From 44478bce84bb3be2825aa43589021b37a979567d Mon Sep 17 00:00:00 2001
From: David Newell <d.newell1@outlook.com>
Date: Fri, 9 Aug 2024 09:43:10 +0100
Subject: [PATCH] chore: make password capture more explicit (#1345)

---
 .../replay/sessionrecording.test.ts           | 19 +++++++++++++++++++
 src/extensions/replay/sessionrecording.ts     | 11 ++++++++---
 src/posthog-core.ts                           |  2 +-
 3 files changed, 28 insertions(+), 4 deletions(-)

diff --git a/src/__tests__/extensions/replay/sessionrecording.test.ts b/src/__tests__/extensions/replay/sessionrecording.test.ts
index f068d5075..f6f0b0d0f 100644
--- a/src/__tests__/extensions/replay/sessionrecording.test.ts
+++ b/src/__tests__/extensions/replay/sessionrecording.test.ts
@@ -22,6 +22,7 @@ import {
     PostHogConfig,
     Property,
     SessionIdChangedCallback,
+    SessionRecordingOptions,
 } from '../../../types'
 import { uuidv7 } from '../../../uuidv7'
 import {
@@ -663,6 +664,24 @@ describe('SessionRecording', () => {
             })
         })
 
+        describe('capturing passwords', () => {
+            it.each([
+                ['no masking options', {} as SessionRecordingOptions, true],
+                ['empty masking options', { maskInputOptions: {} } as SessionRecordingOptions, true],
+                ['password not set', { maskInputOptions: { input: true } } as SessionRecordingOptions, true],
+                ['password set to true', { maskInputOptions: { password: true } } as SessionRecordingOptions, true],
+                ['password set to false', { maskInputOptions: { password: false } } as SessionRecordingOptions, false],
+            ])('%s', (_name: string, session_recording: SessionRecordingOptions, expected: boolean) => {
+                posthog.config.session_recording = session_recording
+                sessionRecording.startIfEnabledOrStop()
+                expect(assignableWindow.rrweb.record).toHaveBeenCalledWith(
+                    expect.objectContaining({
+                        maskInputOptions: expect.objectContaining({ password: expected }),
+                    })
+                )
+            })
+        })
+
         it('records events emitted before and after starting recording', () => {
             sessionRecording.startIfEnabledOrStop()
             expect(loadScriptMock).toHaveBeenCalled()
diff --git a/src/extensions/replay/sessionrecording.ts b/src/extensions/replay/sessionrecording.ts
index 59700221f..dbad095eb 100644
--- a/src/extensions/replay/sessionrecording.ts
+++ b/src/extensions/replay/sessionrecording.ts
@@ -601,9 +601,14 @@ export class SessionRecording {
         const userSessionRecordingOptions = this.instance.config.session_recording
         for (const [key, value] of Object.entries(userSessionRecordingOptions || {})) {
             if (key in sessionRecordingOptions) {
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore
-                sessionRecordingOptions[key] = value
+                if (key === 'maskInputOptions') {
+                    // ensure password is set if not included
+                    sessionRecordingOptions.maskInputOptions = { password: true, ...value }
+                } else {
+                    // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                    // @ts-ignore
+                    sessionRecordingOptions[key] = value
+                }
             }
         }
 
diff --git a/src/posthog-core.ts b/src/posthog-core.ts
index 61346548e..1e47ff375 100644
--- a/src/posthog-core.ts
+++ b/src/posthog-core.ts
@@ -1713,7 +1713,7 @@ export class PostHog {
      *         blockSelector: null,
      *         ignoreClass: 'ph-ignore-input',
      *         maskAllInputs: true,
-     *         maskInputOptions: {},
+     *         maskInputOptions: {password: true},
      *         maskInputFn: null,
      *         slimDOMOptions: {},
      *         collectFonts: false,