docs/secrets.md
It is possible to mask out sensitive data when passing it to steps. This is important when filling password fields or sending secure keys to an API endpoint. CodeceptJS provides two approaches for masking sensitive data:
secret() Function
Wrap data in the secret function to mask sensitive values in output and logs.
For a basic string secret, wrap the value in secret():
I.fillField('password', secret('123456'))
When executed it will be printed like this:
I fill field "password" "*****"
Other Examples
I.fillField('password', secret('123456'))
I.append('password', secret('123456'))
I.type('password', secret('123456'))
For an object, such as the payload of a POST request, specify which fields should be masked:
I.sendPostRequest(
  '/login',
  secret(
    {
      name: 'davert',
      password: '123456',
    },
    'password',
  ),
)
The object created by secret is a Proxy to the object passed in. When printed, password will be replaced with ****.
⚠️ Only direct properties of the object can be masked via secret.
CodeceptJS can automatically mask sensitive data in all output (logs, steps, debug messages, errors) using configurable patterns. This feature uses the maskSensitiveData configuration option.
Enable basic masking with predefined patterns:
// codecept.conf.js
exports.config = {
  // ... other config
  maskSensitiveData: true,
}
This will mask common sensitive data patterns like:
Define your own masking patterns:
// codecept.conf.js
exports.config = {
  // ... other config
  maskSensitiveData: {
    enabled: true,
    patterns: [
      {
        name: 'Email',
        regex: /(\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b)/gi,
        mask: '[MASKED_EMAIL]',
      },
      {
        name: 'Credit Card',
        regex: /\b(?:\d{4}[- ]?){3}\d{4}\b/g,
        mask: '[MASKED_CARD]',
      },
      {
        name: 'Phone Number',
        regex: /(\+?1[-.\s]?)?\(?([0-9]{3})\)?[-.\s]?([0-9]{3})[-.\s]?([0-9]{4})/g,
        mask: '[MASKED_PHONE]',
      },
      {
        name: 'SSN',
        regex: /\b\d{3}-\d{2}-\d{4}\b/g,
        mask: '[MASKED_SSN]',
      },
    ],
  },
}
Each custom pattern object should have:
name: A descriptive name for the pattern
regex: A JavaScript regular expression to match the sensitive data
mask: The replacement string to show instead of the sensitive data
With the above configuration:
Input:
User email: [email protected]
Credit card: 4111 1111 1111 1111
Phone: +1-555-123-4567
Output:
User email: [MASKED_EMAIL]
Credit card: [MASKED_CARD]
Phone: [MASKED_PHONE]
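The check below is an added example, not part of the CodeceptJS documentation or code base: it runs constructed log lines through the four custom patterns shown above and reports any secret that survives masking. applyMasks(), findLeaks(), the sample lines and the bearerToken pattern are assumptions made for the illustration; applyMasks() applies the patterns in array order with String.replace and is not CodeceptJS's internal implementation.

```javascript
// Added example: offline check of the custom patterns from codecept.conf.js.
// applyMasks() is a stand-in (assumption), not CodeceptJS's own masking code.
// The Email TLD class is written [A-Za-z]; a | inside a class is a literal pipe.
const patterns = [
  { name: 'Email', regex: /(\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b)/gi, mask: '[MASKED_EMAIL]' },
  { name: 'Credit Card', regex: /\b(?:\d{4}[- ]?){3}\d{4}\b/g, mask: '[MASKED_CARD]' },
  { name: 'Phone Number', regex: /(\+?1[-.\s]?)?\(?([0-9]{3})\)?[-.\s]?([0-9]{3})[-.\s]?([0-9]{4})/g, mask: '[MASKED_PHONE]' },
  { name: 'SSN', regex: /\b\d{3}-\d{2}-\d{4}\b/g, mask: '[MASKED_SSN]' },
]

// Apply every pattern in array order; String.replace resets lastIndex on /g regexes.
function applyMasks(text, pats = patterns) {
  return pats.reduce((out, p) => out.replace(p.regex, p.mask), text)
}

// Constructed sample log lines, each paired with the value that must not survive.
const samples = [
  { line: 'User email: qa.user@example.test', secret: 'qa.user@example.test' },
  { line: 'Credit card: 4111 1111 1111 1111', secret: '4111 1111 1111 1111' },
  { line: 'Phone: +1-555-123-4567', secret: '555-123-4567' },
  { line: 'SSN: 123-45-6789', secret: '123-45-6789' },
  { line: 'Authorization: Bearer tok_constructed_a1b2c3d4e5', secret: 'tok_constructed_a1b2c3d4e5' },
]

// Return the samples whose secret is still visible after masking.
function findLeaks(pats = patterns) {
  return samples
    .map(s => ({ ...s, masked: applyMasks(s.line, pats) }))
    .filter(s => s.masked.includes(s.secret))
}

// Hypothetical extra pattern that closes the gap the check reports.
const bearerToken = {
  name: 'Bearer Token',
  regex: /\bBearer\s+[A-Za-z0-9._~+\/-]+=*/g,
  mask: 'Bearer [MASKED_TOKEN]',
}

for (const leak of findLeaks()) {
  console.log(`LEAK (no pattern matched): ${leak.masked}`)
}
console.log('leaks after adding bearerToken:', findLeaks([...patterns, bearerToken]).length)
```

Running a check like this before relying on a pattern set shows which secret formats in your own logs the patterns do not cover.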
Global sensitive data masking is applied to:
--debug mode)
--verbose mode)
⚠️ Direct console.log() calls in helper functions are not masked. Use CodeceptJS output functions instead.
You can use both the secret() function and global masking together. The secret() function is applied first, then global patterns are applied to the remaining output.