
Securely Masked Variables

Open Matt-McHale opened this issue 1 year ago • 5 comments

Provide a mechanism for masking variables that would not be included in the console output and in the test exports.

Current Example:

Raw Headers.
Accept: */*
User-Agent: Thunder Client (https://www.thunderclient.com)
Content-Type: application/json
client_id: {{client_id}}
client_secret: {{client_secret}}

Environment Used: Sandbox (Collection Attached)
Request Url: https://www.fakeURL.com
Method: POST
Request Headers:
{
  "client_id": "FakeClientId",
  "client_secret": "FakeClientSecret",
  "content-length": "1279",
  "accept-encoding": "gzip, deflate, br",
  "Accept": "*/*",
  "User-Agent": "Thunder Client (https://www.thunderclient.com)",
  "Content-Type": "application/json"
}

Desired

Raw Headers.
Accept: */*
User-Agent: Thunder Client (https://www.thunderclient.com)
Content-Type: application/json
client_id: {{secure:client_id}}
client_secret: {{secure:client_secret}}

Request Url: https://www.fakeURL.com
Method: POST
Request Headers:
{
  "client_id": "#############",
  "client_secret": "##############",
  "content-length": "1279",
  "accept-encoding": "gzip, deflate, br",
  "Accept": "*/*",
  "User-Agent": "Thunder Client (https://www.thunderclient.com)",
  "Content-Type": "application/json"
}

Using the Paid Version.

Matt-McHale, Jan 29 '24 17:01
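The behaviour requested in the post above, as an added example that is not part of the thread and is not Thunder Client code: headers are resolved once into a sent view and a loggable view, and only `{{secure:name}}` substitutions are masked in the loggable one. The helper names, the regular expression and the fixed-width mask are assumptions made for illustration.

```javascript
// Added illustration of the requested {{secure:name}} behaviour.
// Hypothetical helpers; this is not Thunder Client code.
const VAR = /\{\{(secure:)?([\w.-]+)\}\}/g;
const MASK = "########"; // fixed width, so the mask does not reveal the secret's length

// Resolve one template. `value` is what goes on the wire; `logged` is the copy
// for console output and exports, with {{secure:...}} substitutions masked.
function resolveTemplate(template, env) {
  const render = (mask) =>
    template.replace(VAR, (match, secure, name) => {
      if (!Object.prototype.hasOwnProperty.call(env, name)) return match; // unknown: leave as written
      return secure && mask ? MASK : String(env[name]);
    });
  return { value: render(false), logged: render(true) };
}

// Resolve every header once, keeping the sent and loggable views separate so
// the real secret never reaches the code path that writes output or reports.
function buildRequest(rawHeaders, env) {
  const sent = {};
  const logged = {};
  for (const [header, template] of Object.entries(rawHeaders)) {
    const resolved = resolveTemplate(template, env);
    sent[header] = resolved.value;
    logged[header] = resolved.logged;
  }
  return { sent, logged };
}

// Constructed sample, using the fake values from the post above.
const env = { client_id: "FakeClientId", client_secret: "FakeClientSecret" };
const rawHeaders = {
  "Content-Type": "application/json",
  client_id: "{{secure:client_id}}",
  client_secret: "{{secure:client_secret}}",
};
const demo = buildRequest(rawHeaders, env);
console.log("Request Headers:", JSON.stringify(demo.logged, null, 2));
```

This masks only header values built from templates; the same secret placed in a URL or body would need the same treatment.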

@Matt-McHale thanks for the feedback.

You can mask headers in reports from the CLI.

Example: tc --col "TestCol" --remove "client_id,client_secret"

For more info, run the command tc -h.

Can you explain the use case for masking variables in the Output window?

rangav, Jan 29 '24 20:01

A similar approach would work when running in interactive mode. When the user clicks the lock button to hide/show the environment variable in the update environment screen, not only would it be hidden in the Environment UI, it would also be hidden in the output.

OUTPUT: When running from within VS Code, the user has the option to View->Output (CTRL+SHIFT+U) and select Thunder Client as the source of the output.

The output displayed includes the header information (which exposes these values to the user).

Additionally, when the user chooses to Run All requests in a collection and export the results as HTML or JSON, the request headers include these secret values.

Currently these values are set as variables within the global environment and are not exposed via collection, environment, or request exports.

Matt-McHale, Jan 29 '24 21:01

Why do you need to mask variables in the Output window?

This data is only visible to you, right?

Most users want to see the actual values sent in the request in the console output.

rangav, Jan 30 '24 09:01

Highest priority is in the run collection export.

The Output window is advantageous because the secrets are populated by a pre-run script that retrieves the values from secured storage (where the user's Active Directory credentials are used to validate the user). While I know just masking the credentials doesn't completely secure them, it is a step in the right direction.

Matt-McHale, Jan 30 '24 13:01

Thanks, got it.

You can mask headers in reports from the CLI.

Example: tc --col "TestCol" --remove "client_id,client_secret" --report "cli,json,html"

For more info, run the command tc -h.

Please test the above and let me know if you have any issues.

rangav, Jan 30 '24 13:01