-
I think the feature should be baked in to filter common (basic/bearer) credentials out by default in the captured response, and we should give a clear message if people want to have them included. For me, that the credentials were included was a surprise. The reasoning is: it's now too easy for a novice to check credentials into the repo by accident. As a result you need to scrub and rewrite the git repo, or in case of a breach get them exposed. I think most of the users will generate this data against a real API with real credentials. The counter argument is that people should know about this, that recording is sensitive, which I agree with. But any breach prevented by having sane defaults saves people from silly accidents.
-
Let's talk about why this is difficult:
The only way I see this being reasonably done is by encrypting recordings as needed like
-
We're handling this by (a) filtering out Authorization header contents, and (b) using a custom header matcher that pays attention to everything except "Authorization". Note that we're using

[edit] Updating this sample to include the way we filter out env-configured API keys, because that feels useful too. :D

```ruby
VCR.configure do |config|
  # keep api keys out of recordings. we find names from what's in the environment,
  # but also (since CI probably doesn't have all (or any) of those configured) from
  # .env.default, which defines the things that a live environment is expected to
  # see, and which therefore is useful in predicting what our specs will be working with
  env_var_names_to_filter = ENV.keys.select { |key| key.end_with?('_KEY') }
  # the lookahead anchors on the "=" so a line like FOO_KEY_ID=... is not
  # truncated to FOO_KEY; ^ already matches at every line start in Ruby
  env_var_names_to_filter += File.read(Rails.root.join('.env.default')).scan(/^\w+_KEY(?==)/)
  env_var_names_to_filter.uniq.each do |key|
    # keeping this lookup dynamic to allow ENV to change across tests
    config.filter_sensitive_data("PLACEHOLDER_#{key}") { ENV[key] }
  end

  # assume authorization headers are sensitive
  config.filter_sensitive_data('PLACEHOLDER_AUTHORIZATION') do |interaction|
    next unless interaction.request.headers['Authorization']
    interaction.request.headers['Authorization'][0]
  end

  # a custom request matcher that looks at all headers *except* Authorization,
  # because we're filtering out the content of that header, which means
  # we can't use that header for matching
  headers_without_authorization = lambda do |request_1, request_2|
    request_1.headers.except('Authorization') == request_2.headers.except('Authorization')
  end

  config.default_cassette_options = {
    match_requests_on: [
      :method,
      :uri,
      :body,
      headers_without_authorization,
    ],
  }
end
```
-
Hi everyone 👋
I'm having trouble setting up VCR for APIs that require basic authentication credentials in the URI:
I don't think it's currently possible, but I might be wrong. These are my attempts:
Doesn't work the 2nd time around when playing it back.
Then I tried this:
Same thing... it wants to send the proper request, but the recorded cassette has `username:password` in it, so VCR raises the well-known error:
Are there any plans for this feature? There was an issue a while back that was addressing this topic: #201
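Added example, written for this page and not taken from any participant in the thread or from the VCR gem: a stdlib-only model of what a basic-auth-in-URI cassette needs, so the question above can be tried offline. It scrubs `user:pass@` out of the request URI and blanks the `Authorization` header before the interaction would be written, then matches a live request against the scrubbed cassette on method, host, path and query only, which is the same idea as using VCR's built-in `:host`, `:path` and `:query` matchers in place of `:uri`. The module name `CassetteScrub`, the placeholder strings, the `leaks` audit helper and the sample cassette are all assumptions made for this example; the cassette mirrors VCR's YAML layout but is constructed, not recorded.

```ruby
# Added example (not from the thread, not VCR's code): scrub basic-auth
# credentials from a cassette and match on playback without them.
require "uri"
require "yaml"

module CassetteScrub
  AUTH_PLACEHOLDER = "<AUTHORIZATION>"   # placeholder names are assumptions
  USER_PLACEHOLDER = "FILTERED_USER"
  PASS_PLACEHOLDER = "FILTERED_PASSWORD"

  # Constructed sample in VCR's cassette layout; not a real recording.
  SAMPLE_CASSETTE = <<~YAML
    ---
    http_interactions:
    - request:
        method: get
        uri: https://user:secret@api.example.com/v1/me?fields=id
        body:
          encoding: UTF-8
          string: ''
        headers:
          Authorization:
          - Basic dXNlcjpzZWNyZXQ=
          Accept:
          - application/json
      response:
        status:
          code: 200
        body:
          encoding: UTF-8
          string: '{"id": 42}'
      recorded_at: Tue, 01 Jan 2019 00:00:00 GMT
  YAML

  # Replace user:pass@ with placeholders; host, path and query stay intact so
  # a matcher can still identify the request on playback.
  def self.scrub_uri(uri_string)
    uri = URI.parse(uri_string)
    return uri_string unless uri.userinfo
    uri.user = USER_PLACEHOLDER
    uri.password = PASS_PLACEHOLDER
    uri.to_s
  end

  # Scrub one interaction hash in place. VCR stores header values as arrays.
  def self.scrub_interaction!(interaction)
    req = interaction["request"]
    req["uri"] = scrub_uri(req["uri"])
    headers = req["headers"] || {}
    headers.keys.each do |name|
      headers[name] = [AUTH_PLACEHOLDER] if name.casecmp?("Authorization")
    end
    interaction
  end

  def self.scrub_cassette!(cassette)
    cassette["http_interactions"].each { |i| scrub_interaction!(i) }
    cassette
  end

  # Matcher with the effect of VCR's :method + :host + :path + :query:
  # userinfo is ignored, so a placeholder in the cassette matches live creds.
  def self.same_request_ignoring_userinfo?(req_a, req_b)
    a = URI.parse(req_a["uri"])
    b = URI.parse(req_b["uri"])
    req_a["method"] == req_b["method"] &&
      a.scheme == b.scheme && a.host == b.host && a.port == b.port &&
      a.path == b.path && a.query == b.query
  end

  # Audit: every [interaction index, field path] where a secret, or its
  # Basic-auth base64 form, still appears. Pass "user:pass" as one secret so
  # the base64 form in the Authorization header is caught as well.
  def self.leaks(cassette, secrets)
    needles = secrets.flat_map { |s| [s, [s].pack("m0")] }
    found = []
    cassette["http_interactions"].each_with_index do |interaction, idx|
      walk(interaction) do |path, value|
        next unless value.is_a?(String)
        found << [idx, path] if needles.any? { |n| value.include?(n) }
      end
    end
    found
  end

  def self.walk(node, path = [], &block)
    case node
    when Hash  then node.each { |k, v| walk(v, path + [k.to_s], &block) }
    when Array then node.each_with_index { |v, i| walk(v, path + [i.to_s], &block) }
    else yield path.join("."), node
    end
  end

  # Record-then-playback round trip on the sample cassette.
  def self.demo
    cassette = YAML.safe_load(SAMPLE_CASSETTE)
    secrets  = ["user:secret", "secret"]
    before   = leaks(cassette, secrets)
    scrub_cassette!(cassette)
    recorded = cassette["http_interactions"][0]["request"]
    live = { "method" => "get",
             "uri" => "https://user:secret@api.example.com/v1/me?fields=id" }
    {
      leaks_before: before,
      leaks_after: leaks(cassette, secrets),
      scrubbed_uri: recorded["uri"],
      exact_uri_matches: live["uri"] == recorded["uri"],   # the mismatch in the post
      playback_matches: same_request_ignoring_userinfo?(live, recorded)
    }
  end
end

puts CassetteScrub.demo.inspect if $PROGRAM_NAME == __FILE__
```

Run it directly to see the audit before and after scrubbing. `exact_uri_matches` comes out false, which is the mismatch behind the error described in the post; `playback_matches` is true once userinfo is ignored. The same `leaks` walk, run over the cassette directory in CI with the credentials from the environment as needles, is a cheap guard against the accidental check-in the first comment is worried about.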