From 6db24f9fac7cf11f2d5088f62ff2e472f76c7623 Mon Sep 17 00:00:00 2001
From: TJ Holowaychuk
Date: Thu, 12 Sep 2013 08:01:40 -0700
Subject: [PATCH] change ctx.error() to flag as err.expose meaning the application could respond with this message if it likes
---
 docs/api.md | 6 ++++++
 lib/context.js | 4 +++-
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/docs/api.md b/docs/api.md
index e6e148b..dd8a0b5 100644
--- a/docs/api.md
+++ b/docs/api.md
@@ -534,6 +534,12 @@ err.status = 400;
 throw err;
 ```
+ Note that these are user-level errors and are flagged with
+ `err.expose` meaning the messages are appropriate for
+ client responses, which is typically not the case for
+ error messages since you do not want to leak failure
+ details.
+
 ## Error Handling
 By default outputs all errors to stderr unless __NODE_ENV__ is "test". To perform custom error-handling logic such as centralized logging you
diff --git a/lib/context.js b/lib/context.js
index be4848c..1d4c14a 100644
--- a/lib/context.js
+++ b/lib/context.js
@@ -556,7 +556,8 @@ module.exports = {
 /**
 * Throw an error with `msg` and optional `status`
- * defaulting to 500.
+ * defaulting to 500. Note that these are user-level
+ * errors, and the message may be exposed to the client.
 *
 * this.error(403)
 * this.error('name required', 400)
@@ -576,6 +577,7 @@ module.exports = {
 var err = new Error(msg);
 err.status = status || 500;
+ err.expose = true;
 throw err;
 },
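Review bot: In the last hunk of lib/context.js, `err.expose = true;` is set unconditionally, so an error raised without a status (which falls back to 500 on the line above) is also flagged as safe to return to the client. A message written for a server-side failure and passed through `this.error()` would then be marked client-visible, which is the leak the new docs paragraph warns about. Consider tying the flag to the status class, e.g. `err.expose = err.status < 500;`, or stating in the doc comment that callers may only pass messages written for end users. The function's argument handling and the code that consumes `expose` are outside this hunk, so how the responder treats the flag should be confirmed there.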