-
Notifications
You must be signed in to change notification settings - Fork 36
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow safeFields to work with arrays #73
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IIUC, this change will always include all error properties in the response. That would be a security vulnerability!
Please rework the patch to ensure that:
- in debug mode, all error properties are sent in the response
- in production mode, only error properties listed in
safeFields
are sent in the response
I think the existing test is mostly covering the first debug-mode case, you will need to add another test to cover the production mode.
Please note that |
From what I'm understanding,
I guess it's rather a minute detail |
This is a good question! Since we want to include save details about errors in the array, I feel it's better to signal to the consumers that the error response is of type |
@shimks I'd like to propose an alternative implementation that leverages Rather than trying to explain it, I figured out it will be faster to implement the changes myself. I added a new commit to your feature branch - see 44fc5fc. Please let me know what do you think about such proposal. |
message: 'The model instance is not valid.', | ||
name: 'ValidationError', | ||
code: 'VALIDATION_ERROR', | ||
details: 'some details', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please notice that for 4xx errors, we always include additional fields beyond safeFields
. If we are going to list individual errors in production (debug=false) mode, then I think we should apply the same rules.
{statusCode: 500, message: 'Internal Server Error'}, | ||
{statusCode: 500, message: 'Internal Server Error'}, | ||
{statusCode: 500, message: 'Internal Server Error'}, | ||
]); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a bit ugly. Before, we would return a short error response:
{
error: {
statusCode: 500,
message: 'Internal Server Error',
},
});
Now we are returning more details, but these details are not really helpful:
{
error: {
statusCode: 500,
message: 'Internal Server Error',
details: [
{statusCode: 500, message: 'Internal Server Error'},
{statusCode: 500, message: 'Internal Server Error'},
{statusCode: 500, message: 'Internal Server Error'},
],
}
}
It may be possible to implement some heuristics to omit these "generic" entries from the output, but don't think it's worth the effort and additional complexity.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agreed
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Your new commit looks good to me. I can merge if you're ok with the commit as well.
A question on the side, are we able to use const
with lb3 related packages? I recall there being talks of dropping node 4 but I don't remember what came of it.
Yes, we should use
Let's do it! Please squash the commits and preserve information about my (co)authorship. |
@slnode test please |
The downstream test for |
Sure. Just make sure to create the subsequent PR soon, so that we don't have strong-remoting tests failing for too long. |
@shimks I think we should release this change as semver-major, to ensure we don't accidentally break somebody's clients expecting the old format. Thoughts? If we go down that route, then we should also:
The benefit is clear - we won't break any CI builds, because the fix of strong-remoting tests will go hand-in-hand with the upgrade to a newer strong-error-handler version. |
That sounds good to me. I can open the follow up PRs for dropping node 4 (if not done already) and updating to the latest dependencies after I land this one. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
💯
Co-authored-by: Miroslav Bajtos <mbajtoss@gmail.com>
Description
Previously when an array of errors are encountered, full information on the errors was not revealed to the response unless
debug
mode was specifically enabled; even ifsafeFields
was set the properties in it would not show in the response. This PR fixes this.Related issues
Checklist
guide