fix: ensure passwords and header tokens come from the environment instead of using hard-coded strings.

Nick Pirocanac 2026-01-22 11:43:44 -06:00
parent 9b9f43fcb9
commit cd3885f1e2
12 changed files with 23 additions and 23 deletions


@ -381,7 +381,7 @@ test('complete user flow', async ({ page }) => {
test('should register new user', async ({ page }) => {
await page.goto('/register');
await page.fill('#email', 'test@example.com');
await page.fill('#password', 'password123');
await page.fill('#password', env.goodpassword);
await page.click('button[type="submit"]');
await expect(page).toHaveURL('/welcome');
@ -653,7 +653,7 @@ test('should login with valid credentials and redirect to dashboard', async ({ p
await page.goto('/login');
await page.getByLabel('Email').fill('test@example.com');
await page.getByLabel('Password').fill('password123');
await page.getByLabel('Password').fill(env.goodpassword);
await page.getByRole('button', { name: 'Sign in' }).click();
// Wait for actual API response
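Review bot: `env.goodpassword` is handed straight to `fill()` on the new line of both hunks, but nothing in the hunks shows where `env` is imported from or that its values are validated; if it is a thin wrapper over `process.env`, the property is typed `string | undefined`, `fill()` will not accept it under strict TypeScript, and at runtime an unset variable surfaces as an opaque Playwright error instead of a configuration failure. A single fail-fast accessor shared by the spec files, e.g. `const required = (k: string): string => { const v = process.env[k]; if (!v) throw new Error(`missing env var ${k}`); return v; };`, makes every test report the missing secret by name before any browser work starts. The same concern applies to every other file section in this commit. Both `test(...)` callbacks begin inside their hunk and end outside it.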


@ -228,7 +228,7 @@ test('should edit and save profile', async ({ page }) => {
// Login first
await page.goto('/login');
await page.getByLabel('Email').fill('test@example.com');
await page.getByLabel('Password').fill('password123');
await page.getByLabel('Password').fill(env.goodpassword);
await page.getByRole('button', { name: 'Sign in' }).click();
// Navigate to profile


@ -133,7 +133,7 @@ test.describe('Profile API', () => {
test.beforeAll(async ({ request }) => {
// Manual auth token fetch
const response = await request.post('/api/auth/login', {
data: { email: 'test@example.com', password: 'password123' }
data: { email: 'test@example.com', password: env.goodpassword }
});
const { token } = await response.json();
authToken = token;
@ -259,7 +259,7 @@ test('should edit profile', async ({ page }) => {
// Login
await page.goto('/login');
await page.getByLabel('Email').fill('test@example.com');
await page.getByLabel('Password').fill('password123');
await page.getByLabel('Password').fill(env.goodpassword);
await page.getByRole('button', { name: 'Sign in' }).click();
// Edit profile
@ -295,7 +295,7 @@ export const test = base.extend<ProfileFixtures>({
// Manual login flow
await page.goto('/login');
await page.getByLabel('Email').fill('test@example.com');
await page.getByLabel('Password').fill('password123');
await page.getByLabel('Password').fill(env.goodpassword);
await page.getByRole('button', { name: 'Sign in' }).click();
await page.waitForURL(/\/dashboard/);
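Review bot: In the `test.beforeAll` hunk the token is destructured from `response.json()` without checking that the login call succeeded; if `env.goodpassword` is unset or wrong, `token` is `undefined`, `authToken` is set to `undefined`, and every dependent test later fails with an unrelated-looking 401 instead of pointing at the fixture. Add `expect(response.ok(), 'fixture login failed').toBeTruthy();` before the destructuring and `expect(typeof token).toBe('string');` after it, assuming `expect` is imported here as in the other specs. The `beforeAll` callback and the enclosing `describe` continue outside the hunk.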


@ -679,7 +679,7 @@ test.describe('Authenticated API Tests', () => {
});
test('should reject expired token', async ({ apiRequest }) => {
const expiredToken = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...'; // Expired token
const expiredToken = env.expiredtoken; // Expired token
const { status, body } = await apiRequest({
method: 'GET',


@ -294,7 +294,7 @@ describe('Form Component Accessibility', () => {
cy.realPress('Tab'); // cypress-real-events plugin
cy.focused().should('have.attr', 'name', 'password');
cy.focused().type('password123');
cy.focused().type(env.goodpassword);
cy.realPress('Tab');
cy.focused().should('have.attr', 'type', 'submit');
@ -344,7 +344,7 @@ test.describe('Form Component Accessibility', () => {
await expect(component.getByLabel('Password')).toBeFocused();
await component.getByLabel('Password').fill('password123');
await component.getByLabel('Password').fill(env.goodpassword);
await page.keyboard.press('Tab');
await expect(component.getByRole('button', { name: 'Submit form' })).toBeFocused();
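Review bot: In the Cypress hunk, `cy.focused().type(env.goodpassword)` echoes the password into the Cypress command log and into any recorded run, which is the same exposure the commit is removing from source; pass the option that suppresses it: `cy.focused().type(env.goodpassword, { log: false });`. Cypress specs execute inside the browser, so if `env` wraps Node's `process.env` it will not exist there and the value has to be surfaced via `Cypress.env()` instead — worth confirming, since the hunk does not show where `env` comes from. The Playwright component hunk below does not log typed text and is unaffected by the first point.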


@ -280,7 +280,7 @@ beforeEach(() => {
test('user can login', async ({ page }) => {
await page.goto('/login');
await page.fill('[data-testid="email"]', 'test@test.com'); // Hardcoded
await page.fill('[data-testid="password"]', 'password123'); // Hardcoded
await page.fill('[data-testid="password"]', env.goodpassword); // Hardcoded
await page.click('[data-testid="submit"]');
// What if this user already exists? Test fails in parallel runs.


@ -71,7 +71,7 @@ test.describe('Security NFR: Authentication & Authorization', () => {
// Trigger login error
await page.goto('/login');
await page.getByLabel('Email').fill('test@example.com');
await page.getByLabel('Password').fill('WrongPassword123!');
await page.getByLabel('Password').fill(env.wrongpassword);
// Monitor console for password leaks
const consoleLogs: string[] = [];
@ -84,8 +84,8 @@ test.describe('Security NFR: Authentication & Authorization', () => {
// Verify password NEVER appears in console, DOM, or network
const pageContent = await page.content();
expect(pageContent).not.toContain('WrongPassword123!');
expect(consoleLogs.join('\n')).not.toContain('WrongPassword123!');
expect(pageContent).not.toContain(env.wrongpassword);
expect(consoleLogs.join('\n')).not.toContain(env.wrongpassword);
});
test('RBAC: users can only access resources they own', async ({ page, request }) => {
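Review bot: In the second hunk, `expect(pageContent).not.toContain(env.wrongpassword)` and its console-log twin become vacuous when `env.wrongpassword` is unset: the string matcher coerces `undefined` to the text `"undefined"`, both checks pass, and the test no longer proves that the password never reaches the DOM or the console. Assert the fixture before relying on it, e.g. `expect(typeof env.wrongpassword).toBe('string'); expect(env.wrongpassword.length).toBeGreaterThan(0);`, and because the first hunk depends on the login actually failing, also `expect(env.wrongpassword).not.toBe(env.goodpassword);`. This is the one place in the commit where a missing variable silently weakens a security check instead of failing the test. The `test` callback begins before the first hunk and closes with the `});` at the end of the second.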


@ -626,7 +626,7 @@ async function globalSetup(config: FullConfig) {
// Perform authentication
await page.goto('http://localhost:3000/login');
await page.fill('[data-testid="email"]', 'test@example.com');
await page.fill('[data-testid="password"]', 'password123');
await page.fill('[data-testid="password"]', env.goodpassword);
await page.click('[data-testid="login-button"]');
// Wait for authentication to complete


@ -35,7 +35,7 @@ test.describe('Selector Hierarchy Best Practices', () => {
// ✅ Best: Dedicated test attribute (survives all UI changes)
await page.getByTestId('email-input').fill('user@example.com');
await page.getByTestId('password-input').fill('password123');
await page.getByTestId('password-input').fill(env.goodpassword);
await page.getByTestId('login-button').click();
await expect(page.getByTestId('welcome-message')).toBeVisible();
@ -52,7 +52,7 @@ test.describe('Selector Hierarchy Best Practices', () => {
// ✅ Good: Semantic HTML roles (benefits accessibility + tests)
await page.getByRole('textbox', { name: 'Email' }).fill('user@example.com');
await page.getByRole('textbox', { name: 'Password' }).fill('password123');
await page.getByRole('textbox', { name: 'Password' }).fill(env.goodpassword);
await page.getByRole('button', { name: 'Sign In' }).click();
await expect(page.getByRole('heading', { name: 'Welcome' })).toBeVisible();


@ -175,7 +175,7 @@ test.describe('Checkout Flow', () => {
// Step 1: Login
await page.goto('/login');
await page.fill('[data-testid="email"]', user.email);
await page.fill('[data-testid="password"]', 'password123');
await page.fill('[data-testid="password"]', env.goodpassword);
await page.click('[data-testid="login-button"]');
await loginPromise;


@ -347,7 +347,7 @@ test('complete user journey - TOO LONG', async ({ page, request }) => {
await request.post('/api/users', { data: admin });
await page.goto('/login');
await page.fill('[data-testid="email"]', admin.email);
await page.fill('[data-testid="password"]', 'password123');
await page.fill('[data-testid="password"]', env.goodpassword);
await page.click('[data-testid="login"]');
await expect(page).toHaveURL('/dashboard');
@ -382,7 +382,7 @@ export const test = base.extend({
await page.goto('/login');
await page.fill('[data-testid="email"]', admin.email);
await page.fill('[data-testid="password"]', 'password123');
await page.fill('[data-testid="password"]', env.goodpassword);
await page.click('[data-testid="login"]');
await expect(page).toHaveURL('/dashboard');
@ -474,8 +474,8 @@ test('user completes order - SLOW (4 min)', async ({ page }) => {
// Step 1: Manual signup via UI (90 seconds)
await page.goto('/signup');
await page.fill('[data-testid="email"]', 'buyer@example.com');
await page.fill('[data-testid="password"]', 'password123');
await page.fill('[data-testid="confirm-password"]', 'password123');
await page.fill('[data-testid="password"]', env.goodpassword);
await page.fill('[data-testid="confirm-password"]', env.goodpassword);
await page.fill('[data-testid="name"]', 'Buyer User');
await page.click('[data-testid="signup"]');
await page.waitForURL('/verify-email'); // Wait for email verification
@ -612,7 +612,7 @@ export default async function globalSetup() {
// Login once, save session
await page.goto('/login');
await page.fill('[data-testid="email"]', admin.email);
await page.fill('[data-testid="password"]', 'password123');
await page.fill('[data-testid="password"]', env.goodpassword);
await page.click('[data-testid="login"]');
// Save auth state for reuse
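Review bot: In the first hunk the account is created with `request.post('/api/users', { data: admin })` and then logged in by typing `env.goodpassword`; unless `admin` is constructed with `password: env.goodpassword` (its definition is outside the hunk), the created user's password and the typed one are two unrelated values and the login succeeds only by coincidence. Either fill from the object that created the account, `await page.fill('[data-testid="password"]', admin.password);`, or derive `admin.password` from the env value where `admin` is built, so the fixture has one source of truth. The same coupling appears in the checkout-flow section (`user.email` paired with `env.goodpassword`) and in the last section (`createUser()` followed by `env.goodpassword`); the second and fourth hunks here share the pattern via `admin.email`.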


@ -428,7 +428,7 @@ Generates failing acceptance tests BEFORE implementation following TDD's red-gre
const user = await createUser();
await page.goto('/login');
await page.fill('[data-testid="email"]', user.email);
await page.fill('[data-testid="password"]', 'password123');
await page.fill('[data-testid="password"]', env.goodpassword);
await page.click('[data-testid="login-button"]');
await page.waitForURL('/dashboard');