fix: tighten up error visibility handling (#14606)

Fixes #14377

## Non-public errors were returned from delete and update endpoints

Previously, non-public errors (`500` errors, or errors without
`isPublic: true` and `status`) were returned from the delete and update
endpoint. For security reason, this PR excludes the error messages from
the response.

This aligns bulk endpoints with others (e.g., deleteByID) that already
gate error details through `routeError.ts`.

## Loosen up isPublic check when throwing API error

`APIError` now infers `isPublic` from the status code unless explicitly
provided:
- Non-500 (e.g., 4xx): `isPublic` defaults to `true`.
- 500 or missing status: `isPublic` defaults to `false`.

You can still override by passing a boolean `isPublic` explicitly.
Previously, the only way to mark the error as public was:

`throw new APIError('error message', 401, null ,false)`

which feels unnecessary explicit.

Now, you can do this:

`throw new APIError('error message', 401)`

which previously resulted in `isPublic: false` and now results in
`isPublic: true`.

## Stricter error check in routeError

`routeError` now uses `isErrorPublic(err, config)` to decide whether to
expose the error message. Compared to the old condition (`!config.debug
&& !err.isPublic && status === 500)`, this is a bit stricter and easier
to understand. Errors with `isPublic === false` are now hidden even for
non-500 statuses (previously they were shown).

Author: AlessioGr

packages/payload/src/collections/config/types.ts

@@ -749,6 +749,7 @@ export type BulkOperationResult<TSlug extends CollectionSlug, TSelect extends Se
   docs: TransformCollectionWithSelect<TSlug, TSelect>[]
   errors: {
     id: DataFromCollectionSlug<TSlug>['id']
+    isPublic: boolean
     message: string
   }[]
 }

packages/payload/src/collections/endpoints/delete.ts

@@ -50,6 +50,15 @@ export const deleteHandler: PayloadHandler = async (req) => {
     )
   }
 
+  result.errors = result.errors.map((error) =>
+    error.isPublic
+      ? error
+      : {
+          ...error,
+          message: 'Something went wrong.',
+        },
+  )
+
   const total = result.docs.length + result.errors.length
 
   const message = req.t('error:unableToDeleteCount', {

packages/payload/src/collections/endpoints/update.ts

@@ -56,6 +56,15 @@ export const updateHandler: PayloadHandler = async (req) => {
     )
   }
 
+  result.errors = result.errors.map((error) =>
+    error.isPublic
+      ? error
+      : {
+          ...error,
+          message: 'Something went wrong.',
+        },
+  )
+
   const total = result.docs.length + result.errors.length
   const message = req.t('error:unableToUpdateCount', {
     count: result.errors.length,

packages/payload/src/collections/operations/delete.ts

@@ -22,6 +22,7 @@ import { appendNonTrashedFilter } from '../../utilities/appendNonTrashedFilter.j
 import { checkDocumentLockStatus } from '../../utilities/checkDocumentLockStatus.js'
 import { commitTransaction } from '../../utilities/commitTransaction.js'
 import { initTransaction } from '../../utilities/initTransaction.js'
+import { isErrorPublic } from '../../utilities/isErrorPublic.js'
 import { killTransaction } from '../../utilities/killTransaction.js'
 import { sanitizeSelect } from '../../utilities/sanitizeSelect.js'
 import { deleteCollectionVersions } from '../../versions/deleteCollectionVersions.js'
@@ -138,7 +139,7 @@ export const deleteOperation = async <
       where: fullWhere,
     })
 
-    const errors: { id: number | string; message: string }[] = []
+    const errors: BulkOperationResult<TSlug, TSelect>['errors'] = []
 
     const promises = docs.map(async (doc) => {
       let result
@@ -281,8 +282,11 @@ export const deleteOperation = async <
 
         return result
       } catch (error) {
+        const isPublic = error instanceof Error ? isErrorPublic(error, config) : false
+
         errors.push({
           id: doc.id,
+          isPublic,
           message: error instanceof Error ? error.message : 'Unknown error',
         })
       }

packages/payload/src/collections/operations/update.ts

@@ -23,6 +23,7 @@ import { unlinkTempFiles } from '../../uploads/unlinkTempFiles.js'
 import { appendNonTrashedFilter } from '../../utilities/appendNonTrashedFilter.js'
 import { commitTransaction } from '../../utilities/commitTransaction.js'
 import { initTransaction } from '../../utilities/initTransaction.js'
+import { isErrorPublic } from '../../utilities/isErrorPublic.js'
 import { killTransaction } from '../../utilities/killTransaction.js'
 import { sanitizeSelect } from '../../utilities/sanitizeSelect.js'
 import { buildVersionCollectionFields } from '../../versions/buildCollectionFields.js'
@@ -225,7 +226,7 @@ export const updateOperation = async <
       throwOnMissingFile: false,
     })
 
-    const errors: { id: number | string; message: string }[] = []
+    const errors: BulkOperationResult<TSlug, TSelect>['errors'] = []
 
     const promises = docs.map(async (docWithLocales) => {
       const { id } = docWithLocales
@@ -265,8 +266,11 @@ export const updateOperation = async <
 
         return updatedDoc
       } catch (error) {
+        const isPublic = error instanceof Error ? isErrorPublic(error, config) : false
+
         errors.push({
           id,
+          isPublic,
           message: error instanceof Error ? error.message : 'Unknown error',
         })
       }

packages/payload/src/errors/APIError.ts

@@ -47,8 +47,13 @@ export class APIError<
     message: string,
     status: number = httpStatus.INTERNAL_SERVER_ERROR,
     data: TData = null!,
-    isPublic = false,
+    isPublic?: boolean,
   ) {
-    super(message, status, data, isPublic)
+    super(
+      message,
+      status,
+      data,
+      typeof isPublic === 'boolean' ? isPublic : status !== httpStatus.INTERNAL_SERVER_ERROR,
+    )
   }
 }

packages/payload/src/utilities/isErrorPublic.ts

@@ -0,0 +1,30 @@
+import { status as httpStatus } from 'http-status'
+
+import type { SanitizedConfig } from '../config/types.js'
+
+type PayloadError = {
+  isPublic?: boolean
+  status?: number
+} & Error
+
+/**
+ * Determines if an error should be shown to the user.
+ */
+export function isErrorPublic(error: Error, config: SanitizedConfig) {
+  const payloadError = error as PayloadError
+
+  if (config.debug) {
+    return true
+  }
+  if (payloadError.isPublic === true) {
+    return true
+  }
+  if (payloadError.isPublic === false) {
+    return false
+  }
+  if (payloadError.status && payloadError.status !== httpStatus.INTERNAL_SERVER_ERROR) {
+    return true
+  }
+
+  return false
+}

packages/payload/src/utilities/routeError.ts

@@ -8,6 +8,7 @@ import { APIError } from '../errors/APIError.js'
 import { getPayload } from '../index.js'
 import { formatErrors } from './formatErrors.js'
 import { headersWithCors } from './headersWithCors.js'
+import { isErrorPublic } from './isErrorPublic.js'
 import { logError } from './logError.js'
 import { mergeHeaders } from './mergeHeaders.js'
 
@@ -68,7 +69,7 @@ export const routeError = async ({
 
   // Internal server errors can contain anything, including potentially sensitive data.
   // Therefore, error details will be hidden from the response unless `config.debug` is `true`
-  if (!config.debug && !err.isPublic && status === httpStatus.INTERNAL_SERVER_ERROR) {
+  if (!isErrorPublic(err, config)) {
     response = formatErrors(new APIError('Something went wrong.'))
   }
 

packages/ui/src/elements/Table/index.tsx

@@ -41,26 +41,29 @@ export const Table: React.FC<Props> = ({ appearance, BeforeTable, columns, data
         </thead>
         <tbody>
           {data &&
-            data?.map((row, rowIndex) => (
-              <tr
-                className={`row-${rowIndex + 1}`}
-                key={
-                  typeof row.id === 'string' || typeof row.id === 'number'
-                    ? String(row.id)
-                    : rowIndex
-                }
-              >
-                {activeColumns.map((col, colIndex) => {
-                  const { accessor } = col
+            data?.map((row, rowIndex) => {
+              return (
+                <tr
+                  className={`row-${rowIndex + 1}`}
+                  data-id={row.id}
+                  key={
+                    typeof row.id === 'string' || typeof row.id === 'number'
+                      ? String(row.id)
+                      : rowIndex
+                  }
+                >
+                  {activeColumns.map((col, colIndex) => {
+                    const { accessor } = col
 
-                  return (
-                    <td className={`cell-${accessor.replace(/\./g, '__')}`} key={colIndex}>
-                      {col.renderedCells[rowIndex]}
-                    </td>
-                  )
-                })}
-              </tr>
-            ))}
+                    return (
+                      <td className={`cell-${accessor.replace(/\./g, '__')}`} key={colIndex}>
+                        {col.renderedCells[rowIndex]}
+                      </td>
+                    )
+                  })}
+                </tr>
+              )
+            })}
         </tbody>
       </table>
     </div>

test/buildConfigWithDefaults.ts

@@ -131,22 +131,24 @@ export async function buildConfigWithDefaults(
       ],
     }),
     email: testEmailAdapter,
-    endpoints: [localAPIEndpoint, reInitEndpoint],
     secret: 'TEST_SECRET',
     sharp,
     telemetry: false,
     ...testConfig,
+    endpoints: [localAPIEndpoint, reInitEndpoint, ...(testConfig?.endpoints || [])],
     i18n: {
       supportedLanguages: {
         de,
         en,
         es,
+        ...(testConfig?.i18n?.supportedLanguages || {}),
       },
       ...(testConfig?.i18n || {}),
     },
     typescript: {
       declare: {
         ignoreTSError: true,
+        ...(testConfig?.typescript?.declare || {}),
       },
       ...testConfig?.typescript,
     },