Token visible in Javascript

henk_stobbe
DynaMight Champion

Hello All,

I notice you can see the value of a token when used in Javascript, I assume that this is inherent to the used implementation? Or will there be an improvement?

KR Henk

[screenshot attachment: henk_stobbe_0-1718106034452.png]

6 REPLIES

christian_kreuz
Dynatrace Enthusiast

Hi! In the screenshot, you're seeing the Result tab of a "run_javascript" task. Most likely, the token is returned as part of this task. You can investigate and change this by editing the Workflow, and looking at the "Run JavaScript" task in question, which probably looks something like this:

// optional import of sdk modules
import { execution } from '@dynatrace-sdk/automation-utils';

export default async function ({ execution_id }) {
  // your code goes here
  const token = "1234";
  const scope = "SCOPE";

  // do something
  
  return { token: token, scope: scope };
}

edit: now if you're asking whether you can mask this token, that's a no for now. What you could however do instead is store the token using secrets in App-Settings or Dynatrace Credential Vault.

Hi Christian,

Sorry, it is returned by below code in the task:

// Fetches the full credential record from the vault; the returned object includes the token itself
const tokenCredentials = await credentialVaultClient.getCredentialsDetails({
  id: 'CREDENTIALS_VAULT-04B79924E62A26F3',
});

So I was thinking it is the real token value

KR Henk

Now I see 🙂 The Run JavaScript task is doing exactly what you tell it to do, which, in this case, is returning the full response of getCredentialsDetails from credentialVaultClient.

I suppose you want to use the token returned in a follow-up task?

Absolutely, 

So in simple terms, next step would be a POST request using this credential.

My main concern was that I can see the token used in the script, so this would be a security risk as anybody who can see the workflow can possibly see and copy the token?

See my token definition:

[screenshot attachment: henk_stobbe_0-1718111154228.png]

KR Henk

Yes, that's all correct. Don't return the token. Support for using credentials/secrets in a secure way is on the roadmap, as far as I know.

For the time being, you can use fetch in the Run JavaScript action like this:

  // credentialVaultClient comes from the Dynatrace SDK (import added for completeness):
  // import { credentialVaultClient } from '@dynatrace-sdk/client-classic-environment-v2';

  // Read the token inside the task and keep it in a local variable only
  const token = await credentialVaultClient.getCredentialsDetails({
    id: "CREDENTIALS_VAULT-ABCD1234",
  }).then((credentials) => credentials.token);

  const url = "https://....";

  // Use the token for the request; do not include it in the task's return value
  const response = await fetch(url, {
    method: 'GET',
    headers: {
      'Authorization': `Bearer ${token}`
    }
  }).then(response => response.json());
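The point of the thread is that whatever a Run JavaScript task returns is stored in the execution result and readable by anyone who can view the workflow, so the credential must be consumed inside the task and never returned. The following is an added example (not Dynatrace's code and not from either poster) that contrasts the leaky pattern with a task that uses the token and returns only non-secret data, plus a small defensive check that refuses to return secret-looking fields. The `credentialVaultClient` and `fakeFetch` objects are constructed stand-ins so the example runs offline; the vault id is a placeholder.

```javascript
// Added example: keep Credential Vault secrets out of a task's stored result.
// credentialVaultClient and fakeFetch below are constructed stand-ins, not the real SDK or fetch.

// Keys whose values should never appear in a workflow result object.
const SECRET_KEY_PATTERN = /^(token|password|secret|api[-_]?key|authorization)$/i;

// Recursively replace secret-looking fields with a marker so the stored result
// cannot carry the credential even if a developer forgets to strip it.
function redactSecrets(value) {
  if (Array.isArray(value)) return value.map(redactSecrets);
  if (value && typeof value === 'object') {
    const out = {};
    for (const [key, inner] of Object.entries(value)) {
      out[key] = SECRET_KEY_PATTERN.test(key) ? '[REDACTED]' : redactSecrets(inner);
    }
    return out;
  }
  return value;
}

// Pre-return check: true when any secret-looking key survives in the object tree.
function containsSecret(value) {
  if (Array.isArray(value)) return value.some(containsSecret);
  if (value && typeof value === 'object') {
    return Object.entries(value).some(
      ([key, inner]) => SECRET_KEY_PATTERN.test(key) || containsSecret(inner),
    );
  }
  return false;
}

// Constructed stand-in for credentialVaultClient.getCredentialsDetails (sample data, not a real token).
const credentialVaultClient = {
  async getCredentialsDetails({ id }) {
    return { id, name: 'example-token', type: 'TOKEN', token: 'dt0c01.EXAMPLE.NOTAREALTOKEN' };
  },
};

// Constructed stand-in for fetch: reports whether a bearer header was sent, returns JSON.
async function fakeFetch(url, options) {
  const auth = (options.headers && options.headers.Authorization) || '';
  return { status: 200, json: async () => ({ ok: auth.startsWith('Bearer '), url }) };
}

// The leaky pattern from the original post: the whole vault response becomes the task result.
async function leakyTask() {
  const tokenCredentials = await credentialVaultClient.getCredentialsDetails({
    id: 'CREDENTIALS_VAULT-PLACEHOLDER',
  });
  return tokenCredentials; // token is now visible in the execution's Result tab
}

// The safe pattern: the token lives in a local variable, is used for the request,
// and only non-secret data needed by the next task is returned.
async function safeTask({ fetchImpl = fakeFetch } = {}) {
  const token = await credentialVaultClient
    .getCredentialsDetails({ id: 'CREDENTIALS_VAULT-PLACEHOLDER' })
    .then((credentials) => credentials.token);

  const body = await fetchImpl('https://example.invalid/api', {
    method: 'GET',
    headers: { Authorization: `Bearer ${token}` },
  }).then((response) => response.json());

  const result = { status: 'done', ok: body.ok, url: body.url };
  if (containsSecret(result)) {
    throw new Error('refusing to return a result that contains a secret-looking field');
  }
  return redactSecrets(result);
}

leakyTask().then((r) => console.log('leaky result contains secret:', containsSecret(r)));
safeTask().then((r) => console.log('safe result:', JSON.stringify(r)));
```

The `containsSecret` guard is deliberately strict: a task that accidentally bundles the vault response into its output fails at run time instead of silently persisting the credential. Downstream tasks that need the token should read it from the vault themselves rather than receiving it through a previous task's result.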

Cool thx Christian!
