feat: Add secret redaction via TEST_SERVER_SECRETS#4
Conversation
internal/store/store.go
Outdated
| } | ||
|
|
||
| // Redact replaces occurrences of specified secrets in the response. | ||
| func (r *RecordedResponse) Redact(secrets []string) { |
There was a problem hiding this comment.
This seems similar to the Redact() defined above for the request. Any chance for code deduplication?
There was a problem hiding this comment.
Good point, I moved the redaction logic to its own object.
| } | ||
|
|
||
| recordedRequest.RedactHeaders(r.config.RedactRequestHeaders) | ||
| r.redactor.Headers(recordedRequest.Header) |
There was a problem hiding this comment.
are line 104 and 106 duplicate?
There was a problem hiding this comment.
Good catch, the previous line here was actually redacting headers by key, fixed.
| expectedHeaders http.Header | ||
| }{ | ||
| { | ||
| name: "Redact secret in single header value", |
There was a problem hiding this comment.
does it support redact by header keys?
There was a problem hiding this comment.
Headers by key are redacted by request/response.RedactHeaders.
Since this object is one per server, while the redacted headers are one list per endpoint it doesn't help much to do it in redactor object.
The secrets list is one per server so it fits here.
This commit introduces a new feature to redact sensitive information from recorded requests and responses based on a list of secrets provided via the environment variable. Secrets specified in (comma-separated) will be replaced with REDACTED in the request path, headers, and body during both recording and replaying. This redaction happens before the request checksum is computed, ensuring that recordings with secrets can still be replayed correctly.
3 participants
This commit introduces a new feature to redact sensitive information from recorded requests and responses based on a list of secrets provided via the environment variable.
Secrets specified in (comma-separated) will be replaced with REDACTED in the request path, headers, and body during both recording and replaying. This redaction happens before the request checksum is computed, ensuring that recordings with secrets can still be replayed correctly.