fix: prevent fetchr to throw a 500 whenever a resource does not implement an operation #546
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
redonkulus
approved these changes
Nov 22, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We are getting some alerts on our systems whenever some bot our security scanner try to hit a fetchr resource using an operation that is not registered.
The most common case is when a resource only implements the
createmethod (which requires a POST request). The bots try to hit this resource with a GET request, which makes fetchr middleware to think that this is a areadoperation. Since the resource does not implement it, fetchr throws an error. Before this change this error wouldn't include a status code which would default to a 500. But since this is a client error and we are talking about not implemented methods, I thought that a 405 would be more appropriate.I really thought that this would be a trivial change (I actually tried it a long time ago, but I gave up and just decided to handle it in our services directly). The main issue is that
testCrudis used for both server and client tests. Even though the interface is the same, the errors are different: in the client, fetchr is mainly handling an http error andFetchrError.messageincludes the whole response body. But in the server (since there is no response yet),FetchrError.messageis just the error message itself. This is why you also see some refactoring here fortestCrudso we can do this differentiation in the test.The other issue that I found while solving this one is that we don't have a consistent way of throwing errors in the server. Sometimes it's handled in the middleware before triggering a fetchr request. In this case, we call express
nextfunction with a HttpError generated by fumble. But sometimes, we let the request go through fetchr and, if any error happens, we throw anFetchrErrorand handle the response within fetchr middleware. This behavior is quite visible now on the functional test where in the first case we get as response{ "message": "error" }and in the second case a{ "output": { "message": "error" }, "meta": {} }.This is not an issue to fetchr client since it can handle all kind of errors consistently. But it is an issue if one wants to consistently monitor/track errors on the server: the first case of errors must be handled in a custom express error middleware (as I added in the functional tests) and the second case must be handled within a fetchr
statsCollectorfunction.I confirm that this contribution is made under the terms of the license found in the root directory of this repository's source tree and that I have the authority necessary to make this contribution on behalf of its copyright owner.