Please add support for log: false so that passwords are not displayed in clear text

[michael-schantin]

When using cy.request there is a parameter log: false, with which the command (and thus the password) are no longer displayed in the Test Runner. If I replace cy.request with cy.api, log: false is ignored and the user can read the password in plain text.

Example:

    cy.request({
        method: "POST",
        url: getOrchestrationLayerPrefixUrlBasedOnBaseUrl() + urls.LOGIN,
        body: {
            username: Cypress.env("AUTOMATED_TESTS_USERNAME1"),
            password: Cypress.env("AUTOMATED_TESTS_PASSWORD1"),
        },
        log: false,
    })

    cy.api{
        method: "POST",
        url: getOrchestrationLayerPrefixUrlBasedOnBaseUrl() + urls.LOGIN,
        body: {
            username: Cypress.env("AUTOMATED_TESTS_USERNAME1"),
            password: Cypress.env("AUTOMATED_TESTS_PASSWORD1"),
        },
        log: false,
    })

[filiphric]

Thanks for the report. I’m wondering here. what would happen when you pass {log: false} to cy.api() command? should it anonymize the username and password fields? should it hide Body tab altogether? should you be able to anonymize your data by doing something like:

cy.api({
  method: 'POST',
  url: '/',
  body: {
    username: Cypress.env('username'),
    password: Cypress.env('password')
  },
  anonymize: [username, password]
})

hit me with suggestions

[michael-schantin]

To make it consistent to cy.request the suggestion would be to hide the body completely.

[filiphric]

I’m wondering, would using hideCredentials option for this be a solution? I’m going to support password and usename by fixinf #54

[filiphric]

with version 2, the plugin does not show the information you shown on the screenshot anymore. you can see the body in the UI view, as well as in browser console details. if you want to hide it from UI view, you can use the hideCredentials flag. this will hide authorization, password and username fields from headers view

[michael-schantin]

Hi Filip. I have now installed 2.3.3 and use { env: { hideCredentials: true } }. The bearer in my GET method is now hidden. However, in the POST method username and password are not yet hidden. My code:

import { urls } from "cypress/support/constants";

const loginUrl = "https://<URL>/v2/login";

describe("Verify that the delivery address can be queried", () => {
    it(
        "Verify that the delivery address can be queried",
        { env: { hideCredentials: true } },
        () => {
            cy.api({
                method: "POST",
                url: loginUrl,
                body: {
                    username: Cypress.env("AUTOMATED_TESTS_USERNAME1"),
                    password: Cypress.env("AUTOMATED_TESTS_PASSWORD1"),
                },
            }).then((response) => {
                Cypress.env("token", response.body.token.accessToken);
                cy.wait(2000);
                cy.api({
                    method: "GET",
                    url: urls.ADDRESS_DELIVERY_PRD,
                    auth: {
                        bearer: Cypress.env("token"),
                    },
                }).then(() => {
                    // expect(response.body.length).to.equal(2);
                });
            });
        }
    );
});

[filiphric]

ah, that might be because I only hide headers, not body. I’m thinking it might make more sense if the hiding of credentials would be configurable.

[filiphric]

I’m releasing the feature to hide custom properties with #62 enjoy!

[michael-schantin]

Tested successfully. Using the options in cypress.config.ts:

        env: {
            hideCredentials: true,
            hideCredentialsOptions: {
                headers: ["Authorization"],
                body: ["username", "password"],
            },
        },