Remove detailed error from error messages #8958
Comments
Thanks for opening this issue!
@mtrezza is the issue still open?
Yes
Can you assign this issue to me? @mtrezza
Please feel free to pick this up and post a comment for others to be aware that it's in the works.
I'm picking up this issue and will be working on it.
@mtrezza basically I have to do this in /src/Adapters/Auth, or is there any other folder also?
This relates to any response message across Parse Server where more information than necessary is returned. I suggest to do this with just 1 or a few messages, then open a PR for feedback, so you don't make a lot of changes and then have to modify them again.
New Feature / Enhancement Checklist
Current Limitation
For some requests, Parse Server returns more information than necessary in the error response. For example:
This is providing an outside attacker with more info than necessary.
Feature / Enhancement Description
Especially when it comes to access / permission errors, I suggest to make the error messages more ambiguous by generalizing them and removing any specific information. Instead of explaining why a request was unauthorized, the error should be only `unauthorized` without any further details. The detailed error message should only be logged server side.
The task would be:
This should not be a breaking change, as long as the error code does not change. Changes of error messages are not considered breaking as logic that relies on parsing error messages is considered bad practice anyway.
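Added example (not part of the original issue and not Parse Server's own code): a minimal sketch of the pattern the issue proposes, where the error code is passed through unchanged, the client message is generalized to `unauthorized`, and the detail goes only to the server log. The function name `toClientError`, the `log` callback and the set of access-related codes are assumptions made for illustration.

```javascript
// Hypothetical helper, not a Parse Server API.
// Constructed sample set of numeric codes treated as access / permission
// failures; substitute the codes your deployment uses for such errors.
const ACCESS_ERROR_CODES = new Set([119, 209]);
const GENERIC_ACCESS_MESSAGE = 'unauthorized';

// Build the response body for a failed request.
// - The numeric code is returned unchanged, so clients that branch on the
//   code (rather than parsing the message) are unaffected.
// - For access errors the detailed message is handed to the server-side
//   logger and replaced by the generic message in the response.
// - Errors without a numeric code are never echoed to the client, because
//   their messages may carry internal details.
function toClientError(err, log) {
  const hasCode = err !== null && typeof err === 'object' &&
    Number.isInteger(err.code);
  const detail = String((err && err.message) || err);

  if (!hasCode) {
    log({ level: 'error', code: null, detail });
    return { code: -1, error: 'internal error' }; // -1 is a placeholder code
  }
  if (ACCESS_ERROR_CODES.has(err.code)) {
    log({ level: 'warn', code: err.code, detail });
    return { code: err.code, error: GENERIC_ACCESS_MESSAGE };
  }
  // Non-access errors keep their message in this sketch.
  return { code: err.code, error: detail };
}

// Constructed sample input: the detail names a user and a class, which is
// what the generalized response should no longer reveal.
function demo() {
  const serverLog = [];
  const response = toClientError(
    { code: 119, message: 'constructed detail: user u1 may not write class Invoice' },
    (entry) => serverLog.push(entry)
  );
  return { response, serverLog };
}
```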