[core] Mark canonical sensitive fields with cv.sensitive (#16677)

2026-06-24 12:53:26 +00:00 · 2026-05-26 19:16:47 -05:00
parent a6ef67aa65
commit 91ead4ff54
6 changed files with 10 additions and 10 deletions
--- a/esphome/components/api/init.py
+++ b/esphome/components/api/init.py
@@ -234,7 +234,7 @@ ACTIONS_SCHEMA = automation.validate_automation(

 ENCRYPTION_SCHEMA = cv.Schema(
    {
-        cv.Optional(CONF_KEY): validate_encryption_key,
+        cv.Optional(CONF_KEY): cv.sensitive(validate_encryption_key),
    }
 )

--- a/esphome/components/esphome/ota/init.py
+++ b/esphome/components/esphome/ota/init.py
@@ -133,7 +133,7 @@ CONFIG_SCHEMA = cv.All(
                host=8082,
            ): cv.port,
            cv.Optional(CONF_ALLOW_PARTITION_ACCESS, default=False): cv.boolean,
-            cv.Optional(CONF_PASSWORD): cv.string,
+            cv.Optional(CONF_PASSWORD): cv.sensitive(),
            cv.Optional(CONF_NUM_ATTEMPTS): cv.invalid(
                f"'{CONF_SAFE_MODE}' (and its related configuration variables) has moved from 'ota' to its own component. See https://esphome.io/components/safe_mode"
            ),
--- a/esphome/components/http_request/ota/init.py
+++ b/esphome/components/http_request/ota/init.py
@@ -57,7 +57,7 @@ OTA_HTTP_REQUEST_FLASH_ACTION_SCHEMA = cv.All(
            cv.Optional(CONF_MD5): cv.templatable(
                cv.All(cv.string, cv.Length(min=32, max=32))
            ),
-            cv.Optional(CONF_PASSWORD): cv.templatable(cv.string),
+            cv.Optional(CONF_PASSWORD): cv.sensitive(cv.templatable(cv.string)),
            cv.Optional(CONF_USERNAME): cv.templatable(cv.string),
            cv.Required(CONF_URL): cv.templatable(cv.url),
        }
--- a/esphome/components/mqtt/init.py
+++ b/esphome/components/mqtt/init.py
@@ -232,7 +232,7 @@ CONFIG_SCHEMA = cv.All(
            cv.Optional(CONF_ENABLE_ON_BOOT, default=True): cv.boolean,
            cv.Optional(CONF_PORT, default=1883): cv.port,
            cv.Optional(CONF_USERNAME, default=""): cv.string,
-            cv.Optional(CONF_PASSWORD, default=""): cv.string,
+            cv.Optional(CONF_PASSWORD, default=""): cv.sensitive(),
            cv.Optional(CONF_CLEAN_SESSION, default=False): cv.boolean,
            cv.Optional(CONF_CLIENT_ID): cv.string,
            cv.SplitDefault(CONF_IDF_SEND_ASYNC, esp32=False): cv.All(
--- a/esphome/components/web_server/init.py
+++ b/esphome/components/web_server/init.py
@@ -193,8 +193,8 @@ CONFIG_SCHEMA = cv.All(
                    cv.Required(CONF_USERNAME): cv.All(
                        cv.string_strict, cv.Length(min=1)
                    ),
-                    cv.Required(CONF_PASSWORD): cv.All(
-                        cv.string_strict, cv.Length(min=1)
+                    cv.Required(CONF_PASSWORD): cv.sensitive(
+                        cv.All(cv.string_strict, cv.Length(min=1))
                    ),
                }
            ),
--- a/esphome/components/wifi/init.py
+++ b/esphome/components/wifi/init.py
@@ -251,7 +251,7 @@ EAP_AUTH_SCHEMA = cv.All(
        {
            cv.Optional(CONF_IDENTITY): cv.string_strict,
            cv.Optional(CONF_USERNAME): cv.string_strict,
-            cv.Optional(CONF_PASSWORD): cv.string_strict,
+            cv.Optional(CONF_PASSWORD): cv.sensitive(cv.string_strict),
            cv.Optional(CONF_CERTIFICATE_AUTHORITY): wpa2_eap.validate_certificate,
            cv.SplitDefault(CONF_TTLS_PHASE_2, esp32="mschapv2"): cv.All(
                cv.enum(TTLS_PHASE_2), cv.only_on_esp32
@@ -272,7 +272,7 @@ WIFI_NETWORK_BASE = cv.Schema(
    {
        cv.GenerateID(): cv.declare_id(WiFiAP),
        cv.Optional(CONF_SSID): cv.ssid,
-        cv.Optional(CONF_PASSWORD): validate_password,
+        cv.Optional(CONF_PASSWORD): cv.sensitive(validate_password),
        cv.Optional(CONF_CHANNEL): validate_channel,
        cv.Optional(CONF_MANUAL_IP): STA_MANUAL_IP_SCHEMA,
    }
@@ -435,7 +435,7 @@ CONFIG_SCHEMA = cv.All(
                cv.ensure_list(WIFI_NETWORK_STA), cv.Length(max=MAX_WIFI_NETWORKS)
            ),
            cv.Optional(CONF_SSID): cv.ssid,
-            cv.Optional(CONF_PASSWORD): validate_password,
+            cv.Optional(CONF_PASSWORD): cv.sensitive(validate_password),
            cv.Optional(CONF_MANUAL_IP): STA_MANUAL_IP_SCHEMA,
            cv.Optional(CONF_EAP): EAP_AUTH_SCHEMA,
            cv.Optional(CONF_AP): wifi_network_ap,
@@ -851,7 +851,7 @@ async def final_step():
    cv.Schema(
        {
            cv.Required(CONF_SSID): cv.templatable(cv.ssid),
-            cv.Required(CONF_PASSWORD): cv.templatable(validate_password),
+            cv.Required(CONF_PASSWORD): cv.sensitive(cv.templatable(validate_password)),
            cv.Optional(CONF_SAVE, default=True): cv.templatable(cv.boolean),
            cv.Optional(CONF_TIMEOUT, default="30000ms"): cv.templatable(
                cv.positive_time_period_milliseconds