New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
BUG: Exception handling differs depending on "trigger point" #3159
Comments
`InvalidHashException` should declare `400` as it's default status code (not the inherited `500` it has now), as that is clearly a case of a "bad request". See neos#3159
Scenarios
Possible solutionsChange configurationTo supress the writing of trace files, the following settings can be used: Neos:
Flow:
error:
exceptionHandler:
renderingGroups:
invalidHashExceptions:
matchingExceptionClassNames: ['Neos\Flow\Security\Exception\InvalidHashException']
options:
logException: false
viewOptions:
templatePathAndFilename: 'resource://Neos.Flow/Private/Templates/Error/Default.html'
variables:
errorDescription: 'Sorry, the HMAC you submitted was not valid.' Make
|
es, this looks annyoing, good that you take it on. I would definitely like to get sensible status codes and less logging if possible. |
Ok, the status code is done now. ✅ As far as the logging goes, I just realized we could disable logging of the exception (trace) for When it comes to "properly handling" this for the users in a visible way (as if you had entered wrong credentials): This should not happen if you just use the system without poking around in the internals (HMACS, …). Plus, if the referrer is tampered with, it cannot be used. So, I guess that can be left as it is. 🤷 |
That would be the solution I've dreamed from when I initially reported this issue, as it then would not fill up disks with irrelevant traces when some bot (again) tries to fumble around with the login form for the Neos backend. So, if I'm allowed to "vote": +1 from my side. |
This configures an `invalidHashExceptions` exception handler rendering group and configures it to not dump stack traces in `Production` context. For `Development` context stack traces are still written to ease debugging. See neos#3159
This configures a `noStacktraceExceptionGroup` exception handler rendering group and configures it to not dump stack traces in `Production` context. For `Development` context stack traces are still written to ease debugging. See neos#3159
This configures a `noStacktraceExceptionGroup` exception handler rendering group and configures it to not dump stack traces in `Production` context. For `Development` context stack traces are still written to ease debugging. The rendering group contains only the `InvalidHashException` for now. See neos#3159
See also neos/flow-development-collection#3159 Resolves: #41
Is there an existing issue for this?
Current Behavior
One example is the handling of login forms:
Other "wrong" requests show the same behaviour, e.g. when changing the controller reference of a POST request.
Expected Behavior
The error shown to the user should be consistent.
Steps To Reproduce
No response
Environment
- Flow: 7.3 & up
Anything else?
It is generally fine that Flow throws an error here. But the Neos backend login that is “tested” quite often, like any other reachable login page on the web, should in my opinion be a bit more resilient to such tampered requests. Showing the user the same or a similar error message like for a failed login would be OK. Optionally just logging this but not writing out exception dumps would be great. Optionally even ignoring that in the logs should be possible.
All the above applies to Production context. Having more verbose output in Development context is wanted/needed, of course.
Related issue from the past: #2681 (and fix in #2685)
The text was updated successfully, but these errors were encountered: