AuthorizationMiddleware catch-all leaks internal exception messages in HTTP response

[marcguyer]

Summary

AuthorizationMiddleware::process() has a catch-all for \Exception (line 77–80 of src/AuthorizationMiddleware.php) that passes the raw $exception->getMessage() into an OAuthServerException, which then renders it in the HTTP response body as error_description. This can expose internal infrastructure details (e.g. database hostnames, IP addresses, ports, file paths) to end users.

Relevant code

} catch (BaseException $exception) {
    $response = $this->responseFactory->createResponse();
    return (new OAuthServerException($exception->getMessage(), 0, 'unknown_error', 500))
        ->generateHttpResponse($response);
}

For example, if the underlying database is unreachable, the exception message may contain something like:

SQLSTATE[HY000] [2002] Connection refused (tcp://db-host.internal:3306)

This ends up in the JSON response:

{
  "error": "unknown_error",
  "error_description": "SQLSTATE[HY000] [2002] Connection refused (tcp://db-host.internal:3306)",
  "message": "SQLSTATE[HY000] [2002] Connection refused (tcp://db-host.internal:3306)"
}

Comparison with TokenEndpointHandler

TokenEndpointHandler::handle() only catches OAuthServerException and does not have a catch-all for general exceptions. This means it does not have the same information disclosure issue — uncaught exceptions there would bubble up to the application's error handler, which typically sanitizes output.

Suggested fix

Replace $exception->getMessage() with a generic message:

} catch (BaseException $exception) {
    $response = $this->responseFactory->createResponse();
    return (new OAuthServerException('An internal error occurred', 0, 'unknown_error', 500))
        ->generateHttpResponse($response);
}

Additionally, it would be useful to accept an optional Psr\Log\LoggerInterface so the original exception can be logged rather than silently discarded:

public function __construct(
    AuthorizationServer $server,
    $responseFactory,
    ?LoggerInterface $logger = null
) {
    // ...
    $this->logger = $logger;
}

} catch (BaseException $exception) {
    $this->logger?->error('Authorization request error', ['exception' => $exception]);
    $response = $this->responseFactory->createResponse();
    return (new OAuthServerException('An internal error occurred', 0, 'unknown_error', 500))
        ->generateHttpResponse($response);
}

Impact

This is an information disclosure issue that affects any deployment where AuthorizationMiddleware is used and an unexpected exception (e.g. database connection failure, misconfiguration) occurs during validateAuthorizationRequest().

Version

Observed in 2.12.0, confirmed still present on main.