From 83a7d82a4010eeaed14474e6394c9f0156e5c86c Mon Sep 17 00:00:00 2001 From: Darshana Peiris Date: Mon, 29 Mar 2021 11:10:32 +0530 Subject: [PATCH] Fix passing secrets to OAuth & Basic Auth: 'setBasicAuth' & 'getOAuthAccessToken' were not using 'replaceVars' to interpolate 'envVars'. Added the 'replaceVars' to interpolate secrets before sending the request. --- src/world.js | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/world.js b/src/world.js index fd00da2..a19746a 100644 --- a/src/world.js +++ b/src/world.js @@ -167,7 +167,9 @@ class World { } async setBasicAuth(credentials) { - const { username, password } = credentials; + const secretCredentials = this.replaceVars(credentials); + + const { username, password } = secretCredentials; const agent = this.currentAgent; const encodedCredentials = Buffer.from(`${username}:${password}`).toString('base64'); agent.set('Authorization', `Basic ${encodedCredentials}`); @@ -181,13 +183,15 @@ class World { async getOAuthAccessToken(url, credentials) { const agent = this.currentAgent; + const secretCredentials = this.replaceVars(credentials); + // do an oauth2 login // only set the bearer token once on the agent if (!agent._bat.bearer) { const res = await agent .post(this.baseUrl + this.replaceVars(url)) .type('form') - .send(credentials); + .send(secretCredentials); // get the access token from the response body const getAccessToken = body => body.accessToken || body.access_token;
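Review bot: In `setBasicAuth` the interpolated `username` and `password` go straight into the `Authorization` header without being checked, so a credentials object that lacks either field is encoded as the literal text `undefined`, and a reference that `replaceVars` could not resolve may be sent as-is (its handling of unknown variables is outside this diff). Failing before the header is set makes a misconfigured secret visible at the step that caused it, rather than as a 401 from the server: `if (username == null || password == null) throw new Error('setBasicAuth: username and password are required');`. The error message should name the missing field only, never the resolved values. `setBasicAuth` continues past the end of this hunk.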
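Review bot: In `getOAuthAccessToken`, `secretCredentials` is resolved before the `if (!agent._bat.bearer)` check, so the plaintext secrets are materialised on every call even when the cached bearer token is reused and nothing is sent. Moving the line inside the branch keeps the resolved values scoped to the one request that needs them: `const secretCredentials = this.replaceVars(credentials);` placed directly above `const res = await agent`. This hunk also relies on `replaceVars` accepting an object here and a string for `url`; its body is not visible in the diff, so a test that passes a credentials object containing a variable reference would pin that behaviour for both auth helpers. The function's body continues outside the hunk.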