Description
I am working on refactoring our code and moving from v1 to v2. I updated the karate-config.js file with the new logger configuration:
Ex:
var logLevel = karate.properties['karate.console.log.level'] || 'debug';
karate.configure('logging', {
  pretty: true,
  report: logLevel,
  console: logLevel,
  mask: {
    headers: [
      'Authorization', 'authorization',
      'Cookie', 'cookie',
      'X-Token-Auth', 'x-token-auth',
      'client_id', 'client-secret', 'client_secret'
    ],
    jsonPaths: [
      '$.password', '$..password',
      '$.client_id', '$..client_id',
      '$.client_secret', '$..client_secret',
      '$.access_token', '$..access_token',
      '$.refresh_token', '$..refresh_token',
      '$.accessToken', '$..accessToken',
      '$.token', '$..token'
    ],
    patterns: [
      { regex: 'client_id["\']?\\s*:\\s*["\']?[^",\'}]+', replacement: 'client_id: "***"' },
      { regex: 'client_secret["\']?\\s*:\\s*["\']?[^",\'}]+', replacement: 'client_secret: "***"' },
      { regex: 'access_token["\']?\\s*:\\s*["\']?[^",\'}]+', replacement: 'access_token: "***"' },
      { regex: 'Bearer [A-Za-z0-9._-]+', replacement: 'Bearer ***' }
    ],
    replacement: '***'
  }
});
At this point, I am trying anything to make it work but still seeing secrets in the console.
Ex:
Request:
15:33:39.774 [Test worker] TRACE karate.http - request:
1 > POST https://.......com/oauth/token
1 > Content-Type: application/json; charset=UTF-8arateRunner
1 > Host: .........com
1 > Content-Length: 211
1 > Connection: keep-alive
1 > User-Agent: Apache-HttpClient/5.6.1 (Java/21.0.11)
{
"audience": “AUDIENCE_HERE,
"grant_type": "client_credentials",
"client_id": “FULL VISIBLE ID STRING VALUE”,
"client_secret": “FULL VISIBLE SECRET STRING VALUE”
}
Here is the response:
15:33:40.333 [Test worker] TRACE karate.http - response time in milliseconds: 533
1 < 200 POST https://....com/oauth/token
1 < Transfer-Encoding: chunked
……………
1 < Content-Type: application/json
{
"access_token": “FULL VISIBLE TOKEN”,
"scope": “…”,
"expires_in": 28800,
"token_type": "Bearer"
}
Another example request:
15:33:48.808 [Test worker] TRACE karate.http - request:
1 > GET https://......./...?...=....&profileId=……..
1 > Authorization: Bearer FULL BEARER TOKEN AS VISIBLE STRING
1 > Host: ……
1 > Connection: keep-alive
1 > User-Agent: Apache-HttpClient/5.6.1 (Java/21.0.11)
Steps to Reproduce
- Set the following configuration in the karate-config.js:
karate.configure('logging', {
  pretty: true,
  report: 'trace',
  console: 'trace',
  mask: {
    headers: [
      'Authorization', 'authorization',
      'Cookie', 'cookie',
      'X-Token-Auth', 'x-token-auth',
      'client_id', 'client-secret', 'client_secret'
    ],
    jsonPaths: [
      '$.password', '$..password',
      '$.client_id', '$..client_id',
      '$.client_secret', '$..client_secret',
      '$.access_token', '$..access_token',
      '$.refresh_token', '$..refresh_token',
      '$.accessToken', '$..accessToken',
      '$.token', '$..token'
    ],
    patterns: [
      { regex: 'client_id["\']?\\s*:\\s*["\']?[^",\'}]+', replacement: 'client_id: "***"' },
      { regex: 'client_secret["\']?\\s*:\\s*["\']?[^",\'}]+', replacement: 'client_secret: "***"' },
      { regex: 'access_token["\']?\\s*:\\s*["\']?[^",\'}]+', replacement: 'access_token: "***"' },
      { regex: 'Bearer [A-Za-z0-9._-]+', replacement: 'Bearer ***' }
    ],
    replacement: '***'
  }
});
I also want to point out that before (v1), logging was set to debug and I would be able to see the request body and the response body (with the secrets masked). With v2, debug does not show the request body or the response body. It needs to be set to trace.
Expected Behavior
Secrets are masked matching the provided configuration.
Actual Behavior
No secrets are getting masked.
Karate Version
2.0.6
Java Version
21.0.11
Operating System
macOS
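Added example, not part of the original report and not Karate's own code: the `patterns` entries from the configuration above, run with plain JavaScript `RegExp` over constructed log text shaped like the traces above, to check the expressions independently of the framework. The helper names (`applyPatterns`, `hitCounts`, `leakedSecrets`), the sample values, and the use of JavaScript regex semantics are assumptions.

```javascript
// The four mask patterns, copied from the configuration in the report.
const patterns = [
  { regex: 'client_id["\']?\\s*:\\s*["\']?[^",\'}]+', replacement: 'client_id: "***"' },
  { regex: 'client_secret["\']?\\s*:\\s*["\']?[^",\'}]+', replacement: 'client_secret: "***"' },
  { regex: 'access_token["\']?\\s*:\\s*["\']?[^",\'}]+', replacement: 'access_token: "***"' },
  { regex: 'Bearer [A-Za-z0-9._-]+', replacement: 'Bearer ***' }
];

// Constructed sample: fake secrets and log text shaped like the traces above.
const SECRETS = ['id-12345', 's3cr3t-VALUE', 'eyJhbGciOi.payload.sig', 'tok.abc-DEF_123'];
const sampleLog = [
  '1 > POST https://example.test/oauth/token',
  '{',
  '  "grant_type": "client_credentials",',
  '  "client_id": "id-12345",',
  '  "client_secret": "s3cr3t-VALUE"',
  '}',
  '{ "access_token": "eyJhbGciOi.payload.sig", "token_type": "Bearer" }',
  '1 > Authorization: Bearer tok.abc-DEF_123'
].join('\n');

// Apply every rule globally, in order (assumption: JavaScript RegExp semantics).
function applyPatterns(text, rules) {
  return rules.reduce(
    (out, r) => out.replace(new RegExp(r.regex, 'g'), r.replacement), text);
}

// Number of matches per rule; a zero marks a rule that never fires on the input.
function hitCounts(text, rules) {
  return rules.map((r) => (text.match(new RegExp(r.regex, 'g')) || []).length);
}

// Secrets that still appear verbatim in the text.
function leakedSecrets(text, secrets) {
  return secrets.filter((s) => text.includes(s));
}

const masked = applyPatterns(sampleLog, patterns);
console.log(masked);
console.log('hits per rule:', hitCounts(sampleLog, patterns));
console.log('still visible:', leakedSecrets(masked, SECRETS));
```

On this sample every rule fires once and none of the constructed secrets survives, so under JavaScript regex semantics the expressions themselves match. The key/value replacements do leave the JSON line malformed (`"client_id: "***""`), because the match starts after the key's opening quote and stops before the value's closing quote.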