security: never expose internal exceptions to API callers

All except blocks in user.py and events.py now log the real error server-side (via eventify_logger) and return a generic "An unexpected server error occurred." message to the client. Python tracebacks, model field names, and ORM errors are no longer visible in API responses.
2026-04-03 09:23:26 +05:30
parent fc5aa555e5
commit a5bdde278d
2 changed files with 30 additions and 18 deletions
--- a/mobile_api/views/events.py
+++ b/mobile_api/views/events.py
@@ -13,6 +13,7 @@ from datetime import datetime, timedelta
 import calendar
 import math
 from mobile_api.utils import validate_token_and_get_user
+from eventify_logger.services import log


 def _haversine_km(lat1, lon1, lat2, lon2):
@@ -43,7 +44,8 @@ class EventTypeListAPIView(APIView):
                event_types.append(event_type_data)
            return JsonResponse({"status": "success", "event_types": event_types})
        except Exception as e:
-            return JsonResponse({"status": "error", "message": str(e)})
+            log("error", "EventTypeAPI exception", request=request, logger_data={"error": str(e)})
+            return JsonResponse({"status": "error", "message": "An unexpected server error occurred."})


 class EventListAPI(APIView):
@@ -198,7 +200,8 @@ class EventListAPI(APIView):
                "radius_km": used_radius,
            })
        except Exception as e:
-            return JsonResponse({"status": "error", "message": str(e)})
+            log("error", "EventListAPI exception", request=request, logger_data={"error": str(e)})
+            return JsonResponse({"status": "error", "message": "An unexpected server error occurred."})


 class EventDetailAPI(APIView):
@@ -224,7 +227,8 @@ class EventDetailAPI(APIView):
            event_data["images"] = event_images_list
            return JsonResponse(event_data)
        except Exception as e:
-            return JsonResponse({"status": "error", "message": str(e)})
+            log("error", "EventDetailAPI exception", request=request, logger_data={"error": str(e)})
+            return JsonResponse({"status": "error", "message": "An unexpected server error occurred."})


 class EventImagesListAPI(APIView):
@@ -252,8 +256,9 @@ class EventImagesListAPI(APIView):
            return JsonResponse(res_data)

        except Exception as e:
+            log("error", "EventImagesListAPI exception", request=request, logger_data={"error": str(e)})
            return JsonResponse(
-                {"status": "error", "message": str(e)},
+                {"status": "error", "message": "An unexpected server error occurred."},
            )


@@ -291,8 +296,9 @@ class EventsByCategoryAPI(APIView):
            })

        except Exception as e:
+            log("error", "EventsByDateAPI exception", request=request, logger_data={"error": str(e)})
            return JsonResponse(
-                {"status": "error", "message": str(e)},
+                {"status": "error", "message": "An unexpected server error occurred."},
            )


@@ -413,10 +419,11 @@ class EventsByMonthYearAPI(APIView):
                "total_number_of_events": total_events,
                "date_events": date_events
            })
-                
+
        except Exception as e:
+            log("error", "DateSheetAPI exception", request=request, logger_data={"error": str(e)})
            return JsonResponse(
-                {"status": "error", "message": str(e)},
+                {"status": "error", "message": "An unexpected server error occurred."},
            )


@@ -466,15 +473,16 @@ class EventsByDateAPI(APIView):
                    data_dict['thumb_img'] = ''
                
                event_list.append(data_dict)
-            
+
            return JsonResponse({
                "status": "success",
                "events": event_list
            })
-                
+
        except Exception as e:
+            log("error", "PincodeEventsAPI exception", request=request, logger_data={"error": str(e)})
            return JsonResponse(
-                {"status": "error", "message": str(e)},
+                {"status": "error", "message": "An unexpected server error occurred."},
            )


@@ -503,7 +511,8 @@ class FeaturedEventsAPI(APIView):

            return JsonResponse({"status": "success", "events": event_list})
        except Exception as e:
-            return JsonResponse({"status": "error", "message": str(e)})
+            log("error", "FeaturedEventsAPI exception", request=request, logger_data={"error": str(e)})
+            return JsonResponse({"status": "error", "message": "An unexpected server error occurred."})


@method_decorator(csrf_exempt, name='dispatch')
@@ -531,4 +540,5 @@ class TopEventsAPI(APIView):

            return JsonResponse({"status": "success", "events": event_list})
        except Exception as e:
-            return JsonResponse({"status": "error", "message": str(e)})
+            log("error", "TopEventsAPI exception", request=request, logger_data={"error": str(e)})
+            return JsonResponse({"status": "error", "message": "An unexpected server error occurred."})
--- a/mobile_api/views/user.py
+++ b/mobile_api/views/user.py
@@ -29,7 +29,7 @@ class RegisterView(View):
            return JsonResponse({'errors': form.errors}, status=400)
        except Exception as e:
            log("error", "API registration exception", request=request, logger_data={"error": str(e)})
-            return JsonResponse({'error': str(e)}, status=500)
+            return JsonResponse({'error': 'An unexpected server error occurred. Please try again.'}, status=500)


@method_decorator(csrf_exempt, name='dispatch')
@@ -64,7 +64,7 @@ class WebRegisterView(View):
            return JsonResponse({'errors': form.errors}, status=400)
        except Exception as e:
            log("error", "Web registration exception", request=request, logger_data={"error": str(e)})
-            return JsonResponse({'error': str(e)}, status=500)
+            return JsonResponse({'error': 'An unexpected server error occurred. Please try again.'}, status=500)


@method_decorator(csrf_exempt, name='dispatch')
@@ -108,7 +108,7 @@ class LoginView(View):
            return JsonResponse(simplify_form_errors(form), status=401)
        except Exception as e:
            log("error", "API login exception", request=request, logger_data={"error": str(e)})
-            return JsonResponse({'error': str(e)}, status=500)
+            return JsonResponse({'error': 'An unexpected server error occurred. Please try again.'}, status=500)


@method_decorator(csrf_exempt, name='dispatch')
@@ -127,7 +127,8 @@ class StatusView(View):
            })

        except Exception as e:
-            return JsonResponse({"status": "error", "message": str(e)}, status=500)
+            log("error", "API status exception", request=request, logger_data={"error": str(e)})
+            return JsonResponse({"status": "error", "message": "An unexpected server error occurred."}, status=500)


@method_decorator(csrf_exempt, name='dispatch')
@@ -152,7 +153,7 @@ class LogoutView(View):

        except Exception as e:
            log("error", "API logout exception", request=request, logger_data={"error": str(e)})
-            return JsonResponse({"status": "error", "message": str(e)}, status=500)
+            return JsonResponse({"status": "error", "message": "An unexpected server error occurred."}, status=500)


@method_decorator(csrf_exempt, name='dispatch')
@@ -330,7 +331,8 @@ class UpdateProfileView(View):
                }, status=400)

        except Exception as e:
+            log("error", "API update profile exception", request=request, logger_data={"error": str(e)})
            return JsonResponse({
                'success': False,
-                'error': str(e)
+                'error': 'An unexpected server error occurred. Please try again.'
            }, status=500)