From e570b168e7020267682f570c7c40b947dae658b2 Mon Sep 17 00:00:00 2001
From: Steve Hu
Date: Fri, 17 Mar 2023 22:36:14 -0400
Subject: [PATCH] fixes #1662 update status.yml to add showMessage, showDescription and showMetadata flags
---
config/src/main/resources/config/config.yml | 1 -
.../java/com/networknt/status/Status.java | 2 +-
status/src/main/resources/config/status.yml | 21 ++++++++++++++++++-
3 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/config/src/main/resources/config/config.yml b/config/src/main/resources/config/config.yml
index 710e29e229..65fbaf903c 100644
--- a/config/src/main/resources/config/config.yml
+++ b/config/src/main/resources/config/config.yml
@@ -14,7 +14,6 @@ exclusionConfigFileList: - openapi - values - - status decryptorClass: com.networknt.decrypt.AESDecryptor # com.networknt.decrypt.ManualAESDecryptor
diff --git a/status/src/main/java/com/networknt/status/Status.java b/status/src/main/java/com/networknt/status/Status.java
index d9e8d3c080..f3e1e2ab43 100644
--- a/status/src/main/java/com/networknt/status/Status.java
+++ b/status/src/main/java/com/networknt/status/Status.java
@@ -311,7 +311,7 @@ public static void reload() {
 * status before customizing it. There are several organizations that have their own customized
 * wrapper to translate the status code to something else in order to hide the real error message
 * for security reasons.
- * @return
+ * @return a map of config entries
 */
 public static Map getConfig() {
 return config;
diff --git a/status/src/main/resources/config/status.yml b/status/src/main/resources/config/status.yml
index 6611b06544..a749fb7b2b 100644
--- a/status/src/main/resources/config/status.yml
+++ b/status/src/main/resources/config/status.yml
@@ -1,4 +1,23 @@
----
+# To control show or hide message field in the following error. Some organizations do not want to expose
+# the error message to allow the hackers to guess how the server is doing with invalid requests.
+showMessage: ${status.showMessage:true}
+# To control show or hide description field in the following error. Some organizations do not want to expose
+# the error description to allow the hackers to guess how the server is doing with invalid requests.
+showDescription: ${status.showDescription:true}
+# To control show or hide metadata field in the error. Light-4j default status code does not have metadata
+# defined as below. However, user defined error could have metadata that is a JSON object. If you do not want
+# to expose the error metadata to allow the hackers to guess how the server is doing with invalid requests, you
+# can turn it off with is flag. Here is an example of metadata in YAML format
+# ERR10000:
+# statusCode: 401
+# code: ERR10000
+# message: INVALID_AUTH_TOKEN
+# description: Incorrect signature or malformed token in authorization header
+# metadata:
+# link: https://lightapi.net/error/ERR10000
+showMetadata: ${status.showMetadata:true}
+
+# The rest of the content is the built-in error code of light-4j platform.
 SUC10200:
 statusCode: 200
 code: SUC10200
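Review bot: All three new flags default to `true`, so the message, description and metadata fields keep going out in error responses until an operator overrides `status.showMessage`, `status.showDescription` or `status.showMetadata`; the comments should state that hiding is opt-in, e.g. `# Defaults to true (field is returned); set status.showMessage to false to omit it from error responses.` Nothing in this patch reads the new keys (the Status.java hunk only touches a Javadoc line), so it is worth confirming that the response serialization honours them, otherwise setting a flag to false gives a false sense of hardening. Code that walks the map returned by `getConfig()` should also be checked for tolerating three top-level boolean entries next to the error-code maps. The placeholders presumably resolve only because the same commit removes `status` from `exclusionConfigFileList` in config.yml, which would also mean a customised status.yml carrying a literal `${...}` in a message or description is now treated as an injection placeholder. In the metadata comment, `with is flag` should read `with this flag`.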