fix(server): Hide internal server error messages from the client in p…

…roduction Closes: enisdenjo#31
ilijaNL · Oct 20, 2020 · 36fe405 · 36fe405
1 parent 50a7e0f
commit 36fe405
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/src/server.ts b/src/server.ts
@@ -220,6 +220,8 @@ export function createServer(
   options: ServerOptions,
   websocketOptionsOrServer: WebSocketServerOptions | WebSocketServer,
 ): Server {
+  const isProd = process.env.NODE_ENV === 'production';
+
   const {
     schema,
     context,
@@ -315,9 +317,11 @@ export function createServer(
       }
 
       if (isErrorEvent(errorOrClose)) {
-        // TODO-db-200805 leaking sensitive information by sending the error message too?
         // 1011: Internal Error
-        ctxRef.current.socket.close(1011, errorOrClose.message);
+        ctxRef.current.socket.close(
+          1011,
+          isProd ? 'Internal Error' : errorOrClose.message,
+        );
       }
 
       Object.entries(ctxRef.current.subscriptions).forEach(