Capturing sensitive data : hiding the value in the report #2972

Closed
glb-cblin opened this issue Jun 27, 2024 · 11 comments · Fixed by #3538, #3630, #3631, #3636 or #3638
Labels
enhancement New feature or request topic: secret
Comments

@glb-cblin

glb-cblin commented Jun 27, 2024

I'd like to capture sensitive data in my test and I do not want it to show up in the reports

Is that possible?

Actual example

POST {{URL}}:/token
{
  "login": "{{LOGIN}}", 
  "password": "{{PASSWORD}}"
}

HTTP 200
[Captures]
access_token: jsonpath "$.access_token"

=> I do not want to be able to see this access_token in the report since it is a permanent token (yes I know, it's not correct from the server to return always the same token but I do not have the choice here ...)

I'd like to be able to do something like

access_token: jsonpath "$.access_token" hidden

@glb-cblin glb-cblin added the bug Something isn't working label Jun 27, 2024
@jcamiel
Collaborator

jcamiel commented Jun 27, 2024

Hi,
Yes, we'll support this feature: hiding secrets in logs and reports.

See #2950

@glb-cblin
Author

I'm sorry, I do not see how this is related to #2950

@jcamiel jcamiel added enhancement New feature or request topic: secret and removed bug Something isn't working labels Jun 27, 2024
@jcamiel
Collaborator

jcamiel commented Aug 9, 2024

Sorry for this, it should have been #2947

@jcamiel jcamiel added this to the 6.1.0 milestone Dec 19, 2024
@glb-cblin
Author

hi @jcamiel

thanks for the fix but I do not understand how to use it in my use case :)

I was expecting something in https://hurl.dev/docs/capturing-response.html

In #2947, there is discussion about a --secret CLI option but this is not my use case

@glb-cblin
Author

from what I can see in the MR, you implemented the --secret CLI option, but this is not my use case

my use case would be to use a "directive" during the capture

POST {{URL}}:/token
{
  "login": "{{LOGIN}}", 
  "password": "{{PASSWORD}}"
}

HTTP 200
[Captures]
access_token: secret jsonpath "$.access_token"

@jcamiel
Collaborator

jcamiel commented Dec 19, 2024

Let's say your token value is "ABCD", you can declare a secret with --secret token=ABCD and the value will be redacted from any logs and HTML reports (other reports are due to be implemented). It's not necessarily a variable (although it can be used as a variable); secrets are just a list of strings that you want to be redacted.

Note: it doesn't work if you don't know your value before running your test or if your value is dynamically constructed. Noted, I will see how to address this use case.

@glb-cblin
Author

@jcamiel yes I understand that but this is not my use case

In my use case, login and password are secrets and I can use --secret => ok

But, the API returns a 10 days long access_token, so I want to consider this captured variable also a secret (but I cannot pass it in the CLI command) => ko

@jcamiel
Collaborator

jcamiel commented Dec 20, 2024

Yes, noted, we need to address how to redact dynamic values.

@glb-cblin
Author

can you reopen this issue or do you prefer to open a new (clearer) one?

@jcamiel
Collaborator

jcamiel commented Dec 20, 2024

I will open another one, I can't unlink this one from the PR! I will put the new issue number here => #3543

@jcamiel
Collaborator

jcamiel commented Jan 24, 2025

Hi, secrets are merged on master and will be available on 6.1.0:

  • via command line with a --secret option: hurl --secret token=1234 --test *.hurl
  • via redact keyword for captured variables:

GET https://foo.com
HTTP 200
[Captures]
token: header "X-Token" redact

Secrets are redacted from HTML/JSON/JUnit reports and logs.

Feedback is welcome!
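
A check one could run in CI after a test run to confirm that no secret value, including a captured one such as the access token discussed above, survives in the generated reports or logs. This is an added example, not part of the thread and not Hurl code; the file names, report contents and token value are constructed for illustration.

```python
import base64
import html
import json
import tempfile
import urllib.parse
from pathlib import Path


def variants(secret: str) -> dict[str, str]:
    """Map each distinct string form of a secret to the name of that form."""
    forms = [
        ("raw", secret),
        ("html-escaped", html.escape(secret)),
        ("json-escaped", json.dumps(secret)[1:-1]),
        ("url-encoded", urllib.parse.quote(secret, safe="")),
        ("base64", base64.b64encode(secret.encode()).decode()),
    ]
    needles: dict[str, str] = {}
    for label, value in forms:
        needles.setdefault(value, label)  # first label wins for identical strings
    return needles


def find_leaks(report_dir: Path, secrets: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (relative file, secret name, form) for each secret found under report_dir."""
    leaks = []
    for path in sorted(p for p in report_dir.rglob("*") if p.is_file()):
        text = path.read_text(encoding="utf-8", errors="replace")
        for name, value in secrets.items():
            for needle, form in variants(value).items():
                if needle in text:
                    leaks.append((path.relative_to(report_dir).as_posix(), name, form))
    return leaks


def demo() -> list[tuple[str, str, str]]:
    """Constructed sample: a redacted JSON file and an HTML file that still leaks."""
    token = "tok&en/ABCD=="  # constructed value, not a real credential
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Both files are made up for this example; they are not Hurl's report format.
        (root / "report.json").write_text('{"captures": [{"name": "access_token", "value": "***"}]}')
        (root / "index.html").write_text("<pre>Authorization: Bearer " + html.escape(token) + "</pre>")
        return find_leaks(root, {"access_token": token})


if __name__ == "__main__":
    for file, name, form in demo():
        print(f"LEAK {name} ({form}) in {file}")
```

Searching only for the raw string would miss the HTML-escaped copy in the sample, which is why each secret is checked in several encodings.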
