From 777aad54833087f28ed5747e8aa22d3e5b24d1fb Mon Sep 17 00:00:00 2001
From: Knut Ahlers
Date: Wed, 14 Jun 2023 15:20:14 +0200
Subject: [PATCH] Log API errors in server log and hide error details from client in order not to expose secrets

Signed-off-by: Knut Ahlers
---
 api.go | 24 +++++++++++++++++-------
 go.mod | 4 ++--
 go.sum | 4 ++--
 storage_mem.go | 2 +-
 storage_redis.go | 2 +-
 5 files changed, 23 insertions(+), 13 deletions(-)

diff --git a/api.go b/api.go
index a9f3106..a0d0497 100644
--- a/api.go
+++ b/api.go
@@ -2,11 +2,14 @@ package main
 
 import (
 	"encoding/json"
+	"errors"
 	"net/http"
 	"strings"
 	"time"
 
+	"github.com/gofrs/uuid"
 	"github.com/gorilla/mux"
+	"github.com/sirupsen/logrus"
 )
 
 type apiServer struct {
@@ -41,7 +44,7 @@ func (a apiServer) handleCreate(res http.ResponseWriter, r *http.Request) {
 	if strings.HasPrefix(r.Header.Get("Content-Type"), "application/json") {
 		tmp := apiRequest{}
 		if err := json.NewDecoder(r.Body).Decode(&tmp); err != nil {
-			a.errorResponse(res, http.StatusBadRequest, err.Error())
+			a.errorResponse(res, http.StatusBadRequest, err, "decoding request body")
 			return
 		}
 		secret = tmp.Secret
@@ -50,13 +53,13 @@ func (a apiServer) handleCreate(res http.ResponseWriter, r *http.Request) {
 	}
 
 	if secret == "" {
-		a.errorResponse(res, http.StatusBadRequest, "Secret missing")
+		a.errorResponse(res, http.StatusBadRequest, errors.New("secret missing"), "")
 		return
 	}
 
 	id, err := a.store.Create(secret, time.Duration(cfg.SecretExpiry)*time.Second)
 	if err != nil {
-		a.errorResponse(res, http.StatusInternalServerError, err.Error())
+		a.errorResponse(res, http.StatusInternalServerError, err, "creating secret")
 		return
 	}
 
@@ -70,7 +73,7 @@ func (a apiServer) handleRead(res http.ResponseWriter, r *http.Request) {
 	vars := mux.Vars(r)
 	id := vars["id"]
 	if id == "" {
-		a.errorResponse(res, http.StatusBadRequest, "ID missing")
+		a.errorResponse(res, http.StatusBadRequest, errors.New("id missing"), "")
 		return
 	}
 
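Review bot: The two validation errors handed over with an empty description — `errors.New("secret missing")` in this hunk and `errors.New("id missing")` in the `@@ -70,7` hunk — are now neither logged (errorResponse only logs when desc is non-empty) nor shown to the client: the 400 body carries a freshly generated UUID that no log line matches, so the reason for the rejection is lost on both sides. Neither string contains secret material, so there is nothing to hide here; passing a description keeps the err_id traceable, e.g. `a.errorResponse(res, http.StatusBadRequest, errors.New("secret missing"), "validating create request")` and `a.errorResponse(res, http.StatusBadRequest, errors.New("id missing"), "validating read request")`. handleCreate and handleRead both start and end outside these hunks.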
@@ -80,7 +83,7 @@ func (a apiServer) handleRead(res http.ResponseWriter, r *http.Request) {
 		if err == errSecretNotFound {
 			status = http.StatusNotFound
 		}
-		a.errorResponse(res, status, err.Error())
+		a.errorResponse(res, status, err, "reading & destroying secret")
 		return
 	}
 
@@ -90,9 +93,16 @@ func (a apiServer) handleRead(res http.ResponseWriter, r *http.Request) {
 	})
 }
 
-func (a apiServer) errorResponse(res http.ResponseWriter, status int, msg string) {
+func (a apiServer) errorResponse(res http.ResponseWriter, status int, err error, desc string) {
+	errID := uuid.Must(uuid.NewV4()).String()
+
+	if desc != "" {
+		// No description: Nothing interesting for the server log
+		logrus.WithField("err_id", errID).WithError(err).Error(desc)
+	}
+
 	a.jsonResponse(res, status, apiResponse{
-		Error: msg,
+		Error: errID,
 	})
 }
 
diff --git a/go.mod b/go.mod
index 6ae964c..2f7505b 100644
--- a/go.mod
+++ b/go.mod
@@ -5,11 +5,12 @@ go 1.20
 require (
 	github.com/Luzifer/go_helpers/v2 v2.18.0
 	github.com/Luzifer/rconfig/v2 v2.4.0
-	github.com/gofrs/uuid/v3 v3.1.2
+	github.com/gofrs/uuid v4.4.0+incompatible
 	github.com/gorilla/mux v1.8.0
 	github.com/pkg/errors v0.9.1
 	github.com/redis/go-redis/v9 v9.0.5
 	github.com/sirupsen/logrus v1.9.3
+	gopkg.in/yaml.v2 v2.4.0
 )
 
 require (
@@ -18,5 +19,4 @@ require (
 	github.com/spf13/pflag v1.0.5 // indirect
 	golang.org/x/sys v0.8.0 // indirect
 	gopkg.in/validator.v2 v2.0.1 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
 )
diff --git a/go.sum b/go.sum
index 2210742..530e25e 100644
--- a/go.sum
+++ b/go.sum
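Review bot: The comment `// No description: Nothing interesting for the server log` sits inside the `if desc != ""` branch, i.e. on the path that does have a description, so it states the opposite of the code around it; it belongs above the `if`, or the branch should be inverted to match it. Two further points in the same function: `uuid.Must(uuid.NewV4())` panics inside the request handler if the random source fails, and the log level is fixed at Error regardless of status, so the 404 produced in the `@@ -80,7` hunk for an already-consumed secret — the expected outcome for a one-time secret store — is logged as an error with a fresh err_id on every such request. I would write exactly one log line per issued err_id (so the id the client sees is always correlatable), pick the level from the status class, and report a failed id generation instead of panicking. The `Error` field of apiResponse now carries an opaque id rather than a message; its declaration is outside this hunk and its doc comment should say so.
```go
func (a apiServer) errorResponse(res http.ResponseWriter, status int, err error, desc string) {
	errID := "unknown"
	if id, idErr := uuid.NewV4(); idErr == nil {
		errID = id.String()
	} else {
		logrus.WithError(idErr).Error("generating error id")
	}

	// Every response that carries an err_id gets a matching log line so the id
	// can be correlated; only 5xx results are server faults worth Error level.
	if desc == "" {
		desc = "request failed"
	}
	entry := logrus.WithFields(logrus.Fields{"err_id": errID, "status": status}).WithError(err)
	if status >= http.StatusInternalServerError {
		entry.Error(desc)
	} else {
		entry.Warn(desc)
	}

	// … unchanged: jsonResponse call returning Error: errID …
}
```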
@@ -12,8 +12,8 @@ github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
 github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
-github.com/gofrs/uuid/v3 v3.1.2 h1:V3IBv1oU82x6YIr5txe3azVHgmOKYdyKQTowm9moBlY=
-github.com/gofrs/uuid/v3 v3.1.2/go.mod h1:xPwMqoocQ1L5G6pXX5BcE7N5jlzn2o19oqAKxwZW/kI=
+github.com/gofrs/uuid v4.4.0+incompatible h1:3qXRTX8/NbyulANqlc0lchS1gqAVxRgsuW1YrTJupqA=
+github.com/gofrs/uuid v4.4.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI=
 github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
 github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI=
diff --git a/storage_mem.go b/storage_mem.go
index 6d9988b..2273f45 100644
--- a/storage_mem.go
+++ b/storage_mem.go
@@ -3,7 +3,7 @@ package main
 import (
 	"time"
 
-	"github.com/gofrs/uuid/v3"
+	"github.com/gofrs/uuid"
 )
 
 type memStorageSecret struct {
diff --git a/storage_redis.go b/storage_redis.go
index 09c27cc..fe841d6 100644
--- a/storage_redis.go
+++ b/storage_redis.go
@@ -7,7 +7,7 @@ import (
 	"strings"
 	"time"
 
-	"github.com/gofrs/uuid/v3"
+	"github.com/gofrs/uuid"
 	"github.com/pkg/errors"
 	redis "github.com/redis/go-redis/v9"
 )