Refined the token mask logic

Author: codebien

internal/cmd/cloud_login.go

@@ -210,11 +210,7 @@ func printConfig(gs *state.GlobalState, cloudConf cloudapi.Config) {
 	token, stackID, stackURL, defProj := notSet, notSet, notSet, notSet
 
 	if cloudConf.Token.String != "" {
-		// If a token is set then we assume we have a valid token longer than 8 chars
-		// print the token with all the chars masked, except the first and the last four
-		unmasked := cloudConf.Token.String
-		asterisks := strings.Repeat("*", len(unmasked)-8)
-		token = unmasked[:4] + asterisks + unmasked[len(unmasked)-4:]
+		token = maskToken(cloudConf.Token.String)
 	}
 	if cloudConf.StackID.Valid {
 		stackID = strconv.FormatInt(cloudConf.StackID.Int64, 10)
@@ -233,6 +229,22 @@ func printConfig(gs *state.GlobalState, cloudConf cloudapi.Config) {
 	printToStdout(gs, fmt.Sprintf("  default-project-id: %s\n", valueColor.Sprint(defProj)))
 }
 
+func maskToken(unmasked string) string {
+	if len(unmasked) < 1 {
+		return ""
+	}
+	// Require at least 4 asterisks in the middle to give a meaningful visual hint.
+	// Any token shorter than 12 chars would produce fewer, so mask it entirely.
+	if len(unmasked) < 12 {
+		return strings.Repeat("*", len(unmasked))
+	}
+	// We try to have a good DX here.
+	// A valid Cloud token should be 12+ chars, so it prints the token with all
+	// the chars masked, except the first and the last four.
+	asterisks := strings.Repeat("*", len(unmasked)-8)
+	return unmasked[:4] + asterisks + unmasked[len(unmasked)-4:]
+}
+
 // tokenAuthentication validates a token and a stack
 // and update the config with the given inputs
 func authenticateUserToken(

internal/cmd/cloud_login_test.go

@@ -0,0 +1,98 @@
+package cmd
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"gopkg.in/guregu/null.v3"
+
+	"go.k6.io/k6/cloudapi"
+	"go.k6.io/k6/internal/cmd/tests"
+)
+
+func TestMaskToken(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name     string
+		token    string
+		expected string
+	}{
+		{
+			name:     "empty string returns empty string",
+			token:    "",
+			expected: "",
+		},
+		{
+			name:     "single character is fully masked",
+			token:    "a",
+			expected: "*",
+		},
+		{
+			name:     "four characters are fully masked",
+			token:    "abcd",
+			expected: "****",
+		},
+		{
+			name:     "eleven characters are fully masked",
+			token:    "abcdefghijk",
+			expected: "***********",
+		},
+		{
+			name:     "twelve characters masks the middle four",
+			token:    "abcdefghijkl",
+			expected: "abcd****ijkl",
+		},
+		{
+			name:     "long token masks all but first and last four",
+			token:    "tok_abcdefghijklmnopqrstuvwxyz1234",
+			expected: "tok_" + strings.Repeat("*", 26) + "1234",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			got := maskToken(tc.token)
+			assert.Equal(t, tc.expected, got)
+		})
+	}
+}
+
+func TestPrintConfigTokenOutput(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name     string
+		token    string
+		expected string
+	}{
+		{
+			name:     "unset token shows not set placeholder",
+			token:    "",
+			expected: "<not set>",
+		},
+		{
+			name:     "token masked",
+			token:    "abcdefghijkl",
+			expected: "abcd****ijkl",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			ts := tests.NewGlobalTestState(t)
+			conf := cloudapi.Config{}
+			if tc.token != "" {
+				conf.Token = null.StringFrom(tc.token)
+			}
+
+			printConfig(ts.GlobalState, conf)
+			assert.Contains(t, ts.Stdout.String(), "  token: "+tc.expected)
+		})
+	}
+}

internal/cmd/tests/cmd_cloud_login_test.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"net/http"
 	"net/http/httptest"
+	"strings"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -37,7 +38,7 @@ func TestCloudLoginWithArgs(t *testing.T) {
 			wantErr: false,
 			wantStdoutContains: []string{
 				"Logged in successfully",
-				fmt.Sprintf("token: %s", "vali***oken"),
+				fmt.Sprintf("token: %s", strings.Repeat("*", 11)),
 				fmt.Sprintf("stack-id: %d", validStackID),
 				fmt.Sprintf("stack-url: %s", validStackURL),
 				fmt.Sprintf("default-project-id: %d", defaultProjectID),