From 7281c9b7c83916b810584db0f0a65b64b26bcf0d Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 24 Apr 2026 21:49:26 +0000
Subject: [PATCH] mask deSEC password behind details reveal; add hex length
 comment

Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/4e99bcbc-4f32-45e6-af08-5026ce4b1f45

Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>
---
 php/src/Controller/DesecController.php | 1 +
 php/templates/containers.twig          | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/php/src/Controller/DesecController.php b/php/src/Controller/DesecController.php
index 5768f25c..e08d0d4a 100644
--- a/php/src/Controller/DesecController.php
+++ b/php/src/Controller/DesecController.php
@@ -64,6 +64,7 @@ readonly class DesecController {
             if (!$accountAlreadyRegistered) {
                 // Register an account at deSEC and obtain an API token.
                 // The password is stored so the user can log in to desec.io directly if needed.
+                // 24 random bytes encoded as hex produce a 48-character password.
                 $password = bin2hex(random_bytes(24));
                 $token = $this->registerDesecAccount($email, $password);
 
diff --git a/php/templates/containers.twig b/php/templates/containers.twig
index a6808bda..201b1dda 100644
--- a/php/templates/containers.twig
+++ b/php/templates/containers.twig
@@ -137,7 +137,7 @@
                                     <p><a target="_blank" href="https://desec.io">deSEC</a> offers free dynamic DNS subdomains under <strong>dedyn.io</strong>. AIO can register an account and a subdomain for you automatically. The <strong>caddy</strong> community container will be enabled as a reverse proxy, the <strong>dnsmasq</strong> container will be enabled for local DNS resolution, and the mastercontainer will keep your DNS record up to date automatically.</p>
                                     {% if desec_account_registered %}
                                         <p>Your deSEC account (<strong>{{ desec_email }}</strong>) was registered successfully but the domain could not be registered. Please enter a desired subdomain slug (the part before <code>.dedyn.io</code>) and try again, or leave it blank for a random one.</p>
-                                        <p>Your deSEC login credentials (for <a target="_blank" href="https://desec.io">desec.io</a>): Email: <strong>{{ desec_email }}</strong>, Password: <strong>{{ desec_password }}</strong>. Please save these in a safe place.</p>
+                                        <p>Your deSEC login credentials (for <a target="_blank" href="https://desec.io">desec.io</a>): Email: <strong>{{ desec_email }}</strong>. <details style="display:inline"><summary>Reveal deSEC password</summary><strong>{{ desec_password }}</strong></details>. Please save these in a safe place.</p>
                                         <form method="POST" action="api/desec/register" class="xhr">
                                             <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                             <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
@@ -403,7 +403,7 @@
                             <h2>deSEC account credentials</h2>
                             <p>Your domain <strong>{{ domain }}</strong> is managed via <a target="_blank" href="https://desec.io">deSEC</a>. Below are your deSEC account credentials. You can use them to log in at <a target="_blank" href="https://desec.io">desec.io</a> to manage your domain directly.</p>
                             <p>Email: <strong>{{ desec_email }}</strong></p>
-                            <p>Password: <strong>{{ desec_password }}</strong></p>
+                            <p>Password: <details style="display:inline"><summary>Reveal deSEC password</summary><strong>{{ desec_password }}</strong></details></p>
                             <p>Please save these credentials in a safe place.</p>
                         {% endif %}