fix(handler): Stringify errors by exposing only the message

enisdenjo · enisdenjo · commit cabf8a98b7e2 · 2023-04-14T01:55:13.000+02:00
diff --git a/src/__tests__/handler.ts b/src/__tests__/handler.ts
@@ -175,3 +175,16 @@ it('should replace the validation rules when providing a function', async () =>
     }
   `);
 });
+
+it('should print plain errors in detail', async () => {
+  const server = startTServer({});
+  const url = new URL(server.url);
+  const result = await fetch(url.toString(), {
+    method: 'POST',
+    headers: { 'content-type': 'application/json' },
+    // missing body
+  });
+  await expect(result.text()).resolves.toMatchInlineSnapshot(
+    `"{"errors":[{"message":"Unparsable JSON body"}]}"`,
+  );
+});
diff --git a/src/handler.ts b/src/handler.ts
@@ -25,6 +25,7 @@ import {
   isExecutionResult,
   isGraphQLError,
   isObject,
+  jsonErrorReplacer,
 } from './utils';
 
 /**
@@ -726,7 +727,7 @@ export function makeResponse(
     !isGraphQLError(resultOrErrors)
   ) {
     return [
-      JSON.stringify({ errors: [resultOrErrors] }),
+      JSON.stringify({ errors: [resultOrErrors] }, jsonErrorReplacer),
       {
         status: 400,
         statusText: 'Bad Request',
@@ -743,7 +744,7 @@ export function makeResponse(
     : null;
   if (errors) {
     return [
-      JSON.stringify({ errors }),
+      JSON.stringify({ errors }, jsonErrorReplacer),
       {
         ...(acceptedMediaType === 'application/json'
           ? {
@@ -765,7 +766,7 @@ export function makeResponse(
   }
 
   return [
-    JSON.stringify(resultOrErrors),
+    JSON.stringify(resultOrErrors, jsonErrorReplacer),
     {
       status: 200,
       statusText: 'OK',
diff --git a/src/utils.ts b/src/utils.ts
@@ -68,3 +68,19 @@ export function isAsyncIterable<T = unknown>(
 ): val is AsyncIterable<T> {
   return typeof Object(val)[Symbol.asyncIterator] === 'function';
 }
+
+/** @private */
+export function jsonErrorReplacer(_key: string, val: any) {
+  if (
+    val instanceof Error &&
+    // GraphQL errors implement their own stringer
+    !isGraphQLError(val)
+  ) {
+    return {
+      // name: val.name, name is included in message
+      message: val.message,
+      // stack: val.stack, can leak sensitive details
+    };
+  }
+  return val;
+}
