Hide password values from raw HTTP logs.

[dikwickley]

This is a supposed fix for #3935

So as explained in the issue (#3935 (comment)) there is no straightforward way to do this.
But here is something that works.

So basically there is called Modifier keys in Selenium webdriver and there is one that we can use, Key.NULL
https://github.com/SeleniumHQ/selenium/blob/da62a402d0565dd2dda2ced71cf74965caa4391c/javascript/node/selenium-webdriver/lib/webdriver.js#L2644-L2646

Passing this key along without string DOES NOT affect the actual string that is sent to textbox, but comes as a
 or ('\uE000') special Unicode character in the final response after executing the command on selenium.

I check for this character in the data, and any data containing this is flagged to be redacted.

Other potential solution (garg3133)

We could potentially also achieve this by adding a static variable to HttpRequest class (lib/http/request.js) and setting/unsetting it just before and after running element.sendKeys() command for .setPassword() inside method-mappings.js file. Using this static variable, we could decide at the time of logging of request whether or not to redact the request data.

Instead of creating a separate static variable above, we could also call HttpRequest.updateGlobalSettings({redact: true}); just before and after element.sendKeys() command to set this.httpOpts.redact in the request.js file, and then use this option at the time of logging of request to decide whether or not to redact the request data.

[github-actions]

Status

• ❌ No modified files found in the types directory.
  Please make sure to include types for any changes you have made. Thank you!.

[garg3133]

This is actually a good idea.

A few thoughts:

• If we just check for the presence of NULL key in the data, there will be many false positives (since NULL will be used by the people while using modifier keys). To get around this, I was earlier thinking of adding a pattern of keys to value if we want to redact it, but a better solution would be to add the NULL key at the starting of the value instead of at the end because normally users would never use a NULL key at the start. With that, just check if the value starts with a NULL key and if so, mark it for redaction.

[garg3133]

This looks good now. Just a bunch of refactoring changes.

[garg3133]

Looks good!

One last thing, we should also add a test to make sure that the final generated report does not contain the actual password but *s in rawHttpOutput. We can get the rawHttpOutput by defining a reporter function in globals config and then accessing results.modules.<moduleName>.rawHttpOutput.

See the last test case of test/src/api/commands/element/testWaitForElementNotPresent.js file for reference.

[garg3133]

There is still some scope for improvements in the tests. But I think this will make you really good at writing Nightwatch tests in the future :)

Please feel free to ask if you don't understand the reasoning behind anything.

[garg3133]

I did a few refactors myself in the PR, but the major takeaway from the refactors is that while writing mocks we should also specify how many times we want the mock to run. By default, the mock will run for indefinite times, passing true as the second argument to .addMock() makes it run only once, and for more, we can specify the times parameter in the first argument of .addMock().

But thanks a lot for this PR, this looks really great now.

[dikwickley]

Thanks @garg3133 for all the help 🙌