[Bug] Active Directory Admin Bind Credentials exposed

[harvthe2]

Would prefer/expect the Admin Bind Credentials, which is the password for the service account we are using to authenticate to AD, would be ****'d out.

Thanks
-Harv

[mg1986jp]

Yeah, that's not ideal. The admin bind password should definitely be masked in the UI. This looks like a bug in the wiki.js administration panel — the password field for the LDAP/AD strategy is being rendered as a regular text input instead of a password input.

If you're concerned about exposure in the meantime, the password is stored in the database (in the authentication table), not in a config file, so access to it is limited to whoever can see that admin page or query the DB directly.

You should probably report this as a bug on the wiki.js GitHub issues rather than here in discussions — it's a straightforward UI fix (changing the input type to password) and would likely get picked up.