Closed zwippie closed 3 years ago
Those should be converted to ActionClauseError or CastError, which is status 4xx and should not be reported by default. If it is, you can ignore it in your reporting tools. If you get another error, please post the exception here. Thanks!
TLDR: Prevent runtime error when malformed login params are received, to prevent leaking those possibly sensitive params to logs or external monitoring services.
Scenario: User/Client wants to log in but it sends the credentials in a wrong format, for example the `email` and `password` are not wrapped in a map with a `user` key, or `password` is misspelled as `pass`, anything. Some reasons: developer implemented specs poorly, specs have changed, hacking attempt, dev playing with curl or some API-explorer tool. Anyway...
The way `UserSessionController#create` is defined, things will raise an error if you throw malformed params to it.
This is fine, until you connect a monitoring service to your app (like appsignal) and (while sensitive keys are filtered from params and session_data) these incorrect params show up in the error message in an error report. Oops.
Your thoughts please. Is this a real issue or am I being overly sensitive on what most probably would be a stupid developer mistake anyway (sending malformed params)?
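The leak described in this issue, as an added example that is not part of the original post or the project's code: a bare match on the params raises `MatchError`, whose message embeds the whole term, while a fallback clause returns a constant error. The `LoginParams` module, its function names and the sample values are assumptions made for illustration.

```elixir
# Added illustration; module and function names are hypothetical.
defmodule LoginParams do
  # Strict version: a bare match on the expected shape. On malformed input
  # this raises MatchError, and the exception message embeds the whole term.
  def strict(%{"user" => user_params}) do
    %{"email" => email, "password" => password} = user_params
    {:ok, email, password}
  end

  # Defensive version: only well-formed binaries match; everything else
  # collapses to a constant error that carries no request data.
  def safe(%{"user" => %{"email" => email, "password" => password}})
      when is_binary(email) and is_binary(password) do
    {:ok, email, password}
  end

  def safe(_params), do: {:error, :invalid_params}
end

# Constructed sample input: "password" misspelled as "pass".
malformed = %{"user" => %{"email" => "a@example.com", "pass" => "hunter2"}}

leaked =
  try do
    LoginParams.strict(malformed)
  rescue
    e in MatchError -> Exception.message(e)
  end

# The secret is now part of the error text an error reporter would receive,
# even though key-based param filtering never saw a "password" key.
true = String.contains?(leaked, "hunter2")

# The defensive version returns a fixed atom instead of raising.
{:error, :invalid_params} = LoginParams.safe(malformed)
{:error, :invalid_params} = LoginParams.safe(%{"email" => "a@example.com"})

{:ok, "a@example.com", "s3cret"} =
  LoginParams.safe(%{"user" => %{"email" => "a@example.com", "password" => "s3cret"}})
```

In a controller, the fallback clause would map `{:error, :invalid_params}` to a 4xx response, so nothing derived from the request body reaches the exception message.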