I'm working with the Google Drive API via the Google Drive Ruby gem and using VCR to record requests.
I'm authenticating via JWT under the hood, and want to filter out both the JWT request and the bearer token which gets returned.
As I don't know either the JWT token or the Bearer token which Google gives me at runtime, I can't use filter_sensitive_data. As a result, I've got the following mess of code to filter after the tests run in order to sanitise my cassettes:

    after(:each) do |example|
      # Filter out JWT and bearer tokens from requests
      if VCR.current_cassette.recording?
        interactions = VCR.current_cassette.new_recorded_interactions
        # Remove JWT token
        interactions.first.request.body.gsub!(/(?<=assertion\=).*/, '<JWT_TOKEN>')
        # Get and replace access token from body
        body = JSON.parse(interactions.first.response.body)
        access_token = body['access_token']
        body['access_token'] = '<ACCESS_TOKEN>'
        interactions.first.response.body = body.to_json
        # Replace access token in each auth request
        interactions.drop(1).each do |i|
          i.request.headers['Authorization'][0].gsub!(access_token, '<BEARER_TOKEN>')
        end
      end
    end

My question is a two-parter really: 1) is there another way to do this? and 2) is this even necessary at all? Thoughts appreciated!
I used filter_sensitive_data and came up with this:

    VCR.configure do |config|
      config.filter_sensitive_data('<BEARER_TOKEN>') do |interaction|
        # Not every request carries an Authorization header (e.g. the token request)
        auth = interaction.request.headers['Authorization']&.first
        if auth && (match = auth.match(/^Bearer\s+([^,\s]+)/))
          match.captures.first
        end
      end
    end

When I test, the auth header inside the cassette looks like:

    Authorization:
    - Bearer <BEARER_TOKEN>

Notable assumptions:
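
An added example, not part of the question or answer above and not VCR's own code: it extracts all three runtime secrets from the thread (the JWT `assertion`, the `access_token` in the token response, and the `Bearer` header), then scans the redacted result for anything that still looks like a credential. Interactions are modelled as plain Hashes with hypothetical keys (`:request_body`, `:response_body`, `:headers`) so the script runs without the gem, and the sample data is constructed.

```ruby
require 'json'

# Return the value of key from a JSON object body, or nil if the body is not JSON.
def json_field(text, key)
  parsed = JSON.parse(text.to_s)
  parsed[key] if parsed.is_a?(Hash)
rescue JSON::ParserError
  nil
end

# Placeholder => extractor. An interaction is a plain Hash here (an assumed
# stand-in for VCR's interaction object); extractors return the secret or nil.
EXTRACTORS = {
  '<JWT_TOKEN>'    => ->(i) { i[:request_body].to_s[/(?:\A|&)assertion=([^&\s]+)/, 1] },
  '<ACCESS_TOKEN>' => ->(i) { json_field(i[:response_body], 'access_token') },
  '<BEARER_TOKEN>' => ->(i) { Array(i.dig(:headers, 'Authorization')).first.to_s[/\ABearer\s+([^,\s]+)/, 1] }
}.freeze

# Replace each secret found in an interaction everywhere it occurs in it.
def redact(interaction)
  found = EXTRACTORS.map { |placeholder, extract| [extract.call(interaction), placeholder] }
                    .reject { |secret, _| secret.to_s.empty? }
  scrub = ->(text) { found.reduce(text.to_s) { |t, (secret, ph)| t.gsub(secret, ph) } }
  { request_body: scrub.call(interaction[:request_body]),
    response_body: scrub.call(interaction[:response_body]),
    headers: (interaction[:headers] || {}).transform_values { |v| v.map(&scrub) } }
end

# Patterns for credentials that survived redaction; suitable as a CI check.
LEAK_PATTERNS = [
  /\beyJ[\w-]+\.[\w-]+\.[\w-]+/,        # three-part JWT
  /Bearer\s+(?!<)[^,\s"]+/,             # bearer value that is not a placeholder
  /"access_token"\s*:\s*"(?!<)[^"]+"/   # unredacted token in a JSON body
].freeze

def leaks(interaction)
  text = interaction.values.map { |v| v.is_a?(Hash) ? v.values.join("\n") : v.to_s }.join("\n")
  LEAK_PATTERNS.flat_map { |re| text.scan(re) }
end

# Constructed sample: the JWT token exchange, then one authorised API call.
SAMPLE = [
  { request_body: 'grant_type=jwt-bearer&assertion=eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJ4In0.c2ln',
    response_body: '{"access_token":"tok-constructed-123","token_type":"Bearer"}',
    headers: {} },
  { request_body: '', response_body: '{"files":[]}',
    headers: { 'Authorization' => ['Bearer tok-constructed-123'] } }
].freeze

REDACTED = SAMPLE.map { |i| redact(i) }
puts REDACTED.map(&:inspect), "leaks: #{REDACTED.flat_map { |i| leaks(i) }.inspect}"
```

Unlike the lookbehind regex in the question, the `assertion` pattern stops at the next `&`, so other form parameters in the token request body are left intact.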