fix: scrub raw error messages from error boundary before display #472
Merged
Priyanshu-byte-coder merged 1 commit into Priyanshu-byte-coder:main on May 21, 2026
error.tsx rendered error.message directly in a <code> block, leaking Supabase constraint names, table names, and auth token details to any user who hit a runtime error. Adds getSafeMessage() which returns a generic message in production, maps known error types (TokenRevoked) to user-friendly copy, and preserves the raw message only in development. Also gates console.error behind NODE_ENV !== production to avoid flooding browser consoles in prod. error.digest is still surfaced for support correlation without exposing internals. Fixes Priyanshu-byte-coder#452
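The pattern described above, sketched as an added example; it is not the code merged in this PR. `getSafeMessage`, `SAFE_ERROR_MESSAGES`, `TokenRevoked`, `error.digest` and the session-expired copy come from the PR text, while the generic wording, the explicit `env` parameter, matching on `error.name` or a message substring, and the `renderFields` and `demo` helpers are assumptions.

```typescript
// Added illustration; not the project's own code.
// Assumed: GENERIC_MESSAGE wording, the explicit `env` argument (a Next.js
// boundary would pass process.env.NODE_ENV), and name/substring matching.
type BoundaryError = { name: string; message: string; digest?: string };

const GENERIC_MESSAGE = "Something went wrong. Please try again."; // constructed copy

const SAFE_ERROR_MESSAGES: Record<string, string> = {
  TokenRevoked: "Your GitHub session has expired. Please sign in again.",
};

function getSafeMessage(error: BoundaryError, env: string): string {
  // Known error types map to fixed copy in every environment, so the raw
  // message never decides what the user reads.
  for (const key of Object.keys(SAFE_ERROR_MESSAGES)) {
    if (error.name === key || error.message.indexOf(key) !== -1) {
      return SAFE_ERROR_MESSAGES[key];
    }
  }
  // Fail closed: only an explicit "development" reveals the raw text, so an
  // unset or misspelled environment value still gets the generic message.
  return env === "development" ? error.message : GENERIC_MESSAGE;
}

// Everything the boundary may put on screen: safe text plus the opaque digest.
function renderFields(error: BoundaryError, env: string) {
  return { message: getSafeMessage(error, env), errorId: error.digest ?? null };
}

// Constructed sample errors: messages quoted from the PR's test plan, digest invented.
const SAMPLES: BoundaryError[] = [
  { name: "Error", message: "supabaseUrl is required." },
  {
    name: "Error",
    message: "duplicate key value violates unique constraint '...'",
    digest: "sample-digest-1",
  },
  { name: "TokenRevoked", message: "token no longer valid" },
  { name: "Error", message: "TokenRevoked: refresh failed" },
];

// Production view of every sample; none of the raw messages should survive.
function demo() {
  return SAMPLES.map((e) => renderFields(e, "production"));
}
```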
@advikdivekar is attempting to deploy a commit to the PRIYANSHU DOSHI's projects Team on Vercel. A member of the Team first needs to authorize it.
GSSoC Label Checklist 🏷️
@Priyanshu-byte-coder — please apply the appropriate labels before merging:
Difficulty (pick one):
Quality (optional):
Validation (required to score):
306bd3a into Priyanshu-byte-coder:main (4 checks passed)
Summary
Closes #452
error.tsx rendered error.message directly inside a <code> block with no sanitisation. Any runtime error — Supabase constraint violations,
console.error(error) also fired unconditionally in the browser, including in production.
Changes
getSafeMessage(error) — new helper that:
  TokenRevoked) to user-friendly copy via SAFE_ERROR_MESSAGES
  production for all other errors
  development (useful for debugging)
<code> block removed — error.message is no longer rendered in JSX; only getSafeMessage(error) is
error.digest surfaced — shown as "Error ID" when present, so support can correlate without leaking internals
console.error gated — only fires in non-production; a reportToSentry(error) hook comment is left for wiring up real error reporting
Test plan
"supabaseUrl is required." → shows generic message, not raw text
"duplicate key value violates unique constraint '...'" → shows generic message
TokenRevoked error → shows "Your GitHub session has expired. Please sign in again."
TokenRevoked → same user-friendly mapping applies
error.digest shown as Error ID when present (allows support correlation)
console.error not called in production (verified by gating on NODE_ENV !== "production")
npm run lint and npm run type-check pass with zero errors