fix create-t3-app (and trpc) dangerous default?

By default, trpc (https://github.com/trpc/trpc/discussions/2071) and create-t3-app send server errors to clients unchanged:

const t = initTRPC.context<Context>().create({
  transformer: superjson,
  errorFormatter({ shape }) {
    return shape;
  }
});


Here, shape.data contains the stack trace of the error, and shape.message is the raw error message; either can contain sensitive info.

I updated my errorFormatter to hide this sensitive info:

  // By default, trpc sends the stack trace of the error to the client. Remove
  // these sensitive details before sending to the client.
  errorFormatter({ error, shape }) {
    // Unhandled errors are wrapped as INTERNAL_SERVER_ERROR; replace their
    // raw message with a generic one. Deliberate TRPCErrors keep their message.
    const safeMessage = error.code === "INTERNAL_SERVER_ERROR" ? "Internal server error" : shape.message;
    // Drop the stack trace and the procedure path from the data sent to the client.
    const { stack, path, ...safeData } = shape.data;

    return {
      ...shape,
      message: safeMessage,
      data: {
        ...safeData,
      }
    };
  }


Do you think it should be a default?
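To make the difference between the two formatters checkable without a running tRPC server, here is an added example (not code from the post or from tRPC) that models the errorFormatter contract with a plain object mirroring tRPC's default error shape; the sample error, its JSON-RPC code, the procedure path and the `leaks` audit helper are constructed for illustration.

```typescript
// Minimal model of the shape tRPC hands to errorFormatter (no dependency on @trpc/server).
type TRPCErrorCode = "INTERNAL_SERVER_ERROR" | "UNAUTHORIZED" | "BAD_REQUEST";

interface ErrorShape {
  message: string;
  code: number; // JSON-RPC style numeric code
  data: { code: TRPCErrorCode; httpStatus: number; path?: string; stack?: string };
}

interface FormatterArgs {
  error: { code: TRPCErrorCode; message: string };
  shape: ErrorShape;
}

// The create-t3-app default: pass the shape through untouched.
function defaultErrorFormatter({ shape }: FormatterArgs): ErrorShape {
  return shape;
}

// Hardened formatter: generic message for unhandled errors, no stack or path.
function safeErrorFormatter({ error, shape }: FormatterArgs): ErrorShape {
  const safeMessage = error.code === "INTERNAL_SERVER_ERROR" ? "Internal server error" : shape.message;
  const { stack: _stack, path: _path, ...safeData } = shape.data;
  return { ...shape, message: safeMessage, data: { ...safeData } };
}

// Build the `error` argument tRPC would pass alongside a given shape.
function errorFor(shape: ErrorShape): FormatterArgs["error"] {
  return { code: shape.data.code, message: shape.message };
}

// Audit helper (constructed): which sensitive details still reach the client.
function leaks(formatted: ErrorShape, original: ErrorShape): string[] {
  const found: string[] = [];
  if (original.data.code === "INTERNAL_SERVER_ERROR" && formatted.message === original.message) {
    found.push("message");
  }
  if (formatted.data.stack !== undefined) found.push("stack");
  if (formatted.data.path !== undefined) found.push("path");
  return found;
}

// Constructed sample: an unhandled DB error that tRPC wraps as INTERNAL_SERVER_ERROR.
const internalShape: ErrorShape = {
  message: "connect ECONNREFUSED db.internal.example:5432 (user=app_rw)",
  code: -32603,
  data: { code: "INTERNAL_SERVER_ERROR", httpStatus: 500, path: "user.byId",
          stack: "Error: connect ECONNREFUSED db.internal.example:5432\n    at TCPConnectWrap..." },
};

// Constructed sample: a deliberate TRPCError whose message is meant for the client.
const authShape: ErrorShape = {
  message: "Session expired",
  code: -32001,
  data: { code: "UNAUTHORIZED", httpStatus: 401, path: "user.me" },
};
```

Running `leaks` over the output of both formatters shows the default one leaking message, stack and path for the internal error, while the hardened one leaks nothing and still returns "Session expired" with httpStatus 401 for the UNAUTHORIZED case.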