feat(pam): view sensitive credentials/password for PAM accounts

[saifsmailbox98]

Context

Provides users with a UI to view account credentials/password with proper audit logging.

Useful for:

• Post rotation value fetching
• Using Infisical PAM as the source of truth/inventory for account passwords
• Legacy/non gateway target resources what require user connecting directly and entering the password

Screenshots

Steps to verify the change

Type

• Fix
• Feature
• Improvement
• Breaking
• Docs
• Chore

Checklist

• Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
• Tested locally
• Updated docs (if needed)
• Updated CLAUDE.md files (if needed)
• Read the contributing guide

[linear]

PAM-153 Add password view feature for accounts

[maidul98]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[greptile-apps]

Greptile Summary

This PR adds a "View Credentials" feature for PAM accounts, allowing authorized users to reveal sensitive fields (passwords, private keys) that are intentionally omitted from the sanitized account response. The implementation includes a new GET /:accountId/credentials backend endpoint with CASL ABAC permission enforcement, optional MFA gate (one-time session validated and consumed server-side), full audit logging, and a polished frontend flow with MFA popup polling, per-field visibility toggle, and copy-to-clipboard. A new ReadCredentials permission action is wired through the permission system, default roles, and the role management UI.

Key highlights:

• Permission check runs before credential decryption — authorization is correctly ordered
• MFA sessions are validated (user ownership, account binding, status) and consumed atomically, preventing replay
• The isPollingRef guard in useCredentialsReveal prevents concurrent poll iterations from double-fetching — prior concern fully addressed
• SensitiveCredentialsGate now correctly passes resourceName, accountName, and metadata to ProjectPermissionCan — prior concern fully addressed
• Minor: mfaSessionId is passed as a URL query parameter on a security-sensitive GET endpoint; low practical risk given one-time-use tokens, but it will appear in server access logs and browser history
• No user-facing documentation was added for this feature

Confidence Score: 5/5

Safe to merge; all previously flagged P1 concerns are resolved and remaining findings are P2 style/hardening suggestions

Auth, permission, and MFA logic are correctly implemented. Both remaining comments are P2: one is a hardening suggestion about mfaSessionId in a URL query param (low practical risk given one-time-use tokens), and one is a forward-looking note about hasSensitiveCredentials opt-out pattern. Neither blocks merge.

backend/src/ee/routes/v1/pam-account-routers/pam-account-router.ts (mfaSessionId as query param), backend/src/ee/services/pam-account/pam-account-fns.ts (hasSensitiveCredentials default-true)

Important Files Changed

Filename	Overview
backend/src/ee/routes/v1/pam-account-routers/pam-account-router.ts	Adds GET /:accountId/credentials endpoint with JWT auth, permission checks, and audit logging; mfaSessionId as a URL query parameter is a minor security concern
backend/src/ee/services/pam-account/pam-account-service.ts	Adds viewCredentials with CASL permission check, MFA enforcement, one-time session validation, and credential decryption — logic is solid
backend/src/ee/services/pam-account/pam-account-fns.ts	Adds hasSensitiveCredentials helper with default-true (opt-out) return; correct for existing types but fragile when adding future resource types
frontend/src/pages/pam/PamAccountByIDPage/components/useCredentialsReveal.ts	Well-structured hook with isPollingRef guard against concurrent iterations, proper cleanup on unmount, and clean MFA popup/polling flow
frontend/src/pages/pam/PamAccountByIDPage/components/SensitiveCredentialsGate.tsx	Correctly passes accountName, resourceName, and metadata to ProjectPermissionCan for proper ABAC subject matching
frontend/src/pages/pam/PamAccountByIDPage/components/PamAccountCredentialsSection.tsx	Adds SensitiveField and MultilineSensitiveField with toggle visibility and copy-to-clipboard; getSensitiveFieldDefs correctly enumerates resource types with hidden fields
backend/src/ee/services/audit-log/audit-log-types.ts	Adds PamAccountReadCredentialsEvent with accountId, accountName, resourceId, resourceType — consistent with other PAM account events
backend/src/ee/services/permission/default-roles.ts	ReadCredentials added to Admin role only — appropriate for a privileged credential-reveal action
frontend/src/pages/project/RoleDetailsBySlugPage/components/ProjectRoleModifySection.utils.tsx	Adds ReadCredentials to PamAccountPolicyActionSchema and PROJECT_PERMISSION_OBJECT with clear label and description

_{Reviews (2): Last reviewed commit: "fix: add re-entrancy guard to MFA pollin..." | Re-trigger Greptile}

[saifsmailbox98]

@greptile re-review this pr

[x032205]

@codex review this PR

[chatgpt-codex-connector]

Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits.
Credits must be used to enable repository wide code reviews.

[x032205]

Discovered account without a password throw a 500 error when clicking view password. Zod error I think where strings must be non-empty. Let's just show a front-end error that password does not exist for this account.