I want that if any validation breaks, then it should break my code and return with proper error message.

I used inbuilt validation function as below:

  Customer.validatesFormatOf('mobileno', {
    with: /^\+?([0-9]{2})\)?[-. ]?([0-9]{4})[-. ]?([0-9]{4})$/,
    message: 'Enter valid contact number'
  })

  Customer.validatesFormatOf('email', {
    with: /^\w+([\.-]?\w+)*@\w+([\.-]?\w+)*(\.\w{2,3})+$/,
    message: 'Enter valid Email'
  })

I have tried this with promise and callbacks too but result is negative.

I want that if my mobile no validation is true then only it will go for the email validation.

Description

I have enabled debug error output in my LoopBack 4 application by setting RestBindings.ERROR_WRITER_OPTIONS.
After this some errors resulted in no output at all. Just 500 response with zero content.

After some digging I've found that JSON.stringify was failing on circular references and it was taking the entire node process down. Thanks to pm2 it was automatically restarting.

Here's the error stack:

TypeError: Converting circular structure to JSON
    at JSON.stringify (<anonymous>)
    at sendJson (/labshare/storage-api/node_modules/strong-error-handler/lib/send-json.js:9:22)
    at Function.writeErrorToResponse (/labshare/storage-api/node_modules/strong-error-handler/lib/handler.js:69:3)
    at RejectProvider.action (/labshare/storage-api/node_modules/@loopback/rest/src/providers/reject.provider.ts:41:5)
    at MySequence.reject (/labshare/storage-api/node_modules/@loopback/rest/src/providers/reject.provider.ts:27:37)
    at MySequence.handle (/labshare/storage-api/src/sequence.ts:84:12)
    at processTicksAndRejections (internal/process/next_tick.js:81:5)

I'm going to make a PR to fix this.

See #40
This needs to be reopened and checked over.

My comment at the bottom shows that this bug is still present.

When we're writing remote methods on our models and explicitly returning an error with a statusCode and a message back up to the client, strong-error-handler should not be saying that there is an Unhandled Error, as we are clearly handling it with our methods, by the method defined in the loopback docs

Maybe if I get some free time later this week I can look into it, but for now one of the dedicated devs should really check this out.

Using the latest, loopback 3.6.0 locally and strongloop 6.0.3 globally.

Proposal from @bajtos on how to fix this issue - see #54 (comment)

As I see it, there are two parts

1. which errors to report (4xx, 5xx, or maybe only those with no explicit statusCode property)
2. what message to print

As for 1), we have deliberately decided to always print all errors, nothing's changing there.

As for 2), I agree that prefixing the log message with "Unhandled error" is misleading. I am proposing to change the message to Request {verb} {path} failed: {error} - see https://github.com/strongloop/strong-error-handler/blob/323cd4dfbffa3425d6d6bd00bd9ba93fbede5342/lib/logger.js

This issue is waiting for a volunteer to open a pull request and make the proposed change.

Description/Steps to reproduce

Hi, is it possible to extend xml error response to include custom messages instead of the current error template?

if (data.customError) {
    content = xml([data.message]); // assuming we're using xml library
  } else {
    content = js2xmlparser.parse('error', data);
  }

in lib/send-xml.js

and the error message used is:

{
  customError: true,
  message: {
    Response: [
      {
        _attr: { service: 'RoutePushService' }
      },
      {
        Head: 'ERR'
      },
      {
        ERROR: [
          {
            _attr: { code: '4001' }
          },
          'System data error or runtime exception'
        ]
      }
    ]
  }
}

Link to reproduction sandbox

Expected result

<Response service="RoutePushService">
    <Head>ERR</Head>
    <ERROR code="4001">System data error or runtime exception</ERROR>
</Response>

Additional information

https://github.com/strongloop/strong-remoting/blob/ac3093dcfbb787977ca0229b0f672703859e52e1/lib/rest-adapter.js#L394-L398

@bajtos do we want to preserve this behavior?
it fails a couple of test cases, or should we update the test cases?
https://github.com/strongloop/loopback/blob/70cec0755acc2b670987675c3bc63ecbfe9b473f/test/relations.integration.js#L266
https://github.com/strongloop/loopback/blob/70cec0755acc2b670987675c3bc63ecbfe9b473f/test/relations.integration.js#L1655

From #73

• After the release:
• Update places like loopback-workspace (both package.json and templates), loopback-sanbox to use the new major version of strong-error-handler.
• The same applies to other dependents - loopback dev-dependencies, strong-remoting dev-dependencies, etc.

Hi,

I am not sure if this issue belongs to strongloop or the strongloop error handler:

You can simply generate XSS-links by using the error handler. For example:

http://your-app.com/api/containers/images/download/<img onerror=alert(1) src=a>

This will produce an HTML document containing the image and the js-code in the error-title. If debug is set to true in the middleware the code gets rendered and executed three times.

Dependency setup:

"dependencies": {
    "compression": "^1.0.3",
    "cors": "^2.5.2",
    "gm": "^1.23.0",
    "helmet": "^1.3.0",
    "loopback": "^3.0.0",
    "loopback-boot": "^2.6.5",
    "loopback-component-explorer": "^4.0.0",
    "loopback-component-storage": "^3.2.0",
    "loopback-connector-postgresql": "^3.0.0",
    "loopback-ds-timestamp-mixin": "^3.4.1",
    "node-uuid": "^1.4.8",
    "serve-favicon": "^2.0.1",
    "strong-error-handler": "^2.0.0"
  },

Defined middleware:

{
  "final:after": {
    "strong-error-handler": {
      "params": {
        "debug": true,
        "log": true
      }
    }
  }
}

Bug or feature request

• Bug
• Feature request

Description of feature (or steps to reproduce if bug)

As of now, any error object that has no statusCode property will be handled as 5xx error and will not show error message in production.

This is a suggestion to show the message error for Assertion since the error thrown by assert is much used and not-so-simple to add statusCode property (can still be added using try-catch block, but to bothersome)

Link to sample repo to reproduce issue (if bug)

// debug: false
assert.ok(userId, 'userId is required');

Expected result

{
  "error": {
    "statusCode": 500,
    "name": "AssertionError",
    "message": "userId is required"
}

Actual result (if bug)

{
  "error": {
    "statusCode": 500,
    "name": "Internal Server Error"
}

Additional information (Node.js version, LoopBack version, etc)

For information purpose, I know this still can be achieved by try-catch block. But I am suggesting to handle it differently.

try {
  assert.ok(userId, 'userId is required');
} catch (error) {
  error.statusCode = 400;
  throw error;
}

Many thanks.

Hello World,

I'm writing an API that has long processing time, on some query I'd like to return a status 202 when request is pending and 201 when processing is done.

The problem I have is that strong-error-handler intercept the error < 400 and replace it by an error 500.

This is due to the line:
https://github.com/strongloop/strong-error-handler/blob/0ee193bb618f7d6a007d51f0c99e782a07d4093e/lib/data-builder.js#L69

I understand that the goal of strong-error-handler is to hide internal errors but 2xx or 3xx code are not really errors and I believe they should be shown to the user.

Could an option be added to prevent this behavior ? I would put this option in the remote method definition's json.

Implement HTML output using hard-coded templates shipped as part of this module.

See #1 for inspiration.

Customizing HTML templates is out of scope of this issue, see #3.

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Awaiting Schedule

These updates are awaiting their schedule. Click on a checkbox to get an update now.

• chore: lock file maintenance

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• chore: update dependency eslint to v9
• chore: update dependency supertest to v7

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

I am using swagger-express-middleware to validate incoming requests with loopback remote methods.
When swagger-express-middleware request-validator fails, it raises an error object with error.status being the response status code (i.e. 5xx, 4xx).

The error is then propagated through strong-error-handler which fills in status code again through

function fillStatusCode(data, err) {
  data.statusCode = err.statusCode || err.status;
  if (!data.statusCode || data.statusCode < 400)
    data.statusCode = 500;
}

the original error is then cloned in

/**
 * clone the error properties to the data objects
 * [err.name,  err.message, err.stack] are not enumerable properties
 * @param data Object to be altered
 * @param err Error Object
 */
function cloneAllProperties(data, err) {
  data.name = err.name;
  data.message = err.message;
  for (var p in err) {
    if ((p in data)) continue;
    data[p] = err[p];
  }
  // stack is appended last to ensure order is the same for response
  data.stack = err.stack;
};

This results in payload that looks like :

{
        "name": "Error",
        "message": "Missing required query parameter 'xxx'",
        "statusCode": 400,
        "status": 400
}

Additionally there are two functions namely toJSON and stack having stacktrace.

is there a way to address duplication of statuscode ?

is there a way to remove toJSON and stack from payload ?

I am on loopback 3.x version

Description/Steps to reproduce

i'm running an app and get an issue:

Error: Cannot find module 'http-status'
    at Function.Module._resolveFilename (module.js:485:15)
    at Function.Module._load (module.js:437:25)
    at Module.require (module.js:513:17)
    at require (internal/module.js:11:18)
    at Object.<anonymous> (/app/node_modules/strong-error-handler/lib/data-builder.js:9:18)
    at Module._compile (module.js:569:30)
    at Object.Module._extensions..js (module.js:580:10)
    at Module.load (module.js:503:32)
    at tryModuleLoad (module.js:466:12)
    at Function.Module._load (module.js:458:3)
    at Module.require (module.js:513:17)
    at require (internal/module.js:11:18)
    at Object.<anonymous> (/app/node_modules/strong-error-handler/lib/handler.js:11:25)
    at Module._compile (module.js:569:30)
    at Object.Module._extensions..js (module.js:580:10)
    at Module.load (module.js:503:32)

and everything works fine on local machine

Note i figure it out, but maybe it'll be helpful for you - it works well with node v.9.4.0 and crashing when i use node v.8.1.4

Link to reproduction sandbox

Expected result

Additional information

Template Literal is fastest, smallest and simplest template engine, because it use JS's literal template feature,

It's 55 times faster than EJS, and it also use less CPU and RAM ressources, so it may be a good idea to use it instead of EJS 😀

At the moment, the handler can render only HTML, JSON or plain-text responses. We should implement support for XML too.

Safe fields introduced in #41 allow a safeFields array in options to copy properties from an error to the response payload in production mode.

If the safeFields array contains statusCode, then 500 type errors (which don't have a status code on them) will cause undefined to be copied to the response json payload, resulting in an undefined status code and an error from express.

Either the statusCode property needs to be special cased, or the fillSafeFields method needs to fallback to the existing properties in data if the given safe key is undefined in the error.

Currently, the stack trace is printed out on separate lines. When using Docker and a log aggregator, it results in one error being split across multiple lines. I believe by adding a config option (logFormat, maybe?, with possible values of default and json), this can all be condensed to a single line.

I plan to open a PR soon, if this idea is not abhorrent to anyone.

I will focus on this function. I will add a format argument to the function signature.
https://github.com/strongloop/strong-error-handler/blob/e1a0f5954f8cded5774c86dd86aba55383a22424/lib/logger.js#L11-L22

Is it possible to use Portuguese for the error messages?

Description of feature (or steps to reproduce if bug)

Using loopback as an example, we can call POST with /users with an array of objects repeatedly such as below

[
  {
    "id": 1,
    "firstname": "Allen"
  },
  {
    "id": 2,
    "firstname": "Bob"
  }
]

with this middleware config:

"final:after": {
        "strong-error-handler": {
            "params": {
                "log": false,
                "safeFields": ["name", "message", "details"]
            }
        }
    }

Expected result

{
  "error": {
    "statusCode": 500,
    "name": "ArrayOfErrors",
    "message": "Failed with multiple errors, see `details` for more information.",
    "details": [
      {
        "name": "Error",
        "message": "ER_DUP_ENTRY: Duplicate entry '2' for key 'PRIMARY'",
        "code": "ER_DUP_ENTRY",
        "errno": 1062,
        "sqlState": "23000",
        "index": 0
      },
      {
        "name": "Error",
        "message": "ER_DUP_ENTRY: Duplicate entry '3' for key 'PRIMARY'",
        "code": "ER_DUP_ENTRY",
        "errno": 1062,
        "sqlState": "23000",
        "index": 0,
      }
    ]
  }
}

Actual result (if bug)

{
  "error": {
    "statusCode": 500
  }
}

Additional information (Node.js version, LoopBack version, etc)

"loopback": "^3.0.0",
"strong-error-handler": "^1.0.1"

Description/Steps to reproduce

npm install strong-error-handler, then npm audit

shows vulnerability in lodash in dependancy strong-globalize

Link to reproduction sandbox

N/A

Expected result

no vulnerabilities

Additional information

reported in strong-globalize strongloop/strong-globalize#139

Should update dependancy once udpated.

The migration from express error handler to strong-error-handler is a bit confusing. It needs more careful review, and proper steps in order to ensure proper migration.
The code snippets in the migration guide need to state when and where to be used.
What is the default option and what is a requirement and what is not.

The handleErrors: false part needs to be stated where and when to be used as well.

CC:/ @superkhau @ritch @crandmck

See strongloop/loopback#1650 (comment)

  // a custom JSON serializer function for producing JSON response bodies
  // @param sanitizedData: response data containing only safe properties
  // @param originalError: the original Error object
  jsonSerializer: function(sanitizedData, originalError) {
    if (originalError.name === 'ValidationError') {
      var details = sanitizedData.details || {};
      sanitizedData.issueCount =  details.codes && Object.keys(details.codes).length;
    }
    return sanitizedData;
  }

See strongloop/loopback#1650 (comment) for more details.

  // Array of fields (custom Error properties) that are safe to include
  // in response messages (both 4xx and 5xx).
  // "details" property is always included in 4xx responses (not in 5xx)
  safeFields: ['errorCode'],

Description

When installing this package an additional file named grafana-enterprise-9.2.4.darwin-amd64.tar.gz is seen under node_modules/strong-error-handler . But this file is not present in the source code

Steps to reproduce

• Create a new npm project: npm init

• npm i strong-error-handler

Expected result

No additional files should be seen in node_modules/strong-error-handler apart from files in source code

Actual result

Additional tar file grafana-enterprise-9.2.4.darwin-amd64.tar.gz is seen

Additional information

linux x64 18.12.1

Bug or feature request

• Bug
• Feature request

Description of feature (or steps to reproduce if bug)

Link to sample repo to reproduce issue (if bug)

Expected result

Actual result (if bug)

Additional information (Node.js version, LoopBack version, etc)

Customize html templates in strong-error-handler, see strongloop/loopback#1650 (comment) for details.

Configuration options:

// map of templates to use for rendering responses
views: {
  // the default view
  default: path.resolve(__dirname, 'views/error-default.jade'),
  404: path.resolve(__dirname, 'views/error-not-found.jade'),
  // etc.
},

// map of static files to send as a response
files: {
  // default: path.resolve(__dirname, 'public/error.html'),
  401: path.resolve(__dirname, 'views/error-unauthorized.html'),
  // etc.
},

Requires #5

see #31

Description/Steps to reproduce

As brought up in loopbackio/loopback-next#1598, strong-error-handler should be able to support expose property set in errors thrown with HttpError from http-errors module.

Its interaction with the debug setting in strong-error-handler is yet to be decided.

Hello.

I'm required to return error responses in the below format

{
  "code": "BAD_ARGUMENTS"
  ...
}

But currently send-json.js restricts us to the below format

{
  "error": {
    "code": "BAD_ARGUMENTS"
    ...
  }
}

Is there a solution to this that does not involve me maintaining multiple forks?

Thanks

Description of feature (or steps to reproduce if bug)

With the introduction of strong-error-handler in 3.0, we're seeing validation and access errors logging an "Unhandled error" to console. We consider the error to have been handled correctly, and so would like an easy way to suppress these messages for certain error codes (potentially all 4xx). I think this should be the default behavior - and at least easy to configure.

You can see the "unhandled error" being recorded here: https://github.com/strongloop/strong-error-handler/blob/master/lib/logger.js

You can find some extra context in this Google Groups discussion)

Link to sample repo to reproduce issue (if bug)

Instructions to replicate provided by Buck Bito in the Google Groups discussion

The quick test to reproduce with 2.38.0 or 3.2.1:

1. Use lb to create a fresh "api-server (A LoopBack API server with local User auth)"
2. cd into the project dir
3. node . (to start app)
4. Open API explorer in browser
5. Go to User > GET /Users and "Try it out!"

Expected result

Familiar error response body in the Explorer.

Actual result (if bug)

Familiar error response body in the Explorer and Unhandled Error in the console.

Additional information (Node.js version, LoopBack version, etc)

Description of feature (or steps to reproduce if bug)

negotiateContentProducer in lib/content-negotiation.js has its arguments in the incorrect order. It lists them in the comments as req, options, logWarning but in the signature as req, logWarning, options.

Added https://docs.strongloop.com/display/APIC/Using+strong-error-handler that incorporates the README content.

From @loay:

• The express error-handler was basically meant for development modes and we had to add few properties to disable stack traces in our Loopback modules in order to prevent leaking sensitive information. Strong-error-handler works for both environments as written in the description and can protect the leak of sensitive info in production.
• It is already in Loopback scafolldiing and gets generated with new loopback apps.
• I fail to see the relation with the debug strings, which is meant for debugging and not error handling.
  • Yes, but strong-error-handler has a "debug mode", and first sentence of README says "...for use in development (debug)..." so it begs the question. I think the key distinction that I was reaching for is that strong-error-handler only affects HTTP response content and return codes, NOT anything written to the console (by default). In contrast the LB debug strings only affect info printed to the console. ... That may be obvious to you (us), but not necc. to user immediately. Please confirm.

From @bajtos:
I think there should be a brief description of why someone should use this module.
See the information in strongloop/loopback#1650
It would be great to copy useful bits from that issue into the official LoopBack docs, possibly to strong-error-handler's README too.

Quoting from strongloop/loopback#2123 (comment)

please take this into account while working on the production-grade error handler, to make sure it correctly handles errors that are not Error instances.

We need to support an array of errors here. See how strong-remoting does it now and implement similar logic here: https://github.com/strongloop/strong-remoting/pull/289/files

Support plain-text response output.

See #1 for inspiration.

Is this only compatible with express?