fix: prevent sending raw errors in responses #24282
Conversation
|
@dhairyashiil is attempting to deploy a commit to the cal Team on Vercel. A member of the Team first needs to authorize it. |
WalkthroughThe change centralizes server-side error handling across multiple API handlers and one booking utility by importing and using getServerErrorFromUnknown to derive httpError.statusCode and httpError.message inside catch blocks. It replaces prior instanceof/Error or ad-hoc 500 branches with a unified error-mapping path across many app-store APIs (alby, giphy, googlevideo, hitpay, jitsivideo, paypal, sylapsvideo, wipemycalother, zapier), the integrations API route, and features/bookings loadUsers. Minor local tweaks: teamId/userId normalization in some admin-access calls and a small truthiness simplification in loadDynamicUsers. No exported/public signatures changed. Possibly related PRs
Pre-merge checks and finishing touches❌ Failed checks (1 warning)
✅ Passed checks (2 passed)
✨ Finishing touches
🧪 Generate unit tests (beta)
📜 Recent review detailsConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Disabled knowledge base sources:
📒 Files selected for processing (1)
🧰 Additional context used📓 Path-based instructions (3)**/*.ts📄 CodeRabbit inference engine (.cursor/rules/review.mdc)
Files:
**/*.{ts,tsx}📄 CodeRabbit inference engine (.cursor/rules/review.mdc)
Files:
**/*.{ts,tsx,js,jsx}⚙️ CodeRabbit configuration file
Files:
🧬 Code graph analysis (1)packages/app-store/hitpay/api/add.ts (1)
⏰ Context from checks skipped due to timeout of 180000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
🔇 Additional comments (2)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
📜 Review details
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Disabled knowledge base sources:
- Linear integration is disabled by default for public repositories
You can enable these sources in your CodeRabbit configuration.
📒 Files selected for processing (14)
apps/web/pages/api/integrations/[...args].ts(2 hunks)packages/app-store/alby/api/add.ts(2 hunks)packages/app-store/giphy/api/add.ts(2 hunks)packages/app-store/giphy/api/get.ts(2 hunks)packages/app-store/giphy/api/search.ts(2 hunks)packages/app-store/googlevideo/api/_getAdd.ts(2 hunks)packages/app-store/hitpay/api/add.ts(2 hunks)packages/app-store/jitsivideo/api/add.ts(3 hunks)packages/app-store/paypal/api/add.ts(3 hunks)packages/app-store/sylapsvideo/api/add.ts(2 hunks)packages/app-store/wipemycalother/api/add.ts(2 hunks)packages/app-store/wipemycalother/api/wipe.ts(2 hunks)packages/app-store/zapier/api/add.ts(2 hunks)packages/features/bookings/lib/handleNewBooking/loadUsers.ts(3 hunks)
🧰 Additional context used
📓 Path-based instructions (3)
**/*.ts
📄 CodeRabbit inference engine (.cursor/rules/review.mdc)
**/*.ts: For Prisma queries, only select data you need; never useinclude, always useselect
Ensure thecredential.keyfield is never returned from tRPC endpoints or APIs
Files:
packages/app-store/giphy/api/get.tspackages/app-store/hitpay/api/add.tspackages/app-store/googlevideo/api/_getAdd.tspackages/app-store/jitsivideo/api/add.tspackages/app-store/alby/api/add.tsapps/web/pages/api/integrations/[...args].tspackages/app-store/giphy/api/add.tspackages/app-store/zapier/api/add.tspackages/app-store/giphy/api/search.tspackages/app-store/sylapsvideo/api/add.tspackages/app-store/wipemycalother/api/add.tspackages/features/bookings/lib/handleNewBooking/loadUsers.tspackages/app-store/wipemycalother/api/wipe.tspackages/app-store/paypal/api/add.ts
**/*.{ts,tsx}
📄 CodeRabbit inference engine (.cursor/rules/review.mdc)
Flag excessive Day.js use in performance-critical code; prefer native Date or Day.js
.utc()in hot paths like loops
Files:
packages/app-store/giphy/api/get.tspackages/app-store/hitpay/api/add.tspackages/app-store/googlevideo/api/_getAdd.tspackages/app-store/jitsivideo/api/add.tspackages/app-store/alby/api/add.tsapps/web/pages/api/integrations/[...args].tspackages/app-store/giphy/api/add.tspackages/app-store/zapier/api/add.tspackages/app-store/giphy/api/search.tspackages/app-store/sylapsvideo/api/add.tspackages/app-store/wipemycalother/api/add.tspackages/features/bookings/lib/handleNewBooking/loadUsers.tspackages/app-store/wipemycalother/api/wipe.tspackages/app-store/paypal/api/add.ts
**/*.{ts,tsx,js,jsx}
⚙️ CodeRabbit configuration file
Flag default exports and encourage named exports. Named exports provide better tree-shaking, easier refactoring, and clearer imports. Exempt main components like pages, layouts, and components that serve as the primary export of a module.
Files:
packages/app-store/giphy/api/get.tspackages/app-store/hitpay/api/add.tspackages/app-store/googlevideo/api/_getAdd.tspackages/app-store/jitsivideo/api/add.tspackages/app-store/alby/api/add.tsapps/web/pages/api/integrations/[...args].tspackages/app-store/giphy/api/add.tspackages/app-store/zapier/api/add.tspackages/app-store/giphy/api/search.tspackages/app-store/sylapsvideo/api/add.tspackages/app-store/wipemycalother/api/add.tspackages/features/bookings/lib/handleNewBooking/loadUsers.tspackages/app-store/wipemycalother/api/wipe.tspackages/app-store/paypal/api/add.ts
🧬 Code graph analysis (14)
packages/app-store/giphy/api/get.ts (1)
packages/lib/server/getServerErrorFromUnknown.ts (1)
getServerErrorFromUnknown(39-98)
packages/app-store/hitpay/api/add.ts (1)
packages/lib/server/getServerErrorFromUnknown.ts (1)
getServerErrorFromUnknown(39-98)
packages/app-store/googlevideo/api/_getAdd.ts (1)
packages/lib/server/getServerErrorFromUnknown.ts (1)
getServerErrorFromUnknown(39-98)
packages/app-store/jitsivideo/api/add.ts (2)
packages/app-store/_utils/throwIfNotHaveAdminAccessToTeam.ts (1)
throwIfNotHaveAdminAccessToTeam(5-23)packages/lib/server/getServerErrorFromUnknown.ts (1)
getServerErrorFromUnknown(39-98)
packages/app-store/alby/api/add.ts (1)
packages/lib/server/getServerErrorFromUnknown.ts (1)
getServerErrorFromUnknown(39-98)
apps/web/pages/api/integrations/[...args].ts (1)
packages/lib/server/getServerErrorFromUnknown.ts (1)
getServerErrorFromUnknown(39-98)
packages/app-store/giphy/api/add.ts (1)
packages/lib/server/getServerErrorFromUnknown.ts (1)
getServerErrorFromUnknown(39-98)
packages/app-store/zapier/api/add.ts (1)
packages/lib/server/getServerErrorFromUnknown.ts (1)
getServerErrorFromUnknown(39-98)
packages/app-store/giphy/api/search.ts (1)
packages/lib/server/getServerErrorFromUnknown.ts (1)
getServerErrorFromUnknown(39-98)
packages/app-store/sylapsvideo/api/add.ts (1)
packages/lib/server/getServerErrorFromUnknown.ts (1)
getServerErrorFromUnknown(39-98)
packages/app-store/wipemycalother/api/add.ts (1)
packages/lib/server/getServerErrorFromUnknown.ts (1)
getServerErrorFromUnknown(39-98)
packages/features/bookings/lib/handleNewBooking/loadUsers.ts (1)
packages/lib/server/getServerErrorFromUnknown.ts (1)
getServerErrorFromUnknown(39-98)
packages/app-store/wipemycalother/api/wipe.ts (1)
packages/lib/server/getServerErrorFromUnknown.ts (1)
getServerErrorFromUnknown(39-98)
packages/app-store/paypal/api/add.ts (2)
packages/app-store/_utils/throwIfNotHaveAdminAccessToTeam.ts (1)
throwIfNotHaveAdminAccessToTeam(5-23)packages/lib/server/getServerErrorFromUnknown.ts (1)
getServerErrorFromUnknown(39-98)
⏰ Context from checks skipped due to timeout of 180000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
- GitHub Check: Install dependencies / Yarn install & cache
- GitHub Check: Codacy Static Code Analysis
🔇 Additional comments (25)
apps/web/pages/api/integrations/[...args].ts (2)
8-8: LGTM!The import for
getServerErrorFromUnknownis correctly added to support centralized error handling.
79-80: LGTM!The error handling is correctly standardized to use
getServerErrorFromUnknown, which prevents leaking raw error details to clients while providing appropriate HTTP status codes and safe error messages.packages/app-store/sylapsvideo/api/add.ts (2)
3-3: LGTM!The import for
getServerErrorFromUnknownis correctly added.
42-43: LGTM!The error handling is correctly standardized using
getServerErrorFromUnknown.packages/app-store/wipemycalother/api/wipe.ts (2)
5-5: LGTM!The import for
getServerErrorFromUnknownis correctly added.
59-60: LGTM!The error handling is correctly standardized using
getServerErrorFromUnknown.packages/app-store/zapier/api/add.ts (2)
3-3: LGTM!The import for
getServerErrorFromUnknownis correctly added.
33-34: LGTM!The error handling is correctly standardized using
getServerErrorFromUnknown.packages/app-store/wipemycalother/api/add.ts (2)
3-3: LGTM!The import for
getServerErrorFromUnknownis correctly added.
40-41: LGTM!The error handling is correctly standardized using
getServerErrorFromUnknown.packages/app-store/giphy/api/add.ts (2)
3-3: LGTM!The import for
getServerErrorFromUnknownis correctly added.
48-49: LGTM!The error handling is correctly standardized using
getServerErrorFromUnknown.packages/app-store/giphy/api/search.ts (2)
4-4: LGTM!The import for
getServerErrorFromUnknownis correctly added.
43-44: LGTM!The error handling is correctly standardized using
getServerErrorFromUnknown.packages/app-store/hitpay/api/add.ts (2)
3-3: LGTM!The import for
getServerErrorFromUnknownis correctly added.
36-37: LGTM!The error handling is correctly standardized using
getServerErrorFromUnknown.packages/app-store/googlevideo/api/_getAdd.ts (1)
3-3: LGTM! Improved error handling security.The import and usage of
getServerErrorFromUnknowncentralizes error handling and prevents raw error messages from being exposed in HTTP responses. The error mapper handles various error types (TRPCError, ZodError, PrismaError, HttpError) appropriately and redacts sensitive information.Also applies to: 36-37
packages/app-store/alby/api/add.ts (1)
3-3: LGTM! Consistent error handling improvement.The centralized error handling using
getServerErrorFromUnknownaligns with the PR objective to prevent raw error messages in responses and follows the same secure pattern applied across other API handlers.Also applies to: 36-37
packages/app-store/giphy/api/get.ts (1)
4-5: LGTM! Centralized error handling implemented.The use of
getServerErrorFromUnknownimproves error response security by preventing raw error messages from being exposed and ensuring consistent status code mapping.Also applies to: 40-41
packages/app-store/jitsivideo/api/add.ts (2)
4-4: LGTM! Centralized error handling implemented.The use of
getServerErrorFromUnknownensures consistent and secure error responses by preventing raw error messages from being exposed.Also applies to: 49-50
20-23: LGTM! Clear parameter formatting.The explicit parameter formatting with
teamId: teamId ? Number(teamId) : nullanduserId: req.session.user.idimproves readability while maintaining correct behavior per the function signature.packages/app-store/paypal/api/add.ts (2)
4-4: LGTM! Consistent error handling improvement.The centralized error handling using
getServerErrorFromUnknownaligns with the PR objective and provides secure, consistent error responses across API handlers.Also applies to: 47-48
16-19: LGTM! Clear parameter formatting.The explicit parameter formatting improves readability and maintains correct behavior per the
throwIfNotHaveAdminAccessToTeamfunction signature.packages/features/bookings/lib/handleNewBooking/loadUsers.ts (2)
9-9: LGTM! Centralized error handling in utility function.The use of
getServerErrorFromUnknownto transform and throw the error is appropriate for this utility function, allowing proper error propagation to callers with consistent error structure and redacted sensitive information.Also applies to: 72-73
101-101: LGTM! Cleaner truthiness check.Simplifying from
!!currentOrgDomain ? currentOrgDomain : nulltocurrentOrgDomain ? currentOrgDomain : nullis correct and more concise, as both expressions are equivalent for thestring | nulltype.
What does this PR do?
This PR addresses issues like #20915, I was not able to reproduce that error again as mentioned by Rajiv, it might have occurred due to a failed migration. So, I don’t think this is still an issue.
As per the discussion with Pallav and Rajiv, a try-catch block was necessary. After reviewing the codebase, I noticed that most places already have a catch block, but in many of them, error.message is being sent directly in the response. I also found a utility function getServerErrorFromUnknown, which seems to be designed for handling such cases. I’m not sure which file the issue mentioned above originated from, but I’ve tried to update as many files as possible where error.message was being sent directly in the response.
Discussion link: https://calendso.slack.com/archives/C08B8SYUY02/p1759573378526789?thread_ts=1759562047.239579&cid=C08B8SYUY02