Safer API error reporting

We don't know what unknown errors would report. They could expose sensitive data. So let's not pass that data on to the public while we have the full details in Bugsnag. Also, let's not catch Exception because that could catch interrupts to gracefully shut down the application.
2026-03-01 02:03:22 +00:00 · 2022-02-15 16:09:01 +11:00
parent 4aa70c1ffd
commit 12d989568e
2 changed files with 10 additions and 8 deletions
--- a/app/controllers/api/v1/base_controller.rb
+++ b/app/controllers/api/v1/base_controller.rb
@@ -14,7 +14,7 @@ module Api

      before_action :authenticate_user

-      rescue_from Exception, with: :error_during_processing
+      rescue_from StandardError, with: :error_during_processing
      rescue_from CanCan::AccessDenied, with: :unauthorized
      rescue_from ActiveRecord::RecordNotFound, with: :not_found
      rescue_from Pagy::VariableError, with: :invalid_pagination
@@ -46,8 +46,13 @@ module Api
      def error_during_processing(exception)
        Bugsnag.notify(exception)

-        render status: :unprocessable_entity,
-               json: json_api_error(exception.message, backtrace: exception.backtrace)
+        if Rails.env.development? || Rails.env.test?
+          render status: :unprocessable_entity,
+                 json: json_api_error(exception.message, meta: exception.backtrace)
+        else
+          render status: :unprocessable_entity,
+                 json: json_api_error(I18n.t(:unknown_error, scope: "api"))
+        end
      end

      def invalid_pagination(exception)
@@ -79,11 +84,7 @@ module Api
      end

      def json_api_error(message, **options)
-        error_response = { errors: [{ detail: message }] }
-        if options[:backtrace] && (Rails.env.development? || Rails.env.test?)
-          error_response.merge!(meta: [options[:backtrace]])
-        end
-        error_response
+        { errors: [{ detail: message }] }.merge(options)
      end

      def json_api_invalid(message, errors)
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -1409,6 +1409,7 @@ en:
 # API
 #
  api:
+    unknown_error: "Something went wrong. Our team has been notified."
    invalid_api_key: "Invalid API key (%{key}) specified."
    unauthorized: "You are not authorized to perform that action."
    invalid_resource: "Invalid resource. Please fix errors and try again."