From c64d49ce89804287fc738a7e735809bfccb40048 Mon Sep 17 00:00:00 2001
From: Josh Hawkins <32435876+hawkeye217@users.noreply.github.com>
Date: Tue, 11 Nov 2025 07:29:28 -0600
Subject: [PATCH] mask passwords in http-flv and others where a url param is
 password

---
 web/src/utils/cameraUtil.ts | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/web/src/utils/cameraUtil.ts b/web/src/utils/cameraUtil.ts
index 24bda62a1..3a28cfe1a 100644
--- a/web/src/utils/cameraUtil.ts
+++ b/web/src/utils/cameraUtil.ts
@@ -73,12 +73,22 @@ export async function detectReolinkCamera(
 }
 
 /**
- * Mask credentials in RTSP URIs for display (e.g., rtsp://user:pass@host -> rtsp://user:••••@host)
+ * Mask credentials in RTSP URIs for display
  */
 export function maskUri(uri: string): string {
   try {
-    const match = uri.match(/rtsp:\/\/([^:]+):([^@]+)@(.+)/);
-    if (match) return `rtsp://${match[1]}:${"*".repeat(4)}@${match[3]}`;
+    // Handle RTSP URLs with user:pass@host format
+    const rtspMatch = uri.match(/rtsp:\/\/([^:]+):([^@]+)@(.+)/);
+    if (rtspMatch) {
+      return `rtsp://${rtspMatch[1]}:${"*".repeat(4)}@${rtspMatch[3]}`;
+    }
+
+    // Handle HTTP/HTTPS URLs with password query parameter
+    const urlObj = new URL(uri);
+    if (urlObj.searchParams.has("password")) {
+      urlObj.searchParams.set("password", "*".repeat(4));
+      return urlObj.toString();
+    }
   } catch (e) {
     // ignore
   }