Indicate shared secret mismatch only when debugging.

Co-authored-by: Barret Schloerke <barret@rstudio.com>
rstudio · Jun 4, 2021 · e467824 · e467824
1 parent bacf6ea
commit e467824
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 3 deletions.
diff --git a/R/shared-secret-filter.R b/R/shared-secret-filter.R
@@ -7,7 +7,14 @@ sharedSecretFilter <- function(req, res){
       res$status <- 400
       # Force the route to return as unboxed json
       res$serializer <- serializer_unboxed_json()
-      return(list(error = "Shared secret mismatch."))
+      # Using output similar to `defaultErrorHandler()`
+      li <- list(error = "400 - Bad request")
+
+      # Don't overly leak data unless they opt-in
+      if (is.function(req$pr$getDebug) && isTRUE(req$pr$getDebug())) {
+        li$message <- "Shared secret mismatch"
+      }
+      return(li)
     }
   }
 

diff --git a/tests/testthat/test-shared-secret.R b/tests/testthat/test-shared-secret.R
@@ -5,13 +5,23 @@ test_that("requests with shared secrets pass, w/o fail", {
 
   pr <- pr()
   pr$handle("GET", "/", function(){ 123 })
+  req <- make_req("GET", "/", pr = pr)
 
   # No shared secret
-  req <- make_req("GET", "/")
   res <- PlumberResponse$new()
   output <- pr$route(req, res)
   expect_equal(res$status, 400)
-  expect_equal(output, list(error = "Shared secret mismatch."))
+  expect_equal(output, list(error = "400 - Bad request"))
+
+  # When debugging, we get additional details in the error.
+  pr$setDebug(TRUE)
+  res <- PlumberResponse$new()
+  output <- pr$route(req, res)
+  expect_equal(res$status, 400)
+  expect_equal(output, list(
+    error = "400 - Bad request",
+    message = "Shared secret mismatch"))
+  pr$setDebug(FALSE)
 
   # Set shared secret
   assign("HTTP_PLUMBER_SHARED_SECRET", "abcdefg", envir=req)