how to hide password with ********* on swagger ui with flask_restplus in python

Question

Hi Below is my running code , can be accessed with below URL: http://127.0.0.1:5000/api/documentation

from flask import Flask, Blueprint
from flask_restplus import Api, Resource, fields

app = Flask(__name__)
blueprint = Blueprint('api', __name__, url_prefix='/api')
api = Api(blueprint, doc='/documentation') #,doc=False

app.register_blueprint(blueprint)

app.config['SWAGGER_UI_JSONEDITOR'] = True

login_details = api.model('LoginModel',{'user_name' : fields.String('The Username.'),'pass_word' : fields.String('The password.'),})
# pass_word = api.model('Pwd', {'pass_word' : fields.String('The password.')})
credentials = []
python = {'user_name' : '1234','pwd':'23213413'}
credentials.append(python)

@api.route('/login')
class Language(Resource):

    @api.marshal_with(login_details, envelope='the_data',mask='pass_word')
    def get(self):
        return credentials

    @api.expect(login_details)
    @api.marshal_with(login_details, envelope='the_data',mask='pass_word')
    def post(self):
        login_details = api.payload
        print(login_details)
        login_details['id'] = len(credentials) + 1

        credentials.append(login_details)
        return {'result' : 'credentials added'}, 201

if __name__ == '__main__':
    app.run(debug=True)

Can you please tell what should i do to to hide the password with ***** when i entering on the swagger UI , and value should be passed to the argument correctly.

I think you need to question the design since you need to type a password in swagger-ui, which is a development tool. By right, you type a password in a User Interface (which you build for purpose-fit). Swagger-ui is a development/testing tool. — Edward Aung, Mar 19 '19 at 03:47

score 5 · Answer 1 · edited Jun 20 '20 at 09:12

According to flask-restful documentation about Models, you can see at the beginning that the fields.Raw class can take a format parameter :

It can:

modify how the value of existing object keys should be presented

So you can use this format parameter with the value 'password', as documented in the Swagger documentation about data types under the "String" section :

An optional format modifier serves as a hint at the contents and format of the string. OpenAPI defines the following built-in string formats:

[...]

password – a hint to UIs to mask the input

So you COULD use this format='password' like so in your field definition:

pass_word = fields.String('The password.', format='password')

But the problem is that you are using the expect decorator, with standard Model definition, which does not allow you to easily customize your request parser. I would recommend to use Marshmallow to be able to have better control of your object serialization.

score 0 · Answer 2 · answered Mar 28 '23 at 17:02

For people in the future, prefer to use Flask_RestX (instead of discontinued flask_restplus), if the format=password wont work, you can use reqparse with password schema type:

Password = fields.String()
Password.__schema_format__ = "password"
parser.add_argument('pass', type=Password(), location='files')

score 0 · Answer 3 · answered May 03 '23 at 11:15

You can take, for example, the email object in flask-restx.inputs and create your own password object.

class password(object):
    def __call__(self, value):
        return value

    @property
    def __schema__(self):
        return {
            "type": "string",
            "format": "password",
        }

parser.add_argument(
    'password',
    type=password(),
    location='form',
)

how to hide password with ********* on swagger ui with flask_restplus in python

3 Answers3