autoComplete="off"
+          autoComplete="one-time-code"
         />
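
Review bot: On the `autoComplete` line, `one-time-code` labels the field as a one-time code, while the placeholder two lines above says it holds an OAuth 2.0 access token or OpenID Connect ID token, so the hint misdescribes the field and can invite one-time-code autofill suggestions on platforms that offer them. Given the comment's own remark that browsers often ignore "off" on password fields, check in the supported browsers whether either value actually suppresses the save prompt before swapping, and treat the attribute as a hint rather than the control that keeps the token out of browser storage.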

This hint better communicates to browsers that this field shouldn't be saved or auto-filled.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5c79646 and 8a608fd.

📒 Files selected for processing (1)
  • wren-ui/src/components/pages/setup/dataSources/AthenaProperties.tsx (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Analyze (go)

Contributor

@fredalai fredalai left a comment

LGTM

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
wren-ui/src/hooks/useSetupConnectionDataSource.tsx (1)

197-213: Consider adding ATHENA-specific handling in transformPropertiesToForm for consistency.

The getAthenaAuthentication function correctly handles placeholder filtering and follows the established pattern (as suggested in past review). However, there's no corresponding ATHENA case in transformPropertiesToForm (lines 111-160) to add PASSWORD_PLACEHOLDER for webIdentityToken when loading existing connections.

This means when editing an existing Athena connection that uses webIdentityToken:

  • The UI won't display a placeholder (unlike REDSHIFT's awsSecretKey at lines 129-139 or DATABRICKS's sensitive fields at lines 140-151)
  • Users must re-enter the token every time, even when not changing it

Add ATHENA handling to transformPropertiesToForm:

} else if (dataSourceType === DataSourceName.ATHENA) {
  return {
    ...properties,
    webIdentityToken: properties?.webIdentityToken || PASSWORD_PLACEHOLDER,
    awsSecretKey: properties?.awsSecretKey || PASSWORD_PLACEHOLDER,
  };

This would align with how REDSHIFT and DATABRICKS handle their sensitive authentication fields.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e0cdabe and 2486f85.

📒 Files selected for processing (1)
  • wren-ui/src/hooks/useSetupConnectionDataSource.tsx (2 hunks)
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-04-28T20:09:06.106Z
Learnt from: narsik123
Repo: Canner/WrenAI PR: 1606
File: wren-ui/src/apollo/server/dataSource.ts:135-150
Timestamp: 2025-04-28T20:09:06.106Z
Learning: The Oracle data source in WrenAI includes an SSL toggle in the UI (OracleProperties component) and should pass this setting to the connection info using the pattern `...(ssl && { kwargs: { ssl: true } })` for consistency with other host-based connections like MS SQL.

Applied to files:

  • wren-ui/src/hooks/useSetupConnectionDataSource.tsx
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Analyze (go)
🔇 Additional comments (1)
wren-ui/src/hooks/useSetupConnectionDataSource.tsx (1)

88-92: LGTM! Consistent integration with existing patterns.

The ATHENA data source branch follows the same authentication handling pattern as SNOWFLAKE and DATABRICKS, maintaining consistency across the codebase.
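
The placeholder round trip discussed in this review (server omits sensitive properties, the edit form shows a placeholder, submit drops an untouched placeholder so the stored token survives), as an added example that is not WrenAI's code. `PASSWORD_PLACEHOLDER`, `SENSITIVE_PROPERTY_NAME`, `webIdentityToken` and `awsSecretKey` are names from the page; the placeholder value, the `region` field, the sample tokens and every function here are assumptions made for illustration.

```typescript
// Added illustration, not WrenAI code. Identifier names follow the review text;
// the placeholder value and all function bodies are assumptions.
const PASSWORD_PLACEHOLDER = "************"; // constructed value
const SENSITIVE_PROPERTY_NAME = new Set<string>(["awsSecretKey", "webIdentityToken"]);

type Props = Record<string, string | undefined>;

// Server -> browser: sensitive values never leave the server.
function omitSensitive(stored: Props): Props {
  const out: Props = {};
  Object.keys(stored).forEach((k) => {
    if (!SENSITIVE_PROPERTY_NAME.has(k)) out[k] = stored[k];
  });
  return out;
}

// Browser, edit form load: fill masked fields with a placeholder, not the secret.
function toForm(fromServer: Props): Props {
  const form: Props = { ...fromServer };
  SENSITIVE_PROPERTY_NAME.forEach((k) => {
    if (!form[k]) form[k] = PASSWORD_PLACEHOLDER;
  });
  return form;
}

// Browser, submit: an untouched placeholder means "unchanged", so drop the key.
function toSubmit(form: Props): Props {
  const out: Props = {};
  Object.keys(form).forEach((k) => {
    const untouched = SENSITIVE_PROPERTY_NAME.has(k) && form[k] === PASSWORD_PLACEHOLDER;
    if (!untouched) out[k] = form[k];
  });
  return out;
}

// Server, update: keys absent from the submission keep their stored value.
function applyUpdate(stored: Props, submitted: Props): Props {
  return { ...stored, ...submitted };
}

// Constructed sample: an Athena connection stored with an OIDC token.
const storedSample: Props = { region: "us-east-1", webIdentityToken: "constructed-token-A" };

function editRegionOnly(): Props {
  const form = toForm(omitSensitive(storedSample));
  return applyUpdate(storedSample, toSubmit({ ...form, region: "eu-west-1" }));
}

function rotateToken(): Props {
  const form = toForm(omitSensitive(storedSample));
  return applyUpdate(storedSample, toSubmit({ ...form, webIdentityToken: "constructed-token-B" }));
}
```

If `toSubmit` did not strip the placeholder, `editRegionOnly` would overwrite the stored token with the literal placeholder string, which is the failure the placeholder comparison in `getAthenaAuthentication` guards against.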

@douenergy douenergy merged commit cbc8aa5 into main Nov 28, 2025
10 checks passed