topic Re: Token visible in Javascript in Automations

Token visible in Javascript

henk_stobbe — Tue, 11 Jun 2024 11:44:41 GMT

Hello All,

I notice you can see the value of a token when used in Javascript, I assume that this is inherent to the used implementation? Or will there be an improvement?

KR Henk

Re: Token visible in Javascript

christian_kreuz — Tue, 11 Jun 2024 12:50:34 GMT

Hi! In the screenshot, you're seeing the Result tab of a "run_javascript" task. Most likely, the token is returned as part of this task. You can investigate and change this by editing the Workflow, and looking at the "Run JavaScript" task in question, which probably looks something like this:

// optional import of sdk modules import { execution } from '@dynatrace-sdk/automation-utils'; export default async function ({ execution_id }) { // your code goes here const token = "1234"; const scope = "SCOPE"; // do something return { token: token, scope: scope }; }

edit: now if you're asking whether you can mask this token, that's a no for now. What you could however do instead is store the token using secrets in App-Settings or Dynatrace Credential Vault.

Re: Token visible in Javascript

henk_stobbe — Tue, 11 Jun 2024 12:51:12 GMT

Hi Christian,

Sorry, it is returned by below code in the task:

tokenCredentials = await credentialVaultClient.getCredentialsDetails({
id: 'CREDENTIALS_VAULT-04B79924E62A26F3',

So I was thinking it is the real token value

KR Henk

Re: Token visible in Javascript

christian_kreuz — Tue, 11 Jun 2024 12:55:24 GMT

Now I see 🙂 The Run JavaScript task is doing exactly what you tell it to do, which, in this case, is returning the full response of getCredentialsDetails from credentialVaultClient.

I suppose you want to use the token returned in a follow-up task?

Re: Token visible in Javascript

henk_stobbe — Tue, 11 Jun 2024 13:06:30 GMT

Absolutely,

So in simple terms, next step would be a POST request using this credential.

My main concern was that I can see the token used in the script, so this would be a security risk as anybody who can see the workflow can possibly see and copy the token?

See my token definition:

KR Henk

Re: Token visible in Javascript

christian_kreuz — Tue, 11 Jun 2024 13:11:15 GMT

Yes, that's all correct. Don't return the token. Support for using credentials/secrets in a secure way is on the roadmap, as far as I know. For the time being,

For the time being, you can use fetch in the Run JavaScript action like this:

Re: Token visible in Javascript

henk_stobbe — Tue, 11 Jun 2024 13:16:16 GMT

Cool thx Christain!

Re: Token visible in Javascript

kuncarlos — Wed, 21 May 2025 13:00:56 GMT

Hi, is this solution also valid for Managed?

Re: Token visible in Javascript

christian_kreuz — Wed, 21 May 2025 13:33:15 GMT

Hi!

No, it's only for SaaS, with DPS.