I test a web application which requires a login. Even Cypress shows sample code for testing the login screen in its documentation.
Much to my regret, they neither mention nor suggest that the password value should not be printed to the command log.
Let’s stop here and think it through for a second.
The industry has put so much effort into information and application security, so why?
It is the human being and their behaviour that is the greatest threat to security. If we are sloppy with sensitive information, we leave too many footprints.
So what’s my problem with the sample code that is in the official documentation?
// Sample from the docs: both values are typed with default logging.
cy.get('input[name=username]').type(username)
cy.get('input[name=password]').type(`${password}{enter}`)
The danger is that the password is displayed in clear text in the Cypress command log, and the command log is captured in failure screenshots, recorded videos and any recorded run you upload. Yes, this is a security risk.
You store the password as a secret, right? (Please don't say that your password value is hardcoded! It is passed in as an environment variable, right? *)
When testing a staging or production environment, the password of the test account should not be visible anywhere in the test output.
And it's not a big effort to mitigate this. Simply pass {log: false} to .type() on the password field:
// log: false suppresses the command-log entry that would show the typed characters.
cy.get('input[name=password]').type(`${password}{enter}`, {log: false})
There you go!
* Create a cypress.env.json file for local testing:
{
  "EMAIL": "<local_login_email_value>",
  "PASSWORD": "<local_login_password_value>"
}
and in the code reference the values with Cypress.env('EMAIL') and Cypress.env('PASSWORD'). Add cypress.env.json to .gitignore so the real values never land in version control. In CI, set CYPRESS_EMAIL and CYPRESS_PASSWORD as environment variables: Cypress strips the CYPRESS_ prefix and exposes them under the same names, so the test code stays unchanged.
I do an assertion to see whether the values have been set, written so that the asserted value is not printed to the command log on the happy path:
const testUser = { email: Cypress.env('EMAIL'), password: Cypress.env('PASSWORD') };
// Guard first: expect() only runs (and only logs) when the value is missing or not a string.
if (typeof testUser.password !== 'string' || !testUser.password) {
  expect(testUser.password, 'Login password was set').to.be.a('string').and.not.be.empty;
  throw new Error('Missing login password value');
}
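Putting the {log: false} fix and the env-value check together, here is a reusable login command. This is an added example, not code from the original post or from the Cypress documentation. It assumes the credentials arrive as Cypress.env('EMAIL') and Cypress.env('PASSWORD') (cypress.env.json locally, CYPRESS_EMAIL / CYPRESS_PASSWORD in CI), that the form uses the selectors from the post, and the helper names requireSecret, secretTypeOptions and loginLogEntry are mine. The helpers are plain functions so they also run under Node without Cypress; the command registration is guarded so the file works as cypress/support/commands.js as well.

```javascript
// Added example (not from the original post or the Cypress docs): a cy.login()
// command that keeps the password out of the command log.
// Assumptions: Cypress.env('EMAIL') / Cypress.env('PASSWORD') are set, and the
// login form uses input[name=username] and input[name=password].

// Validate a secret without echoing it: the error names the variable, never
// the value, so a failing test cannot leak a partial or misconfigured secret.
function requireSecret(name, value) {
  if (typeof value !== 'string' || value.length === 0) {
    throw new Error(`Missing required Cypress env value: ${name}`);
  }
  return value;
}

// Options for cy.type() on sensitive input. `log: false` suppresses the
// command-log entry that would otherwise show the typed characters; it is
// applied last so a caller cannot accidentally re-enable logging.
function secretTypeOptions(extra = {}) {
  return { ...extra, log: false };
}

// One explicit, redacted command-log entry for the login step, so the log still
// shows that a login happened and as whom, but never with what password.
function loginLogEntry(email) {
  return { name: 'login', message: `${email} / [password redacted]` };
}

// Register cy.login() only when this file is loaded by Cypress; under plain
// Node the helpers above remain available for unit testing.
if (typeof Cypress !== 'undefined' && typeof cy !== 'undefined') {
  Cypress.Commands.add('login', () => {
    const email = requireSecret('EMAIL', Cypress.env('EMAIL'));
    const password = requireSecret('PASSWORD', Cypress.env('PASSWORD'));
    Cypress.log(loginLogEntry(email));
    cy.get('input[name=username]').type(email);
    cy.get('input[name=password]').type(`${password}{enter}`, secretTypeOptions());
  });
}
```

In a spec the call is simply cy.login() in a beforeEach. Note that the username is still typed with logging on, which matches the post's concern (only the password is the secret); if the account email is itself sensitive in your environment, type it with secretTypeOptions() as well.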