4.x Error Middleware

[l0gicgate]

Preface

The original PR #2222 was closed and some of the concepts and code will be implemented in this PR.

Description

This PR eliminates all native error handlers and replaces it with ErrorMiddleware which handles all errors and provides multiple different renderers (HTML, XML, JSON, Plain Text) to enhance error display.

Implementation

use Slim\App;
use Slim\Middleware\ErrorMiddleware;
use Slim\Middleware\RoutingMiddleware;

$app = new App();

/*
 * The routing middleware should be added earlier than the ErrorMiddleware
 * Otherwise exceptions thrown from it will not be handled by the middleware
 */
$routingMiddleware = new RoutingMiddleware($app->getRouter());
$app->add($routingMiddleware);

/*
 * The constructor of `ErrorMiddleware` takes in 4 parameters
 * @param CallableResolverInterface $callableResolver -> Callable Resolver Interface of your choice
 * @param bool $displayErrorDetails -> Should be set to false in production
 * @param bool $logErrors -> Parameter is passed to the default ErrorHandler
 * @param bool $logErrorDetails -> Display error details in error log
 * which can be replaced by a callable of your choice.
 * Note: This middleware should be added last. It will not handle any exceptions/errors
 * for middleware added after it.
 */
$callableResolver = $app->getCallableResolver();
$errorMiddleware = new ErrorMiddleware($callableResolver, true, true, true);
$app->add($errorMiddleware);

...
$app->run();

Adding custom handlers for different named exceptions

...
$callableResolver = $app->getCallableResolver();
$errorMiddleware = new ErrorMiddleware($callableResolver, true, true, true);

$handler = function ($req, $res, $exception, $displayErrorDetails) {
    return $res->withJson(['error' => 'Caught MyNamedException']);
}
$errorMiddleware->setErrorHandler(MyNamedException::class, $handler);
$app->add($errorMiddleware);

Error Logging

If you would like to pipe in custom error logging to the default ErrorHandler that ships with Slim you can simply extend it and stub the logError() method.

namespace MyApp\Handlers;

use Slim\Handlers\ErrorHandler;

class MyErrorHandler extends ErrorHandler {
    public function logError($error)
    {
        // Insert custom error logging function.
    }
}

use MyApp\Handlers\MyErrorHandler;
use Slim\App;
use Slim\Middleware\ErrorMiddleware;

$app = new App();
$callableResolver = $app->getCallableResolver();

$myErrorHandler = new MyErrorHandler(true); // Constructor parameter is $logErrors (bool)
$errorMiddleware = new ErrorMiddleware($callableResolver, true, true, true);
$errorMiddleware->setDefaultErrorHandler($myErrorHandler);
$app->add($errorMiddleware);

...
$app->run();

Error Handling/Rendering

The rendering is finally decoupled from the handling. Everything still works the way it previously did. It will still detect the content-type and render things appropriately with the help of ErrorRenderers. The core ErrorHandler extends the AbstractErrorHandler class which has been completely refactored. By default it will call the appropriate ErrorRenderer for the supported content types. Someone can now provide their custom error renderer by extending the AbstractErrorHandler class and overloading the protected renderer variable from the parent.

class MyCustomErrorRenderer extends \Slim\Handlers\AbstractErrorRenderer
{
    public function render()
    {
        return 'My awesome format';
    }
}

class MyCustomErrorHandler extends \Slim\Handlers\ErrorHandler
{
    protected $renderer = MyCustomErrorRenderer::class;
}

HTTP Exceptions

I just think it makes sense to throw HTTP based exceptions within the application. These exceptions works with nicely with the proposed native renderers. They can each have a description and title attribute as well to provide a bit more insight when the native HTML renderer is invoked.

The base class HttpSpecializedException extends Exception and comes with the following sub classes :

• HttpBadRequestException
• HttpForbiddenException
• HttpInternalServerErrorException
• HttpNotAllowedException
• HttpNotFoundException
• HttpNotImplementedException
• HttpUnauthorizedException

The developer can extend the HttpSpecializedException class if they need any other response codes that we decide not to provide with the base repository. Example if you wanted a 504 gateway timeout exception that behaves like the native ones you would do the following:
I

class HttpForbiddenException extends HttpSpecializedException
{
    protected $code = 504;
    protected $message = 'Gateway Timeout.';
    protected $title = '504 Gateway Timeout';
    protected $description = 'Timed out before receiving response from the upstream server.';
}

Status

Work in progress

• Remove Existing Error Handling
• Implement Error Middleware
• Implement supporting tests
• [X ] Discussion and Code Review.

[coveralls]

Coverage increased (+1.1%) to 96.055% when pulling 8cefb1c on l0gicgate:4.x-ErrorMiddleware into bd6ef95 on slimphp:4.x.

[asheliahut]

Just some thoughts.

[asheliahut]

null === $this->request is better here no overhead of function call.

[asheliahut]

should stay ===

[asheliahut]

you can just return before the else and have this html set as a second return lowering cyclomatic complexity by 1.

[asheliahut]

if someone passes an exception code of 0 this will never execute.

[asheliahut]

if someone sets a message of '0' it also will fail to run.

[asheliahut]

I feel like this error log should also be able to take in an outside error logging, as in be able to take in a logger middleware of some kind.

[akrabat]

In general, I agree. A separate PR after this could allow for handling a PSR3 logger.

[asheliahut]

either-> one of the following

[asheliahut]

=== null

[asheliahut]

!=== null

[asheliahut]

either should be "one of the following"

[l0gicgate]

Thank you @asheliahut for the code review. I'm aware this is a large PR and I really appreciate you going through everything. I have made the suggested changes besides the suggestion you made for the AbstractErrorHandler::logError() method, If people want to implement logging they can simply extend the class and replace the ::logError() method. That's the main reason why I've left it abstract.

[odan]

Use \n instead of PHP_EOL to make integration tests compatible with windows.

[odan]

Add use RuntimeException on top to remove the backslash.

[odan]

There'd be plenty of room to put this statement in one line.
if (($renderer !== null && !class_exists($renderer)) {

[odan]

This extra variable ($e) is not really necessary.

[odan]

What for values can be passed here?

[l0gicgate]

I don't understand your question. Can you clarify?

[odan]

Hi!

I have some questions / ideas about this PR and the error handling in general.

1. If Slim 4 will provide a new Error middleware like in this PR, why do we still need the setErrorHandler() and setDefaultErrorHandler methods in the App class? There should be only one style how to add middleware to the stack and not multiple different methods. This is important, because I want to decide in which order I place my middleware handlers.

2. I don't like the PHP_EOL magic constant because the response will be different on windows/linux. The Response should be exactly the same for all platforms.

[odan]

The name of the middleware ErrorMiddleware implies that it handles PHP errors. But in PHP there is a small difference between Exceptions and Errors. If this middleware handles "only" Exceptions and no "Errors" then the it should be renamed to "ExceptionMiddleware".

The question is how to handle PHP errors (extended from Throwable)? Are you planning a new separate Middleware (e.g. ErrorMiddleware) or a generic "ThrowableMiddleware" for Exceptions and Errors together?

[designermonkey]

Interfaces should not have a constructor as you are limiting the ability to define implementation detail vs defining expected behaviour.

Instead, your methods render and renderWithBody should accept the exception instance.

[l0gicgate]

Thank you for pointing that out, I will refactor the interface accordingly!

[l0gicgate]

@odan

• I am going to replace all instances of PHP_EOL to \n. Thanks for pointing that out.
• The App class does not contain setErrorHandler() and setDefaultErrorHandler() anymore. The first commit on this PR removes all that.
• Definitely open for proper naming suggestion for the middleware's name. It does handle both Exception and Throwble by default.

Thank you for reviewing this PR!

[edudobay]

Hi! As I started to point out at #2393, I believe that there should be a separate writeToErrorLog (or similar) setting, that doesn’t need to subordinate to displayErrorDetails. A couple reasons for that:

• Newcomers might be confused when they turn of display of error details and things stop going to the error log.
• Anyways we might need to keep a log of errors even though they were displayed to the client (maybe the client was an API so we couldn’t really see the output).
• Writing to a log and rendering the error to the client seem like separate concerns to me. These could even be dealt with by separate classes; but anyway it seems to me that it would be more logical to have separate settings for separate (independent) behaviors.

If you agree with these concerns, you can refer to #2393 for some remarks I’ve already made and I’ll be happy to help with the implementation. (I already have a draft but it is written for Slim 3.)

[edudobay]

Maybe the details should always be displayed in the error log? To me it doesn’t make sense to log a generic "Application error" without details.

(Maybe we are starting to cross boundaries and violating SRP as @odan pointed out?)

[l0gicgate]

You do have a point. I can modify this so it’s always displaying the error details when writing to log if everyone is in favor of this option!

@odan @designermonkey @akrabat @asheliahut @geggleto

[odan]

On a production server I have to log all errors (into a file), but for security reasons I am not allowed to show the users any error details. Therefore, it is still necessary to be able to configure both options (displayErrorDetails and logging) independently of each other.

[akrabat]

For more advanced requirements, I expect that the user should be able to easily replace Slim's error handling with their own.

I don't want this component to turn into a massive thing as we're Slim! However, we should be reasonably flexible.

[l0gicgate]

So how about I decouple $displayErrorDetails from the logging and add another parameter $logErrorDetails which can be enabled or disabled. So for instance you may not want to display the error details to the end user but you may want to have them displayed in your log.

[odan]

@l0gicgate Sounds good

[l0gicgate]

@odan I've implemented $logErrorDetails in this commit

[akrabat]

/*
 * The routing middleware should always be added first
 * before the error handling middleware is added
 */

Why? I want the error handling middleware to be the outermost middleware as there will be other middleware before routing that I want the error handler to pick up.

[l0gicgate]

@akrabat what I meant by that is ErrorMiddleware should be the last one to be added. In the example RoutingMiddleware should be added first, but I don't mean that it should be added first in your whole application.

[akrabat]

Why are we ignoring code coverage for methods in App?

[l0gicgate]

Removed and added tests for those methods.

[akrabat]

I do not want $request or $response as properties on App. They were intentionally removed from Slim 3's DIC because they are immutable and people use them as if they aren't.

This also means that I don't want set/getRequest() and set/getResponse().

Also, run() and process() are separate for a reason: it allows someone to inject their own request and response when running Silm.

[l0gicgate]

Removed and modified run() signature to take in an optional $request parameter for test purposes.

[akrabat]

A number of bits and bobs in here to look at @l0gicgate.

If you'd like me to raise a PR against this one addressing them, let me know.

[akrabat]

Add a gap between each property. It just looks nicer. This applies to all files.

[l0gicgate]

Done.

[akrabat]

Do not store response. Each renderer should return a response that they have created.

[l0gicgate]

Done.

[akrabat]

Call $exception->setRequest($request); and then throw directly here.

[l0gicgate]

Done.

[akrabat]

Call $exception->setRequest($request); and then throw directly here.

I know it's a duplication from above, but will be clearer to read and remove the test for not null below.

[l0gicgate]

Done.

[akrabat]

Test for an instance of HttpException. That way we can be sure that the Request object in getRequest() is a PSR7 Request object.

[l0gicgate]

Done.

[akrabat]

Rename to HttpMethodNotAllowedException.

[l0gicgate]

Done.

[akrabat]

As the exception should return a response, this can go into the exception itself.

[akrabat]

Would rather have an interface and rename AbstractErrorHandler to ErrorHandler

[l0gicgate]

Done.

[akrabat]

Response not required.

[l0gicgate]

Actually, what if during the middleware progression a user did attach headers to the response, example if a CORS middleware appended headers, wouldn't we want to have the response object that reflects the correct state at the time the time the exception was thrown?

[akrabat]

Where does it come from given that the error handler is called from the catch() of the Middleware and that we won't have $response passed into the middleware in PSR-15?

[akrabat]

I think we just need render which returns a response.