🏠 Overview ✅ Implementation Tasks ✅ epic-external-system-integration-configuration-admin-ui-task-002

Credential Management Form with masked inputs

epic-external-system-integration-configuration-admin-ui-task-002 — Implement the Credential Management Form widget with masked input fields for API keys, client secrets, and passwords. Include show/hide toggle per field, a connection-test trigger button that calls the validation backend, and inline error display for failed connection tests.

critical priority medium complexity frontend pending frontend specialist Tier 1

Acceptance Criteria

Each credential field renders as a masked input (obscureText: true) by default with a show/hide icon button on the trailing edge
Toggling show/hide per field works independently — revealing one field does not affect others
Pre-existing saved credentials load as placeholder dots ('••••••••') not as the actual value; the actual value is never sent to the client unless the user explicitly requests reveal (for security, re-fetch on demand or store only hashes)
A 'Test Connection' button is present and disabled while any required credential field is empty
Tapping 'Test Connection' calls the Supabase Edge Function `validate-integration-credentials` with the current form values and shows a loading indicator
On successful connection test, a green success banner with the message 'Connection successful' is shown
On failure, a red inline error block shows the specific error reason (e.g., 'Invalid API key', 'Endpoint unreachable') returned by the backend
Form validates all required fields before enabling the Save button; validation errors are shown inline below each field
Saved credentials are encrypted at rest via Supabase Vault or equivalent — plaintext is never stored in the main database table
The form is accessible: all password fields have correct Semantics (isObscured flag), show/hide buttons have descriptive labels, and the form is navigable by keyboard/screen reader
Unsaved changes prompt a confirmation dialog when the user attempts to navigate away

Technical Requirements

frameworks
Flutter
BLoC
Riverpod
apis
Supabase Edge Function — validate-integration-credentials
Supabase Vault API — for encrypted credential storage
Supabase REST API — integration_configurations table (credential_ref field)
data models
IntegrationCredentials
IntegrationConfiguration
ConnectionTestResult
performance requirements
Connection test must show loading state within 100ms of button tap
Connection test timeout of 15 seconds with user-facing timeout error message
security requirements
Credentials must never be logged or included in crash reports — use `debugFillProperties` overrides to mask sensitive fields
All credential writes must go through Supabase Vault; never store plaintext secrets in the integrations table
Only admin-role users may access this form — enforce via RLS and route guard
Show/hide toggle must not persist reveal state across screen navigations
Auto-lock revealed fields after 30 seconds of inactivity
ui components
CredentialManagementForm (stateful widget)
MaskedCredentialField (reusable with show/hide toggle)
ConnectionTestButton
ConnectionTestResultBanner (success/error states)
UnsavedChangesDialog
AppTextField (design system)
AppButton (design system)

Execution Context

Execution Tier
Tier 1

Tier 1 - 540 tasks

Can start after Tier 0 completes

Integration Task

Handles integration between different epics or system components. Requires coordination across multiple development streams.

Implementation Notes

Create a reusable `MaskedCredentialField` widget that accepts a `label`, `controller`, `isRequired`, and an optional `onRevealRequested` callback that triggers a re-fetch of the actual credential value from Supabase Vault. This avoids ever sending the credential to the client on initial page load. For the obscureText toggle, use a `ValueNotifier` per field to prevent unnecessary full-form rebuilds. Model the form state in a dedicated `CredentialFormBloc` or Riverpod `StateNotifier` with events: `FieldChanged`, `TestConnectionRequested`, `SaveRequested`, `NavigateAwayRequested`.

The connection test should be non-blocking: the user can continue editing other fields while the test runs. Use a `StreamSubscription` or Riverpod `FutureProvider` to handle the async test result. Ensure the `ConnectionTestResult` model contains a human-readable `errorMessage` field from the backend — do not expose raw HTTP status codes to the user.

Testing Requirements

Write flutter_test widget tests for: (1) fields render as masked by default, (2) show/hide toggle works per-field independently, (3) Test Connection button is disabled when required fields are empty, (4) success banner appears on mock success response, (5) error banner with message appears on mock failure response, (6) unsaved-changes dialog appears on back navigation. Write security-focused tests asserting that sensitive field values are not present in widget tree Semantics labels in unmasked form. Mock Supabase Edge Function calls with both success and error response fixtures. Test connection timeout scenario with a delayed mock returning an error.

Component
Credential Management Form
ui medium
Dependencies (1)
Build the Sync Schedule Configuration panel widget allowing administrators to select sync frequency (hourly, daily, weekly, custom cron), configure time-of-day for scheduled runs, and trigger manual sync operations. Use Design System v3 dark-mode sidebar layout with unified entity color system. epic-external-system-integration-configuration-admin-ui-task-001
Epic Risks (4)
medium impact high prob technical

The multi-step Integration Setup Wizard must render different credential fields, field mapping targets, and validation rules depending on the selected integration type. If the type-specific branching logic is implemented as conditional widget trees rather than driven by the Integration Type Registry, the wizard becomes unmaintainable and adding new integration types requires UI code changes.

Mitigation & Contingency

Mitigation: Design the wizard to be metadata-driven from the Integration Type Registry from day one. Credential form fields, required field validation, and mapping target lists are all fetched from the registry, not hardcoded in widgets. Implement one integration type end-to-end first (Xledger) to validate the pattern before building the others.

Contingency: If the metadata-driven approach proves too complex for the initial delivery, implement Xledger and Dynamics as hardcoded wizard variants and create a registry-driven refactor as a follow-up technical debt ticket with a fixed deadline.

medium impact medium prob dependency

The Excluded Features Configuration Panel must wire directly into the feature flag system to suppress HLF app features. If the feature flag system does not yet expose a writable admin interface, this panel cannot save its configuration, blocking the HLF-specific acceptance criteria.

Mitigation & Contingency

Mitigation: Verify that the Organization-scoped Feature Flags feature (a declared dependency) exposes a Dart API for programmatic flag writes before starting this panel. Coordinate with the feature flags team to ensure the write API is available. If needed, schedule this panel as the last item in the epic.

Contingency: If the feature flag write API is unavailable at implementation time, store excluded features in the integration's JSONB settings column and wire them into a local feature flag provider that merges database state with the standard flag system at app startup.

high impact medium prob scope

The Field Mapping Editor's usability for non-technical org admins is high-risk. If the visual mapping interface is confusing, admins will configure incorrect mappings that cause silent data corruption in accounting exports — a serious financial risk discovered only at month-end reconciliation.

Mitigation & Contingency

Mitigation: Conduct usability testing with at least one admin user from Blindeforbundet on the field mapping editor prototype before full implementation. Provide descriptive labels and sample data values for all fields. Add a 'test mapping' preview that shows a transformed sample record before saving.

Contingency: If usability testing reveals the visual editor is too complex, implement a simplified list-based mapping editor (select app field → select external field, one row at a time) as a fallback, deferring the drag-and-drop visual editor to a future iteration.

medium impact medium prob technical

The Credential Management Form's masked fields and connection-test flow may conflict with screen reader requirements — VoiceOver and JAWS must be able to navigate the form, understand which fields are already configured, and receive feedback on connection test results without exposing credential values in accessible text.

Mitigation & Contingency

Mitigation: Design accessible semantics labels for masked fields (e.g., 'API key: configured, last 4 characters: abcd') from the start. Use Flutter's Semantics widget to provide screen-reader-specific text that differs from visual display. Test with VoiceOver on iOS and TalkBack on Android during development, not only at QA.

Contingency: If accessibility conflicts with security requirements for the credential form, implement a separate 'accessibility mode' flow where credential configuration is done through a separate confirmation step that provides more explicit semantic feedback without risk of value exposure.

Quick Links
All Tasks Execution Plan