feat(oauth): replace HIDDEN_VALUE with UNKNOWN_VALUE for better credential handling

api/constants/__init__.py

@@ -1,6 +1,7 @@
 from configs import dify_config
 
 HIDDEN_VALUE = "[__HIDDEN__]"
+UNKNOWN_VALUE = "[__UNKNOWN__]"
 UUID_NIL = "00000000-0000-0000-0000-000000000000"
 
 DEFAULT_FILE_NUMBER_LIMITS = 3

api/controllers/console/workspace/tool_providers.py

@@ -839,14 +839,6 @@ class ToolBuiltinProviderGetCredentialInfoApi(Resource):
             )
         )
 
-
-# tool oauth
-api.add_resource(ToolPluginOAuthApi, "/oauth/plugin/<path:provider>/tool/authorization-url")
-api.add_resource(ToolOAuthCallback, "/oauth/plugin/<path:provider>/tool/callback")
-
-api.add_resource(ToolOAuthCustomClient, "/workspaces/current/tool-provider/builtin/<path:provider>/oauth/custom-client")
-
-
 class ToolProviderMCPApi(Resource):
     @setup_required
     @login_required
@@ -1010,6 +1002,11 @@ class ToolMCPCallbackApi(Resource):
 # tool provider
 api.add_resource(ToolProviderListApi, "/workspaces/current/tool-providers")
 
+# tool oauth
+api.add_resource(ToolPluginOAuthApi, "/oauth/plugin/<path:provider>/tool/authorization-url")
+api.add_resource(ToolOAuthCallback, "/oauth/plugin/<path:provider>/tool/callback")
+api.add_resource(ToolOAuthCustomClient, "/workspaces/current/tool-provider/builtin/<path:provider>/oauth/custom-client")
+
 # builtin tool provider
 api.add_resource(ToolBuiltinProviderListToolsApi, "/workspaces/current/tool-provider/builtin/<path:provider>/tools")
 api.add_resource(ToolBuiltinProviderInfoApi, "/workspaces/current/tool-provider/builtin/<path:provider>/info")

api/services/tools/builtin_tools_manage_service.py

@@ -7,7 +7,7 @@ from typing import Any, Optional
 from sqlalchemy.orm import Session
 
 from configs import dify_config
-from constants import HIDDEN_VALUE
+from constants import HIDDEN_VALUE, UNKNOWN_VALUE
 from core.helper.position_helper import is_filtered
 from core.helper.provider_cache import NoOpProviderCredentialCache, ToolProviderCredentialsCache
 from core.plugin.entities.plugin import ToolProviderID
@@ -156,7 +156,7 @@ class BuiltinToolManageService:
 
                     original_credentials = encrypter.decrypt(db_provider.credentials)
                     new_credentials: dict = {
-                        key: value if value != HIDDEN_VALUE else original_credentials.get(key, HIDDEN_VALUE)
+                        key: value if value != HIDDEN_VALUE else original_credentials.get(key, UNKNOWN_VALUE)
                         for key, value in credentials.items()
                     }
 
@@ -683,7 +683,12 @@ class BuiltinToolManageService:
                     config=[x.to_basic_provider_config() for x in provider_controller.get_oauth_client_schema()],
                     cache=NoOpProviderCredentialCache(),
                 )
-                custom_client_params.encrypted_oauth_params = json.dumps(encrypter.encrypt(client_params))
+                original_params = encrypter.decrypt(custom_client_params.oauth_params)
+                new_params: dict = {
+                    key: value if value != HIDDEN_VALUE else original_params.get(key, UNKNOWN_VALUE)
+                    for key, value in client_params.items()
+                }
+                custom_client_params.encrypted_oauth_params = json.dumps(encrypter.encrypt(new_params))
 
             if enable_oauth_custom_client is not None:
                 custom_client_params.enabled = enable_oauth_custom_client