85 lines
3.0 KiB
TypeScript
85 lines
3.0 KiB
TypeScript
|
import { expect, tap } from '@git.zone/tstest/tapbundle';
|
||
|
|
import * as npmextra from '../ts/index.js';
|
||
|
|
|
||
|
|
// Test that sensitive values are properly redacted in logs
|
||
|
|
tap.test('should redact sensitive values in console output', async () => {
|
||
|
|
// Capture console.log output
|
||
|
|
const originalLog = console.log;
|
||
|
|
const logOutput: string[] = [];
|
||
|
|
console.log = (...args: any[]) => {
|
||
|
|
logOutput.push(args.join(' '));
|
||
|
|
};
|
||
|
|
|
||
|
|
try {
|
||
|
|
// Set up environment variables with sensitive data
|
||
|
|
process.env['API_KEY'] = 'super-secret-api-key-12345';
|
||
|
|
process.env['DATABASE_PASSWORD'] = 'myP@ssw0rd123';
|
||
|
|
process.env['AUTH_TOKEN'] = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ';
|
||
|
|
process.env['PUBLIC_URL'] = 'https://example.com';
|
||
|
|
process.env['DEBUG_MODE'] = 'true';
|
||
|
|
|
||
|
|
// Create AppData with sensitive environment mappings
|
||
|
|
const appData = await npmextra.AppData.createAndInit({
|
||
|
|
ephemeral: true,
|
||
|
|
envMapping: {
|
||
|
|
apiKey: 'API_KEY',
|
||
|
|
dbPassword: 'DATABASE_PASSWORD',
|
||
|
|
authToken: 'AUTH_TOKEN',
|
||
|
|
publicUrl: 'PUBLIC_URL',
|
||
|
|
debugMode: 'boolean:DEBUG_MODE',
|
||
|
|
nestedConfig: {
|
||
|
|
secretKey: 'API_KEY',
|
||
|
|
nonSecret: 'PUBLIC_URL'
|
||
|
|
}
|
||
|
|
}
|
||
|
|
});
|
||
|
|
|
||
|
|
// Restore console.log
|
||
|
|
console.log = originalLog;
|
||
|
|
|
||
|
|
// Check that sensitive values were redacted in logs
|
||
|
|
const combinedOutput = logOutput.join('\n');
|
||
|
|
|
||
|
|
// API_KEY should be redacted
|
||
|
|
expect(combinedOutput).toContain('sup...[26 chars]');
|
||
|
|
expect(combinedOutput).not.toContain('super-secret-api-key-12345');
|
||
|
|
|
||
|
|
// DATABASE_PASSWORD should be redacted
|
||
|
|
expect(combinedOutput).toContain('myP...[13 chars]');
|
||
|
|
expect(combinedOutput).not.toContain('myP@ssw0rd123');
|
||
|
|
|
||
|
|
// AUTH_TOKEN should be redacted (JWT tokens starting with eyJ)
|
||
|
|
expect(combinedOutput).toContain('eyJ...[');
|
||
|
|
expect(combinedOutput).not.toContain('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9');
|
||
|
|
|
||
|
|
// PUBLIC_URL should not be redacted (not sensitive)
|
||
|
|
expect(combinedOutput).toContain('https://example.com');
|
||
|
|
|
||
|
|
// DEBUG_MODE should not be redacted (not sensitive)
|
||
|
|
expect(combinedOutput).toContain('true');
|
||
|
|
|
||
|
|
// Verify data is still stored correctly (not redacted in actual storage)
|
||
|
|
const kvStore = await appData.getKvStore();
|
||
|
|
const apiKey = await kvStore.readKey('apiKey');
|
||
|
|
const dbPassword = await kvStore.readKey('dbPassword');
|
||
|
|
const publicUrl = await kvStore.readKey('publicUrl');
|
||
|
|
|
||
|
|
// Actual values should be stored correctly
|
||
|
|
expect(apiKey).toEqual('super-secret-api-key-12345');
|
||
|
|
expect(dbPassword).toEqual('myP@ssw0rd123');
|
||
|
|
expect(publicUrl).toEqual('https://example.com');
|
||
|
|
|
||
|
|
} finally {
|
||
|
|
// Restore console.log in case of test failure
|
||
|
|
console.log = originalLog;
|
||
|
|
|
||
|
|
// Clean up environment variables
|
||
|
|
delete process.env['API_KEY'];
|
||
|
|
delete process.env['DATABASE_PASSWORD'];
|
||
|
|
delete process.env['AUTH_TOKEN'];
|
||
|
|
delete process.env['PUBLIC_URL'];
|
||
|
|
delete process.env['DEBUG_MODE'];
|
||
|
|
}
|
||
|
|
});
|
||
|
|
|
||
|
|
export default tap.start();
|