security: never expose internal exceptions to API callers

All except blocks in user.py and events.py now log the real
error server-side (via eventify_logger) and return a generic
"An unexpected server error occurred." message to the client.
Python tracebacks, model field names, and ORM errors are no
longer visible in API responses.
2026-04-03 09:23:26 +05:30
parent fc5aa555e5
commit a5bdde278d
2 changed files with 30 additions and 18 deletions


@@ -13,6 +13,7 @@ from datetime import datetime, timedelta
import calendar import calendar
import math import math
from mobile_api.utils import validate_token_and_get_user from mobile_api.utils import validate_token_and_get_user
from eventify_logger.services import log
def _haversine_km(lat1, lon1, lat2, lon2): def _haversine_km(lat1, lon1, lat2, lon2):
@@ -43,7 +44,8 @@ class EventTypeListAPIView(APIView):
event_types.append(event_type_data) event_types.append(event_type_data)
return JsonResponse({"status": "success", "event_types": event_types}) return JsonResponse({"status": "success", "event_types": event_types})
except Exception as e: except Exception as e:
return JsonResponse({"status": "error", "message": str(e)}) log("error", "EventTypeAPI exception", request=request, logger_data={"error": str(e)})
return JsonResponse({"status": "error", "message": "An unexpected server error occurred."})
class EventListAPI(APIView): class EventListAPI(APIView):
@@ -198,7 +200,8 @@ class EventListAPI(APIView):
"radius_km": used_radius, "radius_km": used_radius,
}) })
except Exception as e: except Exception as e:
return JsonResponse({"status": "error", "message": str(e)}) log("error", "EventListAPI exception", request=request, logger_data={"error": str(e)})
return JsonResponse({"status": "error", "message": "An unexpected server error occurred."})
class EventDetailAPI(APIView): class EventDetailAPI(APIView):
@@ -224,7 +227,8 @@ class EventDetailAPI(APIView):
event_data["images"] = event_images_list event_data["images"] = event_images_list
return JsonResponse(event_data) return JsonResponse(event_data)
except Exception as e: except Exception as e:
return JsonResponse({"status": "error", "message": str(e)}) log("error", "EventDetailAPI exception", request=request, logger_data={"error": str(e)})
return JsonResponse({"status": "error", "message": "An unexpected server error occurred."})
class EventImagesListAPI(APIView): class EventImagesListAPI(APIView):
@@ -252,8 +256,9 @@ class EventImagesListAPI(APIView):
return JsonResponse(res_data) return JsonResponse(res_data)
except Exception as e: except Exception as e:
log("error", "EventImagesListAPI exception", request=request, logger_data={"error": str(e)})
return JsonResponse( return JsonResponse(
{"status": "error", "message": str(e)}, {"status": "error", "message": "An unexpected server error occurred."},
) )
@@ -291,8 +296,9 @@ class EventsByCategoryAPI(APIView):
}) })
except Exception as e: except Exception as e:
log("error", "EventsByDateAPI exception", request=request, logger_data={"error": str(e)})
return JsonResponse( return JsonResponse(
{"status": "error", "message": str(e)}, {"status": "error", "message": "An unexpected server error occurred."},
) )
@@ -413,10 +419,11 @@ class EventsByMonthYearAPI(APIView):
"total_number_of_events": total_events, "total_number_of_events": total_events,
"date_events": date_events "date_events": date_events
}) })
except Exception as e: except Exception as e:
log("error", "DateSheetAPI exception", request=request, logger_data={"error": str(e)})
return JsonResponse( return JsonResponse(
{"status": "error", "message": str(e)}, {"status": "error", "message": "An unexpected server error occurred."},
) )
@@ -466,15 +473,16 @@ class EventsByDateAPI(APIView):
data_dict['thumb_img'] = '' data_dict['thumb_img'] = ''
event_list.append(data_dict) event_list.append(data_dict)
return JsonResponse({ return JsonResponse({
"status": "success", "status": "success",
"events": event_list "events": event_list
}) })
except Exception as e: except Exception as e:
log("error", "PincodeEventsAPI exception", request=request, logger_data={"error": str(e)})
return JsonResponse( return JsonResponse(
{"status": "error", "message": str(e)}, {"status": "error", "message": "An unexpected server error occurred."},
) )
@@ -503,7 +511,8 @@ class FeaturedEventsAPI(APIView):
return JsonResponse({"status": "success", "events": event_list}) return JsonResponse({"status": "success", "events": event_list})
except Exception as e: except Exception as e:
return JsonResponse({"status": "error", "message": str(e)}) log("error", "FeaturedEventsAPI exception", request=request, logger_data={"error": str(e)})
return JsonResponse({"status": "error", "message": "An unexpected server error occurred."})
@method_decorator(csrf_exempt, name='dispatch') @method_decorator(csrf_exempt, name='dispatch')
@@ -531,4 +540,5 @@ class TopEventsAPI(APIView):
return JsonResponse({"status": "success", "events": event_list}) return JsonResponse({"status": "success", "events": event_list})
except Exception as e: except Exception as e:
return JsonResponse({"status": "error", "message": str(e)}) log("error", "TopEventsAPI exception", request=request, logger_data={"error": str(e)})
return JsonResponse({"status": "error", "message": "An unexpected server error occurred."})
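Review bot: Three of the new log labels do not match the class the hunk header places them in: the hunk headed `class EventsByCategoryAPI` logs "EventsByDateAPI exception", the one headed `class EventsByMonthYearAPI` logs "DateSheetAPI exception", and the one headed `class EventsByDateAPI` logs "PincodeEventsAPI exception". If those headers name the enclosing class (they look like the nearest unindented definition), anyone triaging an incident from the logs will be pointed at the wrong endpoint. Deriving the label from the handler removes the drift, assuming these are instance methods: `log("error", f"{type(self).__name__} exception", request=request, logger_data={"error": str(e)})`. Separately, every error response in this file is still returned without a status code, so these failures reach the client as HTTP 200; adding `status=500`, as user.py does, lets clients and monitoring tell them apart from successful responses. Each except block's enclosing method begins outside its hunk.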


@@ -29,7 +29,7 @@ class RegisterView(View):
return JsonResponse({'errors': form.errors}, status=400) return JsonResponse({'errors': form.errors}, status=400)
except Exception as e: except Exception as e:
log("error", "API registration exception", request=request, logger_data={"error": str(e)}) log("error", "API registration exception", request=request, logger_data={"error": str(e)})
return JsonResponse({'error': str(e)}, status=500) return JsonResponse({'error': 'An unexpected server error occurred. Please try again.'}, status=500)
@method_decorator(csrf_exempt, name='dispatch') @method_decorator(csrf_exempt, name='dispatch')
@@ -64,7 +64,7 @@ class WebRegisterView(View):
return JsonResponse({'errors': form.errors}, status=400) return JsonResponse({'errors': form.errors}, status=400)
except Exception as e: except Exception as e:
log("error", "Web registration exception", request=request, logger_data={"error": str(e)}) log("error", "Web registration exception", request=request, logger_data={"error": str(e)})
return JsonResponse({'error': str(e)}, status=500) return JsonResponse({'error': 'An unexpected server error occurred. Please try again.'}, status=500)
@method_decorator(csrf_exempt, name='dispatch') @method_decorator(csrf_exempt, name='dispatch')
@@ -108,7 +108,7 @@ class LoginView(View):
return JsonResponse(simplify_form_errors(form), status=401) return JsonResponse(simplify_form_errors(form), status=401)
except Exception as e: except Exception as e:
log("error", "API login exception", request=request, logger_data={"error": str(e)}) log("error", "API login exception", request=request, logger_data={"error": str(e)})
return JsonResponse({'error': str(e)}, status=500) return JsonResponse({'error': 'An unexpected server error occurred. Please try again.'}, status=500)
@method_decorator(csrf_exempt, name='dispatch') @method_decorator(csrf_exempt, name='dispatch')
@@ -127,7 +127,8 @@ class StatusView(View):
}) })
except Exception as e: except Exception as e:
return JsonResponse({"status": "error", "message": str(e)}, status=500) log("error", "API status exception", request=request, logger_data={"error": str(e)})
return JsonResponse({"status": "error", "message": "An unexpected server error occurred."}, status=500)
@method_decorator(csrf_exempt, name='dispatch') @method_decorator(csrf_exempt, name='dispatch')
@@ -152,7 +153,7 @@ class LogoutView(View):
except Exception as e: except Exception as e:
log("error", "API logout exception", request=request, logger_data={"error": str(e)}) log("error", "API logout exception", request=request, logger_data={"error": str(e)})
return JsonResponse({"status": "error", "message": str(e)}, status=500) return JsonResponse({"status": "error", "message": "An unexpected server error occurred."}, status=500)
@method_decorator(csrf_exempt, name='dispatch') @method_decorator(csrf_exempt, name='dispatch')
@@ -330,7 +331,8 @@ class UpdateProfileView(View):
}, status=400) }, status=400)
except Exception as e: except Exception as e:
log("error", "API update profile exception", request=request, logger_data={"error": str(e)})
return JsonResponse({ return JsonResponse({
'success': False, 'success': False,
'error': str(e) 'error': 'An unexpected server error occurred. Please try again.'
}, status=500) }, status=500)
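Review bot: The generic message is spelled two ways in this file: the RegisterView, WebRegisterView, LoginView and UpdateProfileView hunks return "An unexpected server error occurred. Please try again." while StatusView and LogoutView return "An unexpected server error occurred.", and the events.py responses use yet another payload shape. A single module-level constant, e.g. `GENERIC_SERVER_ERROR = "An unexpected server error occurred. Please try again."`, used in every except block keeps the client contract uniform and makes future wording changes a one-line edit. Also, now that the client no longer sees the exception, the server-side log is the only diagnostic record, and `str(e)` alone drops the stack trace; unless `log` already captures it, adding `"traceback": traceback.format_exc()` to logger_data (with `import traceback` at the top of the file) preserves it. The enclosing methods begin outside these hunks.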