security: never expose internal exceptions to API callers
All except blocks in user.py and events.py now log the real error server-side (via eventify_logger) and return a generic "An unexpected server error occurred." message to the client. Python tracebacks, model field names, and ORM errors are no longer visible in API responses. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -29,7 +29,7 @@ class RegisterView(View):
return JsonResponse({'errors': form.errors}, status=400)
except Exception as e:
log("error", "API registration exception", request=request, logger_data={"error": str(e)})
return JsonResponse({'error': str(e)}, status=500)
return JsonResponse({'error': 'An unexpected server error occurred. Please try again.'}, status=500)
@method_decorator(csrf_exempt, name='dispatch')
@@ -64,7 +64,7 @@ class WebRegisterView(View):
return JsonResponse({'errors': form.errors}, status=400)
except Exception as e:
log("error", "Web registration exception", request=request, logger_data={"error": str(e)})
return JsonResponse({'error': str(e)}, status=500)
return JsonResponse({'error': 'An unexpected server error occurred. Please try again.'}, status=500)
@method_decorator(csrf_exempt, name='dispatch')
@@ -108,7 +108,7 @@ class LoginView(View):
return JsonResponse(simplify_form_errors(form), status=401)
except Exception as e:
log("error", "API login exception", request=request, logger_data={"error": str(e)})
return JsonResponse({'error': str(e)}, status=500)
return JsonResponse({'error': 'An unexpected server error occurred. Please try again.'}, status=500)
@method_decorator(csrf_exempt, name='dispatch')
@@ -127,7 +127,8 @@ class StatusView(View):
})
except Exception as e:
return JsonResponse({"status": "error", "message": str(e)}, status=500)
log("error", "API status exception", request=request, logger_data={"error": str(e)})
return JsonResponse({"status": "error", "message": "An unexpected server error occurred."}, status=500)
@method_decorator(csrf_exempt, name='dispatch')
@@ -152,7 +153,7 @@ class LogoutView(View):
except Exception as e:
log("error", "API logout exception", request=request, logger_data={"error": str(e)})
return JsonResponse({"status": "error", "message": str(e)}, status=500)
return JsonResponse({"status": "error", "message": "An unexpected server error occurred."}, status=500)
@method_decorator(csrf_exempt, name='dispatch')
@@ -330,7 +331,8 @@ class UpdateProfileView(View):
}, status=400)
except Exception as e:
log("error", "API update profile exception", request=request, logger_data={"error": str(e)})
return JsonResponse({
'success': False,
'error': str(e)
'error': 'An unexpected server error occurred. Please try again.'
}, status=500)
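Review bot: The new server-side log call in this hunk, `log("error", "API update profile exception", request=request, logger_data={"error": str(e)})`, records only `str(e)`, so the exception type and traceback that the commit message says are being moved out of the response are not actually kept anywhere; `str(e)` is also empty for some exception classes, leaving an unactionable log entry. Include the full context, e.g. `logger_data={"error": repr(e), "traceback": traceback.format_exc()}` (needs `import traceback` at the top of the file, outside these hunks), or an exc_info-style argument if the eventify_logger `log` helper supports one — I cannot tell from this page. The same applies to the RegisterView, WebRegisterView, LoginView, StatusView and LogoutView hunks above. As a point of style, the generic message differs between handlers ("...Please try again." here and in the first three hunks, but not in StatusView/LogoutView); a single module-level constant such as `GENERIC_SERVER_ERROR = "An unexpected server error occurred. Please try again."` would keep the client-facing text consistent. Each enclosing view method begins outside its hunk.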