Redacting API keys #13

Open
rstacruz opened this issue Dec 19, 2015 · 4 comments

@rstacruz

Is it possible to get API keys out of the .headers files?

They are in .headers files like so:

fixtures/generated/####.headers
{
  "url": "https://api.themoviedb.org:443/3/search/movie?api_key=0a1b2c3d4e5f..."
}

It'd be great if they can be censored out.

@avik-das
Contributor

@rstacruz: Sounds doable. The .headers files are only for the response headers, so I actually would consider using a separate tool, like sed, for post-processing these files after they're written but before they're committed to the repo or whatever. But that might be leaking too many implementation details, so I'll probably want to implement an additional filter type.

I'm hoping to spend some time on some much-needed updates to this module over the holidays, but pull requests are always welcome!

@rstacruz
Author

Neat, are you saying I can modify *.headers files without affecting anything? In fact, can I .gitignore them?

@avik-das
Contributor

@rstacruz: You can't .gitignore them. They're used during playback to set the mock response's headers and status code. But if your application can handle a bogus or missing API key, for example, you can transform the file to replace the API key or remove it altogether.

@aneilbaboo

@avik-das Do you think it's possible to add a feature like Ruby VCR where you can filter sensitive data?

We'd need something like this:

sepia.filterSensitiveData("<MY_API_KEY1>", () => process.env.MY_API_KEY1);
sepia.filterSensitiveData("<MY_API_KEY2>", () => process.env.MY_API_KEY2);
// etc

In record mode, the value returned by the function is replaced by the string provided as the first argument.

In playback mode, all strings matching the first argument will be replaced with the value returned by the function.
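
The record/playback substitution proposed in the last comment, together with a check that a fixture is clean before it is committed, as an added example that is not part of the original issue or of sepia's code. Only the `filterSensitiveData(placeholder, fn)` call shape comes from the thread; `createRedactor`, `record`, `playback`, `leaks` and the sample key are hypothetical names and constructed values.

```javascript
// Added example: a hypothetical redactor, not sepia's API.
function createRedactor() {
  const filters = []; // { placeholder, getValue } pairs, in registration order

  // Same shape as the call proposed in the thread: a placeholder plus a getter.
  function filterSensitiveData(placeholder, getValue) {
    filters.push({ placeholder, getValue });
  }

  // Raw and URL-encoded spellings of a secret; fixtures store URLs, so both occur.
  function forms(secret) {
    return [...new Set([encodeURIComponent(secret), secret])];
  }

  // Record mode: secret -> placeholder, before the fixture is written to disk.
  function record(text) {
    for (const { placeholder, getValue } of filters) {
      const secret = getValue();
      if (!secret) continue; // unset or empty: nothing to redact
      for (const form of forms(secret)) text = text.split(form).join(placeholder);
    }
    return text;
  }

  // Playback mode: placeholder -> raw secret; left in place if the secret is unset.
  function playback(text) {
    for (const { placeholder, getValue } of filters) {
      const secret = getValue();
      if (secret) text = text.split(placeholder).join(secret);
    }
    return text;
  }

  // Pre-commit check: placeholders whose secret still appears in the text.
  function leaks(text) {
    return filters
      .filter(({ getValue }) => {
        const s = getValue();
        return Boolean(s) && forms(s).some((f) => text.includes(f));
      })
      .map(({ placeholder }) => placeholder);
  }

  return { filterSensitiveData, record, playback, leaks };
}

// Constructed fixture content, modelled on the .headers file shown in the issue.
const sampleFixture = JSON.stringify(
  { url: "https://api.themoviedb.org:443/3/search/movie?api_key=CONSTRUCTED-KEY-123" },
  null, 2);
```

Running `leaks` over every file under the fixtures directory in a pre-commit hook catches a key that was recorded before its filter was registered.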
