In my organization, we have a Postman setup for testing our APIs. Part of the process involves manually signing a JWT in a Pre-request script, using jsrsasign and the necessary data, including a Jwtsecret key. It has so far simply been declared in plaintext in the pre-request script, and I am trying to move the sensitive data over to the Postman Vault.
The code looks like this, and works just fine:
var jwtSecret = {
    "p":"loremipsum",
    "kty":"RSA",
    "q":"loremipsum",
    "e":"AQAB",
    "alg":"RS256",
    // <more key stuff>
};
// <other code>
var signedJWTToken = KJUR.jws.JWS.sign(null, header, data, jwtSecret);
So I tried changing it to:
var jwtSecret = pm.vault.get("jwtSecret");
....
var signedJWTToken = KJUR.jws.JWS.sign(null, header, data, jwtSecret);
However, this does not work. The error I get is:
There was an error in evaluating the Pre-request Script:Error: init failed:TypeError: l.indexOf is not a function
I figured it was not properly parsing the string to a JavaScript object, but constructing an object from the JwtSecret did not change the error:
var jwtSecret = pm.vault.get("jwtsecret");
var jwtObject = Object(jwtSecret);
var signedJWTToken = KJUR.jws.JWS.sign(null, header, data, jwtObject);
It also seems very difficult to debug using console.log because of what seems to be built-in sensitive data protection in Postman.
Can anyone with know-how point me in the right direction?
I've resolved the issue now. There were two things I needed to consider: mikee's answer about needing to await the variable, and needing to parse the variable as JSON before I could use it in code.
The solution being:
let jwtSecret = await pm.vault.get("jwtSecret");
let jwtObject = JSON.parse(jwtSecret);
// Sign with the parsed key object, not the raw JSON string from the vault
var signedJWTToken = KJUR.jws.JWS.sign(null, header, data, jwtObject);
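The two steps from the fix above (await the vault lookup, then parse the stored string as JSON) can be wrapped in a check that fails with a clear message instead of an opaque library error, and without printing the secret. This is an added example for Node.js, not code from the original post: `fakeVault` is a hypothetical stand-in for `pm.vault`, Node's built-in `crypto` stands in for jsrsasign, and all function names are assumptions.

```javascript
// Added example: Node.js stand-ins for Postman's vault and jsrsasign's signer.
const crypto = require('node:crypto');

const b64url = (v) => Buffer.from(v).toString('base64url');

// Constructed sample key, generated at run time so no real secret is embedded.
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Hypothetical vault stub: like pm.vault.get, it is async and yields a string.
const fakeVault = {
  entries: { jwtSecret: JSON.stringify(privateKey.export({ format: 'jwk' })) },
  get(name) { return Promise.resolve(this.entries[name]); },
};

// Turn whatever came out of the vault into a JWK object, failing with a
// message that names the mistake but never echoes the secret itself.
function parseVaultJwk(raw) {
  if (raw && typeof raw.then === 'function') {
    throw new TypeError('vault value is a Promise: await the vault lookup first');
  }
  if (typeof raw !== 'string') {
    throw new TypeError('vault value missing or not a string (got ' + typeof raw + ')');
  }
  let jwk;
  try { jwk = JSON.parse(raw); } catch { throw new TypeError('vault value is not valid JSON'); }
  if (!jwk || jwk.kty !== 'RSA' || typeof jwk.d !== 'string') {
    throw new TypeError('vault value is not an RSA private JWK');
  }
  return jwk;
}

// RS256 compact JWS: base64url(header).base64url(payload).base64url(signature)
function signJwtRS256(header, payload, jwk) {
  const key = crypto.createPrivateKey({ key: jwk, format: 'jwk' });
  const input = b64url(JSON.stringify(header)) + '.' + b64url(JSON.stringify(payload));
  return input + '.' + crypto.sign('RSA-SHA256', Buffer.from(input), key).toString('base64url');
}

function verifyJwtRS256(token, pubKey) {
  const [h, p, s] = token.split('.');
  return crypto.verify('RSA-SHA256', Buffer.from(h + '.' + p), pubKey, Buffer.from(s, 'base64url'));
}

async function signFromVault(vault, name, header, payload) {
  const raw = await vault.get(name);                        // step 1: resolve the Promise
  return signJwtRS256(header, payload, parseVaultJwk(raw)); // step 2: parse the JSON
}
```
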