Skip to content

fix(controllers): stop echoing raw error details to clients in 5xx bodies #140

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
CryptoJones merged 1 commit into from
May 19, 2026
Merged

fix(controllers): stop echoing raw error details to clients in 5xx bodies #140

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 7 additions & 7 deletions app/controllers/_bulk-helpers.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,7 @@ function makeBulkCreate({
isAuthKeyMasterKey = await auth.isMaster(authKey);
} catch (error) {
log.error({ err: error }, `${modelKey}: isMaster failed`);
return res.status(500).json({ message: "Error!", error: String(error) });
return res.status(500).json({ message: "Error!" });
}

const input = (req.body && Array.isArray(req.body[bodyKey]))
Expand All @@ -70,7 +70,7 @@ function makeBulkCreate({
authKeyCompanyId = await auth.getCompanyId(authKey);
} catch (error) {
log.error({ err: error }, `${modelKey}: getCompanyId failed`);
return res.status(500).json({ message: "Error!", error: String(error) });
return res.status(500).json({ message: "Error!" });
}
if (authKeyCompanyId === -1) {
return res.status(403).json({ message: "Invalid Authorization Key." });
Expand Down Expand Up @@ -122,7 +122,7 @@ function makeBulkCreate({
} catch (error) {
try { await t.rollback(); } catch (_) { /* swallow */ }
log.error({ err: error }, `${modelKey}.bulkCreate failed`);
return res.status(500).json({ message: "Error!", error: String(error) });
return res.status(500).json({ message: "Error!" });
}
};
}
Expand Down Expand Up @@ -185,7 +185,7 @@ function makeBulkCreateIndirect({
isAuthKeyMasterKey = await auth.isMaster(authKey);
} catch (error) {
log.error({ err: error }, `${modelKey}: isMaster failed`);
return res.status(500).json({ message: "Error!", error: String(error) });
return res.status(500).json({ message: "Error!" });
}

const input = (req.body && Array.isArray(req.body[bodyKey]))
Expand All @@ -201,7 +201,7 @@ function makeBulkCreateIndirect({
authKeyCompanyId = await auth.getCompanyId(authKey);
} catch (error) {
log.error({ err: error }, `${modelKey}: getCompanyId failed`);
return res.status(500).json({ message: "Error!", error: String(error) });
return res.status(500).json({ message: "Error!" });
}
if (authKeyCompanyId === -1) {
return res.status(403).json({ message: "Invalid Authorization Key." });
Expand All @@ -228,7 +228,7 @@ function makeBulkCreateIndirect({
parentCompId = await resolveParentCompanyId(parentId);
} catch (error) {
log.error({ err: error }, `${modelKey}: parent scope resolve failed`);
return res.status(500).json({ message: "Error!", error: String(error) });
return res.status(500).json({ message: "Error!" });
}
if (parentCompId === -1) {
return res.status(400).json({
Expand Down Expand Up @@ -263,7 +263,7 @@ function makeBulkCreateIndirect({
} catch (error) {
try { await t.rollback(); } catch (_) { /* swallow */ }
log.error({ err: error }, `${modelKey}.bulkCreate failed`);
return res.status(500).json({ message: "Error!", error: String(error) });
return res.status(500).json({ message: "Error!" });
}
};
}
Expand Down
18 changes: 9 additions & 9 deletions app/controllers/billingtypecontroller.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ exports.create = async (req, res) => {
isAuthKeyMasterKey = await IsMaster(authKey);
} catch (error) {
log.error({ err: error }, 'IsMaster failed');
return res.status(500).json({ message: "Error!", error: String(error) });
return res.status(500).json({ message: "Error!" });
}

const body = req.body || {};
Expand All @@ -41,7 +41,7 @@ exports.create = async (req, res) => {
authKeyCompanyId = await GetCompanyId(authKey);
} catch (error) {
log.error({ err: error }, 'GetCompanyId failed');
return res.status(500).json({ message: "Error!", error: String(error) });
return res.status(500).json({ message: "Error!" });
}
if (authKeyCompanyId === -1) {
return res.status(403).json({ message: "Invalid Authorization Key." });
Expand All @@ -67,7 +67,7 @@ exports.create = async (req, res) => {
return res.status(201).json({ message: "Billing type created.", billingType: created });
} catch (error) {
log.error({ err: error }, 'BillingType.create failed');
return res.status(500).json({ message: "Error!", error: String(error) });
return res.status(500).json({ message: "Error!" });
}
};

Expand All @@ -82,7 +82,7 @@ exports.getById = async (req, res) => {
billingType = await BillingType.findByPk(req.params.id);
} catch (error) {
log.error({ err: error }, 'BillingType.findByPk failed');
return res.status(500).json({ message: "Error!", error: String(error) });
return res.status(500).json({ message: "Error!" });
}
if (!billingType || billingType.btArch) {
return res.status(404).json({ message: "Not found." });
Expand Down Expand Up @@ -144,7 +144,7 @@ exports.listByCompany = async (req, res) => {
});
} catch (error) {
log.error({ err: error }, 'BillingType.findAndCountAll failed');
return res.status(500).json({ message: "Error!", error: String(error) });
return res.status(500).json({ message: "Error!" });
}
};

Expand All @@ -159,7 +159,7 @@ exports.update = async (req, res) => {
billingType = await BillingType.findByPk(req.params.id);
} catch (error) {
log.error({ err: error }, 'BillingType.findByPk failed');
return res.status(500).json({ message: "Error!", error: String(error) });
return res.status(500).json({ message: "Error!" });
}
if (!billingType || billingType.btArch) {
return res.status(404).json({ message: "Not found." });
Expand Down Expand Up @@ -187,7 +187,7 @@ exports.update = async (req, res) => {
return res.status(200).json({ message: "Updated.", billingType });
} catch (error) {
log.error({ err: error }, 'BillingType.update failed');
return res.status(500).json({ message: "Error!", error: String(error) });
return res.status(500).json({ message: "Error!" });
}
};

Expand All @@ -202,7 +202,7 @@ exports.remove = async (req, res) => {
billingType = await BillingType.findByPk(req.params.id);
} catch (error) {
log.error({ err: error }, 'BillingType.findByPk failed');
return res.status(500).json({ message: "Error!", error: String(error) });
return res.status(500).json({ message: "Error!" });
}
if (!billingType || billingType.btArch) {
return res.status(404).json({ message: "Not found." });
Expand All @@ -221,7 +221,7 @@ exports.remove = async (req, res) => {
return res.status(200).json({ message: "Archived.", id: billingType.btId });
} catch (error) {
log.error({ err: error }, 'BillingType archive failed');
return res.status(500).json({ message: "Error!", error: String(error) });
return res.status(500).json({ message: "Error!" });
}
};

Expand Down
14 changes: 7 additions & 7 deletions app/controllers/companycontroller.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,7 @@ exports.create = async (req, res) => {
return res.status(201).json({ message: "Company created.", company: created });
} catch (error) {
log.error({ err: error }, 'Company.create failed');
return res.status(500).json({ message: "Error!", error: String(error) });
return res.status(500).json({ message: "Error!" });
}
};

Expand All @@ -66,7 +66,7 @@ exports.getById = async (req, res) => {
company = await Company.findByPk(req.params.id);
} catch (error) {
log.error({ err: error }, 'Company.findByPk failed');
return res.status(500).json({ message: "Error!", error: String(error) });
return res.status(500).json({ message: "Error!" });
}
if (!company || company.compArch) {
return res.status(404).json({ message: "Not found." });
Expand Down Expand Up @@ -118,7 +118,7 @@ exports.list = async (req, res) => {
});
} catch (error) {
log.error({ err: error }, 'Company.findAndCountAll failed');
return res.status(500).json({ message: "Error!", error: String(error) });
return res.status(500).json({ message: "Error!" });
}
};

Expand All @@ -133,7 +133,7 @@ exports.update = async (req, res) => {
company = await Company.findByPk(req.params.id);
} catch (error) {
log.error({ err: error }, 'Company.findByPk failed');
return res.status(500).json({ message: "Error!", error: String(error) });
return res.status(500).json({ message: "Error!" });
}
if (!company || company.compArch) {
return res.status(404).json({ message: "Not found." });
Expand Down Expand Up @@ -161,7 +161,7 @@ exports.update = async (req, res) => {
return res.status(200).json({ message: "Updated.", company });
} catch (error) {
log.error({ err: error }, 'Company.update failed');
return res.status(500).json({ message: "Error!", error: String(error) });
return res.status(500).json({ message: "Error!" });
}
};

Expand All @@ -180,7 +180,7 @@ exports.remove = async (req, res) => {
company = await Company.findByPk(req.params.id);
} catch (error) {
log.error({ err: error }, 'Company.findByPk failed');
return res.status(500).json({ message: "Error!", error: String(error) });
return res.status(500).json({ message: "Error!" });
}
if (!company || company.compArch) {
return res.status(404).json({ message: "Not found." });
Expand All @@ -191,7 +191,7 @@ exports.remove = async (req, res) => {
return res.status(200).json({ message: "Archived.", id: company.compId });
} catch (error) {
log.error({ err: error }, 'Company archive failed');
return res.status(500).json({ message: "Error!", error: String(error) });
return res.status(500).json({ message: "Error!" });
}
};

Expand Down
32 changes: 16 additions & 16 deletions app/controllers/customercontroller.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,7 @@ exports.getCustomerById = async (req, res) => {
isAuthKeyMasterKey = await IsMaster(authKey);
} catch (error) {
log.error({ err: error }, 'IsMaster failed');
return res.status(500).json({ message: "Error!", error: String(error) });
return res.status(500).json({ message: "Error!" });
}

if (isAuthKeyMasterKey) {
Expand All @@ -60,7 +60,7 @@ exports.getCustomerById = async (req, res) => {
authKeyCompanyId = await GetCompanyId(authKey);
} catch (error) {
log.error({ err: error }, 'Company lookup failed');
return res.status(500).json({ message: "Error!", error: String(error) });
return res.status(500).json({ message: "Error!" });
}

if (!CompaniesMatch(custCompanyId, authKeyCompanyId)) {
Expand Down Expand Up @@ -110,7 +110,7 @@ exports.createCustomer = async (req, res) => {
isAuthKeyMasterKey = await IsMaster(authKey);
} catch (error) {
log.error({ err: error }, 'IsMaster failed');
return res.status(500).json({ message: "Error!", error: String(error) });
return res.status(500).json({ message: "Error!" });
}

// Whitelist of model fields we accept. Anything else in the body
Expand Down Expand Up @@ -138,7 +138,7 @@ exports.createCustomer = async (req, res) => {
authKeyCompanyId = await GetCompanyId(authKey);
} catch (error) {
log.error({ err: error }, 'GetCompanyId failed');
return res.status(500).json({ message: "Error!", error: String(error) });
return res.status(500).json({ message: "Error!" });
}
if (authKeyCompanyId === -1) {
return res.status(403).json({ message: "Invalid Authorization Key." });
Expand Down Expand Up @@ -171,7 +171,7 @@ exports.createCustomer = async (req, res) => {
});
} catch (error) {
log.error({ err: error }, 'Customer.create failed');
return res.status(500).json({ message: "Error!", error: String(error) });
return res.status(500).json({ message: "Error!" });
}
};

Expand All @@ -197,7 +197,7 @@ exports.getAllByCompanyId = async (req, res) => {
isAuthKeyMasterKey = await IsMaster(authKey);
} catch (error) {
log.error({ err: error }, 'IsMaster failed');
return res.status(500).json({ message: "Error!", error: String(error) });
return res.status(500).json({ message: "Error!" });
}

if (!isAuthKeyMasterKey) {
Expand All @@ -206,7 +206,7 @@ exports.getAllByCompanyId = async (req, res) => {
authKeyCompanyId = await GetCompanyId(authKey);
} catch (error) {
log.error({ err: error }, 'GetCompanyId failed');
return res.status(500).json({ message: "Error!", error: String(error) });
return res.status(500).json({ message: "Error!" });
}
// req.params.id arrives as a string; authKeyCompanyId comes back
// as an INT from Sequelize. Normalize both before comparing.
Expand Down Expand Up @@ -252,7 +252,7 @@ exports.getAllByCompanyId = async (req, res) => {
});
} catch (error) {
log.error({ err: error }, 'Customer.findAndCountAll failed');
return res.status(500).json({ message: "Error!", error: String(error) });
return res.status(500).json({ message: "Error!" });
}
};

Expand Down Expand Up @@ -283,7 +283,7 @@ exports.exportCsv = async (req, res) => {
isAuthKeyMasterKey = await IsMaster(authKey);
} catch (error) {
log.error({ err: error }, 'IsMaster failed');
return res.status(500).json({ message: "Error!", error: String(error) });
return res.status(500).json({ message: "Error!" });
}

let effectiveCompanyId;
Expand All @@ -301,7 +301,7 @@ exports.exportCsv = async (req, res) => {
authKeyCompanyId = await GetCompanyId(authKey);
} catch (error) {
log.error({ err: error }, 'GetCompanyId failed');
return res.status(500).json({ message: "Error!", error: String(error) });
return res.status(500).json({ message: "Error!" });
}
if (authKeyCompanyId === -1) {
return res.status(403).json({ message: "Invalid Authorization Key." });
Expand Down Expand Up @@ -335,7 +335,7 @@ exports.exportCsv = async (req, res) => {
});
} catch (error) {
log.error({ err: error }, 'Customer.findAll for CSV export failed');
return res.status(500).json({ message: "Error!", error: String(error) });
return res.status(500).json({ message: "Error!" });
}

const truncated = rows.length > limit;
Expand Down Expand Up @@ -426,7 +426,7 @@ exports.search = async (req, res) => {
isAuthKeyMasterKey = await IsMaster(authKey);
} catch (error) {
log.error({ err: error }, 'IsMaster failed');
return res.status(500).json({ message: "Error!", error: String(error) });
return res.status(500).json({ message: "Error!" });
}

// Resolve effective companyId from auth + query
Expand All @@ -445,7 +445,7 @@ exports.search = async (req, res) => {
authKeyCompanyId = await GetCompanyId(authKey);
} catch (error) {
log.error({ err: error }, 'GetCompanyId failed');
return res.status(500).json({ message: "Error!", error: String(error) });
return res.status(500).json({ message: "Error!" });
}
if (authKeyCompanyId === -1) {
return res.status(403).json({ message: "Invalid Authorization Key." });
Expand All @@ -471,7 +471,7 @@ exports.search = async (req, res) => {

const Op = db.Sequelize && db.Sequelize.Op;
if (!Op) {
return res.status(500).json({ message: "Error!", error: "Sequelize Op not available" });
return res.status(500).json({ message: "Error!" });
}

// ILIKE on Postgres; the `%` wildcards come from us, not the user.
Expand Down Expand Up @@ -505,7 +505,7 @@ exports.search = async (req, res) => {
});
} catch (error) {
log.error({ err: error }, 'Customer.search findAndCountAll failed');
return res.status(500).json({ message: "Error!", error: String(error) });
return res.status(500).json({ message: "Error!" });
}
};

Expand All @@ -520,7 +520,7 @@ async function findAndRespond(customerId, res) {
});
} catch (error) {
log.error({ err: error }, 'Customer.findByPk failed');
return res.status(500).json({ message: "Error!", error: String(error) });
return res.status(500).json({ message: "Error!" });
}
}

Expand Down
Loading