thunderclient / thunder-client-support

Thunder Client is a lightweight Rest API Client Extension for VS Code.
https://www.thunderclient.com

Securely Masked Variables #1468

Status: Open. Matt-McHale opened this issue 7 months ago.

Matt-McHale commented 7 months ago

Provide a mechanism for masking variables that would not be included in the console output and in the test exports.

Current Example:

Raw Headers:
Accept: */*
User-Agent: Thunder Client (https://www.thunderclient.com)
Content-Type: application/json
client_id: {{client_id}}
client_secret: {{client_secret}}

Environment Used: Sandbox (Collection Attached)
Request Url: https://www.fakeURL.com
Method: POST
Request Headers: { "client_id": "FakeClientId", "client_secret": "FakeClientSecret", "content-length": "1279", "accept-encoding": "gzip, deflate, br", "Accept": "*/*", "User-Agent": "Thunder Client (https://www.thunderclient.com)", "Content-Type": "application/json" }

Desired:

Raw Headers:
Accept: */*
User-Agent: Thunder Client (https://www.thunderclient.com)
Content-Type: application/json
client_id: {{secure:client_id}}
client_secret: {{secure:client_secret}}

Request Url: https://www.fakeURL.com
Method: POST
Request Headers: { "client_id": "#############", "client_secret": "##############", "content-length": "1279", "accept-encoding": "gzip, deflate, br", "Accept": "*/*", "User-Agent": "Thunder Client (https://www.thunderclient.com)", "Content-Type": "application/json" }

Using the Paid Version.
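The masking proposed above, as an added worked example (not Thunder Client's own code): raw header lines using the suggested `{{secure:name}}` syntax are resolved against an environment, yielding the real headers to send plus a redacted copy that is safe to write to the Output window or a run-collection export. The environment values, header lines, the `MASK` string and the rule that a secure placeholder taints the whole header value are constructed assumptions for illustration.

```javascript
// Added example, not Thunder Client code: resolve {{var}} and {{secure:var}}
// placeholders in raw request headers and produce two views of the result,
// the actual headers for the request and a redacted copy for logs/exports.

const MASK = '##############'; // assumed mask string, mirrors the issue's "####" rendering

// Constructed sample environment standing in for the global environment.
const sampleEnv = {
  client_id: 'FakeClientId',
  client_secret: 'FakeClientSecret',
};

// Constructed raw headers using the syntax proposed in the issue.
const sampleRawHeaders = [
  'Accept: */*',
  'User-Agent: Thunder Client (https://www.thunderclient.com)',
  'Content-Type: application/json',
  'client_id: {{secure:client_id}}',
  'client_secret: {{secure:client_secret}}',
];

// Matches {{name}} or {{secure:name}}; group 1 is the optional "secure:" prefix.
const PLACEHOLDER = /\{\{\s*(secure:)?([A-Za-z0-9_.-]+)\s*\}\}/g;

// Expand one header value. Returns the resolved text and whether any secure
// placeholder contributed to it; if so the whole value is treated as secret,
// so "Bearer {{secure:token}}" is masked entirely rather than partially.
// Assumption: an undefined variable is left as its literal placeholder.
function resolveValue(template, env) {
  let secure = false;
  const value = template.replace(PLACEHOLDER, (match, sec, name) => {
    if (sec) secure = true;
    return Object.prototype.hasOwnProperty.call(env, name) ? env[name] : match;
  });
  return { value, secure };
}

// Parse "Name: value" lines, resolve placeholders and build both views.
function buildHeaders(rawLines, env, mask = MASK) {
  const actual = {};
  const redacted = {};
  for (const line of rawLines) {
    const idx = line.indexOf(':');
    if (idx < 0) continue; // not a header line, skip it
    const name = line.slice(0, idx).trim();
    const { value, secure } = resolveValue(line.slice(idx + 1).trim(), env);
    actual[name] = value;          // what goes on the wire
    redacted[name] = secure ? mask : value; // what goes to Output / exports
  }
  return { actual, redacted };
}

// JSON as it would appear in a run-collection export or the Output window.
function exportView(rawLines, env) {
  return JSON.stringify(buildHeaders(rawLines, env).redacted, null, 2);
}

console.log(exportView(sampleRawHeaders, sampleEnv));
```

Only the redacted view should ever be serialised by logging or export code paths; the actual view is consumed by the request sender and discarded.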

rangav commented 7 months ago

@Matt-McHale thanks for the feedback.

You can mask headers in reports from CLI.

example: tc --col "TestCol" --remove "client_id,client_secret"

For more info, run the command tc -h.

Can you explain the use-case about masking variables in Output Window?

Matt-McHale commented 7 months ago

A similar approach would work when running in interactive mode: when the user clicks the lock button to hide/show the environment variable in the update environment screen, not only would it be hidden in the Environment UI, it would also be hidden in the output.

OUTPUT: When running from within VS Code, the user has the option to View->Output (CTRL+SHIFT+U) and select Thunder Client as the source of the output.

The output displayed includes the header information (which exposes these values to the user).

Additionally, when the user chooses to Run All requests in a collection and export the results as HTML or JSON, the request headers include these secret values.

Currently these values are set as variables within the global environment and are not exposed via collection, environment, or request exports.

rangav commented 7 months ago

Why do you need to mask variables in the Output window?

This data is only visible to you, right?

Most users want to see the actual values sent with the request in the console output.

Matt-McHale commented 7 months ago

Highest priority is in the run collection export.

The Output window is advantageous because the secrets are populated by a pre-run script that retrieves the values from secured storage (where the user's Active Directory credentials are used to validate the user). While I know just masking the credentials doesn't completely secure them, it is a step in the right direction.

rangav commented 7 months ago

Thanks, got it.

You can mask headers in reports from CLI.

example: tc --col "TestCol" --remove "client_id,client_secret" --report "cli,json,html"

For more info, run the command tc -h.

Please test above and let me know if you have any issues.