Clean up Error Handler

[arb]

The current error handler spits back the entire Joi validation message which could be a pretty bad information leak as it contains the entire object.

The hapi response looks something like this:

{
  "statusCode": 400,
  "error": "Bad Request",
  "message": "child \"name\" fails because [\"name\" is not allowed to be empty]",
  "validation": {
    "source": "payload",
    "keys": [
      "name"
    ]
  }
}

[gonenduk]

I use Celebrate (Joi) to validate the endpoints input and Boom (made by the same person who made Joi) to report errors. With boom, the error information is not the error output. It has a special output.payload sub object which you send back to the client, while the rest of the info is for your own use (like writing to log files). I make sure to throw only Boom errors in my code, however Joi and system errors are not.. so my API error handler look like:

(err, req, res, next) => {
    const errPayload = Boom.wrap(err, err.isJoi ? 400 : 500).output.payload;
    if (errPayload.statusCode == 500) {
      logger.error(err.stack);
    }
    res.status(errPayload.statusCode).json(errPayload);
  }

In the code, I convert all errors to Boom errors (only if they are not ones already) and add the right status. Then I return the error output payload.

[arb]

Yeah that's a fine way to do it. In your case, using your own error handler would probably be the way to go as I'm not planning on introducing boom into this module. This bug is for specifically Celebrate.errors() which leaks the entire validated object back to the client.

I'll probably just end up copying what hapi does when it formats joi errors.

[arb]

After reviewing this, I've removed the bug label. Worse case scenario is the client gets back the sent object which they've already got. So no big deal.