security enhancement

Author: riyons

README.md

@@ -6,7 +6,7 @@
 ![GitHub issues](https://img.shields.io/github/issues/riyons/nextjs-centralized-error-handler)
 ![GitHub license](https://img.shields.io/github/license/riyons/nextjs-centralized-error-handler)
 
-A comprehensive error-handling package designed specifically for Next.js applications. This package provides centralized error handling through custom error classes and higher-order functions, solving common limitations in Next.js API routes. By serializing error messages in a frontend-compatible format, it enhances frontend-backend integration, making it easy to handle errors across the entire stack.
+**A comprehensive, secure error-handling package designed specifically for Next.js applications.** By leveraging centralized error handling through custom error classes and a higher-order function, this package overcomes limitations in Next.js API routes, where traditional middleware isn’t supported. It catches all errors—both expected and unexpected—ensuring consistent responses, preventing information leakage, and eliminating the need for repetitive `try-catch` blocks. Errors are serialized in a frontend-compatible JSON format, enhancing frontend-backend integration and delivering user-friendly feedback. Ideal for scalable applications, `nextjs-centralized-error-handler` simplifies error management across the entire stack while maintaining robust security.
 
 ## Table of Contents
 
@@ -27,6 +27,7 @@ A comprehensive error-handling package designed specifically for Next.js applica
 - [Customizing Error Handling Behavior](#customizing-error-handling-behavior)
   - [Error Handler Options](#error-handler-options)
   - [Customizing Error Responses](#customizing-error-responses)
+- [Security Considerations](#security-considerations)
 - [Examples](#examples)
 - [Integration with Logging Services](#integration-with-logging-services)
   - [Enhanced Logging with Sentry](#enhanced-logging-with-sentry)
@@ -263,6 +264,49 @@ Developers can pass a `formatError` function to customize how errors are returne
 
 ---
 
+## Security Considerations
+
+### Comprehensive Exception Handling
+The provided `errorHandler` higher-order function catches all exceptions in the route handler—not just those thrown using the package's custom error classes. This approach intercepts any uncaught errors, regardless of their origin, which eliminates the need for repetitive `try-catch` blocks in each route. By wrapping your route handlers with `errorHandler`, you rely on a consistent, centralized error-handling strategy across all routes, minimizing code redundancy and enhancing maintainability.
+
+### Preventing Information Leakage
+The `errorHandler` is designed to prevent sensitive information from being exposed to clients:
+
+- **Custom Errors Only**: Only errors that are instances of `CustomError` (or its subclasses) will have their `statusCode` and `message` sent to the client. This provides meaningful, user-friendly error messages for known issues.
+
+- **Generic Handling of Other Errors**: For unexpected errors (such as those thrown by third-party libraries or unanticipated issues), `errorHandler` defaults to a `statusCode` of 500 and a generic error message, ensuring internal server details are kept private.
+
+### Example: Handling Unexpected Errors Safely
+Consider an API route that relies on a third-party library, which may throw errors we can’t predict:
+
+```javascript
+const { errorHandler } = require('nextjs-centralized-error-handler');
+
+const handler = async (req, res) => {
+  // An error from a third-party library
+  await thirdPartyLibrary.doSomething(); // Throws an unexpected error
+};
+
+export default errorHandler(handler);
+```
+### What Happens Under the Hood
+If `thirdPartyLibrary.doSomething()` throws an error that isn’t a `CustomError`, `errorHandler` will:
+
+1. **Set `statusCode`** to 500 (or the configured `defaultStatusCode`).
+2. **Set `message`** to "An internal server error occurred. Please try again later." (or `defaultMessage` if configured).
+3. **Prevent Information Leakage**: Ensures no sensitive details (e.g., the original error message or stack trace) are sent to the client.
+4. **Log the Error Server-Side**: Uses the provided logger for internal monitoring to record the error.
+
+### Note on Error Handling Strategy
+The `errorHandler` function distinguishes between custom errors and unexpected errors:
+
+- **Custom Errors (`CustomError` instances)**: The specific `statusCode` and `message` you define are sent to the client, offering clear and user-friendly feedback for known issues.
+- **Other Errors**: A default `statusCode` and message are used to safeguard against information leakage from unexpected errors.
+
+By catching all errors in this way, `nextjs-centralized-error-handler` provides a robust, secure, and unified error-handling solution tailored for Next.js applications, with built-in protections to prevent unintended data exposure.
+
+---
+
 ## Examples
 
 Here are a few real-world scenarios that showcase the package’s usage:

package.json

@@ -1,6 +1,6 @@
 {
   "name": "nextjs-centralized-error-handler",
-  "version": "1.0.1",
+  "version": "1.0.2",
   "main": "index.js",
   "scripts": {
     "test": "jest",

src/errorHandler.js

@@ -1,8 +1,10 @@
 // src/errorHandler.js
 
+const { CustomError } = require('./customErrors'); // Ensure you import CustomError
+
 function errorHandler(handler, options = {}) {
   const {
-    logger = console.error, // Default to console.error
+    logger = console.error,
     defaultStatusCode = 500,
     defaultMessage = 'An internal server error occurred. Please try again later.',
     formatError = null,
@@ -12,28 +14,27 @@ function errorHandler(handler, options = {}) {
     try {
       await handler(req, res);
     } catch (error) {
-      // Log the error
       logger('API Route Error:', error);
 
-      // Determine status code and message
-      const statusCode = error.statusCode || defaultStatusCode;
-      const message =
-        statusCode === 500 ? defaultMessage : error.message || defaultMessage;
+      let statusCode = defaultStatusCode;
+      let message = defaultMessage;
+
+      if (error instanceof CustomError) {
+        statusCode = error.statusCode;
+        message = error.message || defaultMessage;
+      }
 
-      // Build error response
       let errorResponse = {
         error: {
           message,
           type: error.name || 'Error',
         },
       };
 
-      // Allow custom error formatting
       if (formatError && typeof formatError === 'function') {
         errorResponse = formatError(error, req);
       }
 
-      // Send response
       res.status(statusCode).json(errorResponse);
     }
   };

tests/errorHandler.test.js

@@ -1,7 +1,7 @@
 // tests/errorHandler.test.js
 
 const errorHandler = require('../src/errorHandler');
-const { BadRequestError } = require('../src/customErrors');
+const { BadRequestError, CustomError } = require('../src/customErrors');
 
 beforeAll(() => {
   jest.spyOn(console, 'error').mockImplementation(() => {});
@@ -137,3 +137,29 @@ describe('errorHandler with custom formatError', () => {
     });
   });
 });
+
+describe('errorHandler security', () => {
+  test('should use default status code and message for non-custom errors', async () => {
+    const req = {};
+    const res = {
+      status: jest.fn().mockReturnThis(),
+      json: jest.fn(),
+    };
+
+    const handler = async () => {
+      const error = new Error('Sensitive internal error message');
+      error.statusCode = 400; // Error with statusCode and message
+      throw error;
+    };
+
+    await errorHandler(handler)(req, res);
+
+    expect(res.status).toHaveBeenCalledWith(500); // Should use defaultStatusCode
+    expect(res.json).toHaveBeenCalledWith({
+      error: {
+        message: 'An internal server error occurred. Please try again later.', // Should use defaultMessage
+        type: 'Error',
+      },
+    });
+  });
+});