AnWeber / httpbook

Quickly and easily send REST, Soap, GraphQL, GRPC, MQTT and WebSocket requests directly within Visual Studio Code
https://httpyac.github.io/
MIT License

Mask Input Passwords in Active Session #111

Closed rafaelhoff closed 5 months ago

rafaelhoff commented 5 months ago

hi @AnWeber

Thanks for httpbook. It's an amazing extension for VSCode. There's one issue that I am not sure is related to this repo or to another one.

If I use Input Variables as Password, like:

@query = {{$password input app? $value: foo}}
GET https://httpbin.org/json?q={{query}}

This works fine. Once a request is sent, then the password is cached as active session in the whole .http file. The problem is that if I want to take a look in the active session, then the password is displayed as plain text.

Is there a possibility to mask the cached inputs that are marked as passwords?

Thanks Rafael

AnWeber commented 5 months ago

In principle, I agree with you that passwords should not be displayed in plain text. But I am faced with a problem here. The only place where I store the password is the SessionStore, where I no longer display the password (after the next release). The assignment to the variable is done by yourself and is then beyond my control. I would have to implement the JavaScript interpretation myself and keep track of where the password is stored (variables, request, ...). That does not work. You could also use the password inline and thus bypass the variable:

GET https://httpbin.org/json?q={{$password input app? $value: foo}}

Another trick would be to delete the variable yourself.

@query = {{$password input app? $value: foo}}
GET https://httpbin.org/json?q={{query}}

{{
  delete this.query;
}}

In both cases, however, the password is still in the memory, as it is still stored in the SessionStore and is also attached to the request. The only trick to be safe is to use httpyac.reset. This way I really throw away all stores. Probably not a good answer either. But I would be happy to receive suggestions on how to handle secrets better. The relatively unrestricted approach to implementation makes it relatively difficult to track usage.
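One approach to the masking problem discussed in this thread, as an added example that is not httpyac's code: wrap password inputs in a value type that interpolates normally into a request but redacts itself whenever it is serialised for display, so copies of the variable stay masked without tracking where they went. `SecretValue`, `createSessionStore` and the sample values are hypothetical.

```javascript
// Hypothetical design (not httpyac's implementation): mark password inputs as
// secrets at the moment they are captured, so any later display of the session
// store can redact them without knowing which variables they were copied to.
const REDACTED = '***';

class SecretValue {
  #value;
  constructor(value) { this.#value = value; }
  // Interpolation into a request needs the real value.
  reveal() { return this.#value; }
  // String coercion (e.g. {{query}} inside a URL) also yields the real value.
  toString() { return this.#value; }
  // Serialisation for display (JSON, logs, session view) never leaks it.
  toJSON() { return REDACTED; }
}

// Hypothetical session store holding variables captured from user input.
function createSessionStore() {
  const vars = {};
  return {
    // Inputs flagged as passwords are stored wrapped; everything else as-is.
    setInput(name, value, { password = false } = {}) {
      vars[name] = password ? new SecretValue(value) : value;
    },
    // Callers that build the request get the plain value.
    get(name) {
      const v = vars[name];
      return v instanceof SecretValue ? v.reveal() : v;
    },
    // View used by an "active session" panel: secrets masked via toJSON().
    display() {
      return JSON.parse(JSON.stringify(vars));
    },
    // Equivalent of httpyac.reset for this store: drop everything.
    reset() { for (const k of Object.keys(vars)) delete vars[k]; },
  };
}

// Constructed demo mirroring the issue's example (values are made up).
const store = createSessionStore();
store.setInput('query', 'hunter2', { password: true });
store.setInput('app', 'httpbin');
const url = `https://httpbin.org/json?q=${store.get('query')}`;
```

The real value still lives in memory until `reset()`, matching the caveat above; the wrapper only prevents accidental display.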