Option to return detailed error messages #1212

Open
opened 3 months ago by xeruf · 5 comments
xeruf commented 3 months ago

As me and my colleagues are encountering a few 500's for some actions, it would be good to not always have to look into the log but have an option that the api returns a short error message (just the error message it is printing to the log anyways) - and of course make the frontend display it.

As me and my colleagues are encountering a few 500's for some actions, it would be good to not always have to look into the log but have an option that the api returns a short error message (just the error message it is printing to the log anyways) - and of course make the frontend display it.
konrad added the
kind/feature
label 3 months ago
Owner

I'm not sure about this. I don't think we should report internal errors to the outside because it could give away internals to potential attackers but security through obscurity is always a bad idea.

Why would you want to do that, to make reporting easier?

I'm not sure about this. I don't think we should report internal errors to the outside because it could give away internals to potential attackers but security through obscurity is always a bad idea. Why would you want to do that, to make reporting easier?
Poster

Yes, so users can say more than "I got an internal server error", because currently I have to either reproduce it or ask for a timestamp and plow through the logs.
With a proper error message I could diagnose the issue directly.
Our instance for example only has trusted users anyways through its SSO, so I don't see an issue there.

Yes, so users can say more than "I got an internal server error", because currently I have to either reproduce it or ask for a timestamp and plow through the logs. With a proper error message I could diagnose the issue directly. Our instance for example only has trusted users anyways through its SSO, so I don't see an issue there.
Owner

Malicous users might as well trigger a 500 without being authenticated but that could mitigated by not exposing an internal instance to the public.

Still, I'm a bit hesitant to expose this to the outside. If the primary goal is to make reporting easier, what do you think of a button users can press if an error 500 occures which would send the logged error message to somewhere else? (Either directly to us or store it somewhere were the admin could grab it to post in an issue or something).

Or maybe just change the sentry integration a bit so that it reports all 500s automatically.

Malicous users might as well trigger a 500 without being authenticated but that could mitigated by not exposing an internal instance to the public. Still, I'm a bit hesitant to expose this to the outside. If the primary goal is to make reporting easier, what do you think of a button users can press if an error 500 occures which would send the logged error message to somewhere else? (Either directly to us or store it somewhere were the admin could grab it to post in an issue or something). Or maybe just change the sentry integration a bit so that it reports all 500s automatically.
Poster

Can't this work in a way that it only returns details for authenticated users?

Yeah I guess using proper logging capturing is more appropriate (still struggling with loki... https://open.greenhost.net/stackspin/stackspin/-/issues/1340), but I also like empowering users - the error message might help them to find a temporary workaround.

Can't this work in a way that it only returns details for authenticated users? Yeah I guess using proper logging capturing is more appropriate (still struggling with loki... https://open.greenhost.net/stackspin/stackspin/-/issues/1340), but I also like empowering users - the error message might help them to find a temporary workaround.
Owner

Can't this work in a way that it only returns details for authenticated users?

I think we could do that.

> Can't this work in a way that it only returns details for authenticated users? I think we could do that.
Sign in to join this conversation.
No Milestone
No Assignees
2 Participants
Notifications
Due Date

No due date set.

Dependencies

No dependencies set.

Reference: vikunja/api#1212
Loading…
There is no content yet.