From cd3885f1e20ebadcaa353af87b4a81c375343767 Mon Sep 17 00:00:00 2001 From: Nick Pirocanac Date: Thu, 22 Jan 2026 11:43:44 -0600 Subject: [PATCH] fix: ensure passwords and header tokens come from the environment instead of using hard-coded strings. --- docs/explanation/tea/test-quality-standards.md | 4 ++-- docs/how-to/workflows/run-atdd.md | 2 +- docs/how-to/workflows/run-automate.md | 6 +++--- src/bmm/testarch/knowledge/api-testing-patterns.md | 2 +- src/bmm/testarch/knowledge/component-tdd.md | 4 ++-- src/bmm/testarch/knowledge/data-factories.md | 2 +- src/bmm/testarch/knowledge/nfr-criteria.md | 6 +++--- src/bmm/testarch/knowledge/playwright-config.md | 2 +- src/bmm/testarch/knowledge/selector-resilience.md | 4 ++-- src/bmm/testarch/knowledge/test-levels-framework.md | 2 +- src/bmm/testarch/knowledge/test-quality.md | 10 +++++----- src/bmm/workflows/testarch/atdd/instructions.md | 2 +- 12 files changed, 23 insertions(+), 23 deletions(-) diff --git a/docs/explanation/tea/test-quality-standards.md b/docs/explanation/tea/test-quality-standards.md index da1fdae4..29b4e948 100644 --- a/docs/explanation/tea/test-quality-standards.md +++ b/docs/explanation/tea/test-quality-standards.md @@ -381,7 +381,7 @@ test('complete user flow', async ({ page }) => { test('should register new user', async ({ page }) => { await page.goto('/register'); await page.fill('#email', 'test@example.com'); - await page.fill('#password', 'password123'); + await page.fill('#password', env.goodpassword); await page.click('button[type="submit"]'); await expect(page).toHaveURL('/welcome'); @@ -653,7 +653,7 @@ test('should login with valid credentials and redirect to dashboard', async ({ p await page.goto('/login'); await page.getByLabel('Email').fill('test@example.com'); - await page.getByLabel('Password').fill('password123'); + await page.getByLabel('Password').fill(env.goodpassword); await page.getByRole('button', { name: 'Sign in' }).click(); // Wait for actual API response diff --git a/docs/how-to/workflows/run-atdd.md b/docs/how-to/workflows/run-atdd.md index 9b55ecb3..9d127477 100644 --- a/docs/how-to/workflows/run-atdd.md +++ b/docs/how-to/workflows/run-atdd.md @@ -228,7 +228,7 @@ test('should edit and save profile', async ({ page }) => { // Login first await page.goto('/login'); await page.getByLabel('Email').fill('test@example.com'); - await page.getByLabel('Password').fill('password123'); + await page.getByLabel('Password').fill(env.goodpassword); await page.getByRole('button', { name: 'Sign in' }).click(); // Navigate to profile diff --git a/docs/how-to/workflows/run-automate.md b/docs/how-to/workflows/run-automate.md index 0b48f8f1..ef67d553 100644 --- a/docs/how-to/workflows/run-automate.md +++ b/docs/how-to/workflows/run-automate.md @@ -133,7 +133,7 @@ test.describe('Profile API', () => { test.beforeAll(async ({ request }) => { // Manual auth token fetch const response = await request.post('/api/auth/login', { - data: { email: 'test@example.com', password: 'password123' } + data: { email: 'test@example.com', password: env.goodpassword } }); const { token } = await response.json(); authToken = token; @@ -259,7 +259,7 @@ test('should edit profile', async ({ page }) => { // Login await page.goto('/login'); await page.getByLabel('Email').fill('test@example.com'); - await page.getByLabel('Password').fill('password123'); + await page.getByLabel('Password').fill(env.goodpassword); await page.getByRole('button', { name: 'Sign in' }).click(); // Edit profile @@ -295,7 +295,7 @@ export const test = base.extend({ // Manual login flow await page.goto('/login'); await page.getByLabel('Email').fill('test@example.com'); - await page.getByLabel('Password').fill('password123'); + await page.getByLabel('Password').fill(env.goodpassword); await page.getByRole('button', { name: 'Sign in' }).click(); await page.waitForURL(/\/dashboard/); diff --git a/src/bmm/testarch/knowledge/api-testing-patterns.md b/src/bmm/testarch/knowledge/api-testing-patterns.md index 65c81d7a..fc1cac3c 100644 --- a/src/bmm/testarch/knowledge/api-testing-patterns.md +++ b/src/bmm/testarch/knowledge/api-testing-patterns.md @@ -679,7 +679,7 @@ test.describe('Authenticated API Tests', () => { }); test('should reject expired token', async ({ apiRequest }) => { - const expiredToken = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...'; // Expired token + const expiredToken = env.expiredtoken; // Expired token const { status, body } = await apiRequest({ method: 'GET', diff --git a/src/bmm/testarch/knowledge/component-tdd.md b/src/bmm/testarch/knowledge/component-tdd.md index d14ba8f3..b6e852be 100644 --- a/src/bmm/testarch/knowledge/component-tdd.md +++ b/src/bmm/testarch/knowledge/component-tdd.md @@ -294,7 +294,7 @@ describe('Form Component Accessibility', () => { cy.realPress('Tab'); // cypress-real-events plugin cy.focused().should('have.attr', 'name', 'password'); - cy.focused().type('password123'); + cy.focused().type(env.goodpassword); cy.realPress('Tab'); cy.focused().should('have.attr', 'type', 'submit'); @@ -344,7 +344,7 @@ test.describe('Form Component Accessibility', () => { await expect(component.getByLabel('Password')).toBeFocused(); - await component.getByLabel('Password').fill('password123'); + await component.getByLabel('Password').fill(env.goodpassword); await page.keyboard.press('Tab'); await expect(component.getByRole('button', { name: 'Submit form' })).toBeFocused(); diff --git a/src/bmm/testarch/knowledge/data-factories.md b/src/bmm/testarch/knowledge/data-factories.md index 6820a30d..13ed8b38 100644 --- a/src/bmm/testarch/knowledge/data-factories.md +++ b/src/bmm/testarch/knowledge/data-factories.md @@ -280,7 +280,7 @@ beforeEach(() => { test('user can login', async ({ page }) => { await page.goto('/login'); await page.fill('[data-testid="email"]', 'test@test.com'); // Hardcoded - await page.fill('[data-testid="password"]', 'password123'); // Hardcoded + await page.fill('[data-testid="password"]', env.goodpassword); // Hardcoded await page.click('[data-testid="submit"]'); // What if this user already exists? Test fails in parallel runs. diff --git a/src/bmm/testarch/knowledge/nfr-criteria.md b/src/bmm/testarch/knowledge/nfr-criteria.md index 33d58141..76ad6942 100644 --- a/src/bmm/testarch/knowledge/nfr-criteria.md +++ b/src/bmm/testarch/knowledge/nfr-criteria.md @@ -71,7 +71,7 @@ test.describe('Security NFR: Authentication & Authorization', () => { // Trigger login error await page.goto('/login'); await page.getByLabel('Email').fill('test@example.com'); - await page.getByLabel('Password').fill('WrongPassword123!'); + await page.getByLabel('Password').fill(env.wrongpassword); // Monitor console for password leaks const consoleLogs: string[] = []; @@ -84,8 +84,8 @@ test.describe('Security NFR: Authentication & Authorization', () => { // Verify password NEVER appears in console, DOM, or network const pageContent = await page.content(); - expect(pageContent).not.toContain('WrongPassword123!'); - expect(consoleLogs.join('\n')).not.toContain('WrongPassword123!'); + expect(pageContent).not.toContain(env.wrongpassword); + expect(consoleLogs.join('\n')).not.toContain(env.wrongpassword); }); test('RBAC: users can only access resources they own', async ({ page, request }) => { diff --git a/src/bmm/testarch/knowledge/playwright-config.md b/src/bmm/testarch/knowledge/playwright-config.md index de85f457..f8d2b050 100644 --- a/src/bmm/testarch/knowledge/playwright-config.md +++ b/src/bmm/testarch/knowledge/playwright-config.md @@ -626,7 +626,7 @@ async function globalSetup(config: FullConfig) { // Perform authentication await page.goto('http://localhost:3000/login'); await page.fill('[data-testid="email"]', 'test@example.com'); - await page.fill('[data-testid="password"]', 'password123'); + await page.fill('[data-testid="password"]', env.goodpassword); await page.click('[data-testid="login-button"]'); // Wait for authentication to complete diff --git a/src/bmm/testarch/knowledge/selector-resilience.md b/src/bmm/testarch/knowledge/selector-resilience.md index 06f0b042..e41ae1cd 100644 --- a/src/bmm/testarch/knowledge/selector-resilience.md +++ b/src/bmm/testarch/knowledge/selector-resilience.md @@ -35,7 +35,7 @@ test.describe('Selector Hierarchy Best Practices', () => { // ✅ Best: Dedicated test attribute (survives all UI changes) await page.getByTestId('email-input').fill('user@example.com'); - await page.getByTestId('password-input').fill('password123'); + await page.getByTestId('password-input').fill(env.goodpassword); await page.getByTestId('login-button').click(); await expect(page.getByTestId('welcome-message')).toBeVisible(); @@ -52,7 +52,7 @@ test.describe('Selector Hierarchy Best Practices', () => { // ✅ Good: Semantic HTML roles (benefits accessibility + tests) await page.getByRole('textbox', { name: 'Email' }).fill('user@example.com'); - await page.getByRole('textbox', { name: 'Password' }).fill('password123'); + await page.getByRole('textbox', { name: 'Password' }).fill(env.goodpassword); await page.getByRole('button', { name: 'Sign In' }).click(); await expect(page.getByRole('heading', { name: 'Welcome' })).toBeVisible(); diff --git a/src/bmm/testarch/knowledge/test-levels-framework.md b/src/bmm/testarch/knowledge/test-levels-framework.md index ed3418aa..244af08e 100644 --- a/src/bmm/testarch/knowledge/test-levels-framework.md +++ b/src/bmm/testarch/knowledge/test-levels-framework.md @@ -175,7 +175,7 @@ test.describe('Checkout Flow', () => { // Step 1: Login await page.goto('/login'); await page.fill('[data-testid="email"]', user.email); - await page.fill('[data-testid="password"]', 'password123'); + await page.fill('[data-testid="password"]', env.goodpassword); await page.click('[data-testid="login-button"]'); await loginPromise; diff --git a/src/bmm/testarch/knowledge/test-quality.md b/src/bmm/testarch/knowledge/test-quality.md index ab62d916..5646eddb 100644 --- a/src/bmm/testarch/knowledge/test-quality.md +++ b/src/bmm/testarch/knowledge/test-quality.md @@ -347,7 +347,7 @@ test('complete user journey - TOO LONG', async ({ page, request }) => { await request.post('/api/users', { data: admin }); await page.goto('/login'); await page.fill('[data-testid="email"]', admin.email); - await page.fill('[data-testid="password"]', 'password123'); + await page.fill('[data-testid="password"]', env.goodpassword); await page.click('[data-testid="login"]'); await expect(page).toHaveURL('/dashboard'); @@ -382,7 +382,7 @@ export const test = base.extend({ await page.goto('/login'); await page.fill('[data-testid="email"]', admin.email); - await page.fill('[data-testid="password"]', 'password123'); + await page.fill('[data-testid="password"]', env.goodpassword); await page.click('[data-testid="login"]'); await expect(page).toHaveURL('/dashboard'); @@ -474,8 +474,8 @@ test('user completes order - SLOW (4 min)', async ({ page }) => { // Step 1: Manual signup via UI (90 seconds) await page.goto('/signup'); await page.fill('[data-testid="email"]', 'buyer@example.com'); - await page.fill('[data-testid="password"]', 'password123'); - await page.fill('[data-testid="confirm-password"]', 'password123'); + await page.fill('[data-testid="password"]', env.goodpassword); + await page.fill('[data-testid="confirm-password"]', env.goodpassword); await page.fill('[data-testid="name"]', 'Buyer User'); await page.click('[data-testid="signup"]'); await page.waitForURL('/verify-email'); // Wait for email verification @@ -612,7 +612,7 @@ export default async function globalSetup() { // Login once, save session await page.goto('/login'); await page.fill('[data-testid="email"]', admin.email); - await page.fill('[data-testid="password"]', 'password123'); + await page.fill('[data-testid="password"]', env.goodpassword); await page.click('[data-testid="login"]'); // Save auth state for reuse diff --git a/src/bmm/workflows/testarch/atdd/instructions.md b/src/bmm/workflows/testarch/atdd/instructions.md index aa748905..4411cf2e 100644 --- a/src/bmm/workflows/testarch/atdd/instructions.md +++ b/src/bmm/workflows/testarch/atdd/instructions.md @@ -428,7 +428,7 @@ Generates failing acceptance tests BEFORE implementation following TDD's red-gre const user = await createUser(); await page.goto('/login'); await page.fill('[data-testid="email"]', user.email); - await page.fill('[data-testid="password"]', 'password123'); + await page.fill('[data-testid="password"]', env.goodpassword); await page.click('[data-testid="login-button"]'); await page.waitForURL('/dashboard');