Option to return detailed error messages #1212

New Issue

xeruf · 2022-07-17T21:42:11Z

xeruf commented

2022-07-17 21:42:11 +00:00

As me and my colleagues are encountering a few 500's for some actions, it would be good to not always have to look into the log but have an option that the api returns a short error message (just the error message it is printing to the log anyways) - and of course make the frontend display it.

konrad added the

kind/feature

label 2022-07-18 10:24:32 +00:00

konrad commented

2022-07-18 10:26:39 +00:00

I'm not sure about this. I don't think we should report internal errors to the outside because it could give away internals to potential attackers but security through obscurity is always a bad idea.

Why would you want to do that, to make reporting easier?

I'm not sure about this. I don't think we should report internal errors to the outside because it could give away internals to potential attackers but security through obscurity is always a bad idea. Why would you want to do that, to make reporting easier?

xeruf commented

2022-07-18 12:01:09 +00:00

Yes, so users can say more than "I got an internal server error", because currently I have to either reproduce it or ask for a timestamp and plow through the logs.
With a proper error message I could diagnose the issue directly.
Our instance for example only has trusted users anyways through its SSO, so I don't see an issue there.

Yes, so users can say more than "I got an internal server error", because currently I have to either reproduce it or ask for a timestamp and plow through the logs. With a proper error message I could diagnose the issue directly. Our instance for example only has trusted users anyways through its SSO, so I don't see an issue there.

👍 1

konrad commented

2022-07-18 20:42:13 +00:00

Malicous users might as well trigger a 500 without being authenticated but that could mitigated by not exposing an internal instance to the public.

Still, I'm a bit hesitant to expose this to the outside. If the primary goal is to make reporting easier, what do you think of a button users can press if an error 500 occures which would send the logged error message to somewhere else? (Either directly to us or store it somewhere were the admin could grab it to post in an issue or something).

Or maybe just change the sentry integration a bit so that it reports all 500s automatically.

Malicous users might as well trigger a 500 without being authenticated but that could mitigated by not exposing an internal instance to the public. Still, I'm a bit hesitant to expose this to the outside. If the primary goal is to make reporting easier, what do you think of a button users can press if an error 500 occures which would send the logged error message to somewhere else? (Either directly to us or store it somewhere were the admin could grab it to post in an issue or something). Or maybe just change the sentry integration a bit so that it reports all 500s automatically.

xeruf commented

2022-07-18 21:03:53 +00:00

Can't this work in a way that it only returns details for authenticated users?

Yeah I guess using proper logging capturing is more appropriate (still struggling with loki... https://open.greenhost.net/stackspin/stackspin/-/issues/1340), but I also like empowering users - the error message might help them to find a temporary workaround.

Can't this work in a way that it only returns details for authenticated users? Yeah I guess using proper logging capturing is more appropriate (still struggling with loki... https://open.greenhost.net/stackspin/stackspin/-/issues/1340), but I also like empowering users - the error message might help them to find a temporary workaround.

konrad commented

2022-07-19 15:18:49 +00:00