feat: error_hint and error_debug are now exposed through error_description

[mitar]

Related issue

Fixes #456.

Proposed changes

When error_description is send out, it includes now error_hint (if present) and error_debug (if present and enabled to be send). Because error_description is standard this allows easier access to that information.

error_hint and error_debug fields are left as-is for backwards compatibility purposes. error_verbose is added to provide only the old error description.

Checklist

• I have read the contributing guidelines
• I have read the security policy
• I confirm that this pull request does not address a security
  vulnerability. If this pull request addresses a security vulnerability, I
  confirm that I got green light (please contact
  security@ory.sh) from the maintainers to push
  the changes.
• I have added tests that prove my fix is effective or that my feature works
• I have added necessary documentation within the code base (if appropriate)

[mitar]

Closing and reopening to trigger tests to run.

[aeneasr]

Great work! I think this will appear in a couple of other places as well (introspection?). I also had the idea that we could improve all of this a bit more by making RFCError a JSONUnmarshaller and add a method AsQueryString() string which would do the modifications instead of handling this. The only problem would be that f.SendDebugMessagesToClients would need to be passed to these functions somehow.

[aeneasr]

Once again, sorry for the late review! By the way, if you allow edits from maintainers I should be able to synch the branches and make the nancy failure go away :)

[mitar]

By the way, if you allow edits from maintainers I should be able to synch the branches and make the nancy failure go away

It should already be on.

[aeneasr]

Yes, my bad, I had to change something in the repository settings!

[mitar]

About JSONUnmarshaller, yea, I have no idea how to pass this, unless we do something like:

if !config.SendDebugMessagesToClients {
   error = error.WithDebug("")
}

And then leave to JSONUnmarshaller to serialize.

[mitar]

Or maybe we make Sanitize method on the error, which does the above, accepting boolean if it should sanitize or not. And then you call error.Sanitize(!config.SendDebugMessagesToClients) or something.

[aeneasr]

Hm yeah in that case it probably makes sense to just keep it as is!

[aeneasr]

Just to double-check, this would now be good for merge right?

[mitar]

No, I have not yet updated it based on your comments. My plan is:

• Make descriptions multi line (I am personally not too sure about it, but if you like it, sure).
• Make ErrorToRFC6749Error return by value, not ref.
• Implement JSONUnmarshaller and AsQueryString.
• Add Sanitize.

[aeneasr]

Ok sounds good :)

[mitar]

This is not necessary.

[mitar]

This condition was unnecessary and always true.

[mitar]

I simplified the logic here a bit. ErrorToRFC6749Error uses Cause internally as well, so I think this now is clearer and easier to read.

[mitar]

@aeneasr I finished things from my side. Please review again. When merging, please squash commits. (Or do you want me to squash them?)

[aeneasr]

All good, I'll squash them :)

[mitar]

Please see my comments above and tell me your final decisions so that I know what to do.

[aeneasr]

Thank you, almost there :) Still on vacation until September 23rd so response times might be a bit longer!

[mitar]

I updated the PR.

Enjoy vacations, no hurry with this one.

[aeneasr]

Nice! :)

[nerocrux]

@mitar @aeneasr
Thank you for your work!
It's not important but I wonder if it is possible to provide an option for removing error_verbose from the error response because the message in error_verbose and error_description feels duplicated for me.

[mitar]

I would suggest we simply make UnmarshalJSON always return an error and remove error_verbose altogether. So error_verbose is there just to support UnmarshalJSON, but UnmarshalJSON is not really needed/used at all in this codebase. I implemented it just for completeness.

[mitar]

Also, how people feel about removing error_hint and error_debug? Or should we just maybe mark them in a comment as 'deprecated pending future removal" and then remove them in half a year or so?

[nerocrux]

@mitar
Thank you for your reply.

I would suggest we simply make UnmarshalJSON always return an error and remove error_verbose altogether.

I agree with you.

how people feel about removing error_hint and error_debug?

I'm a user of fosite (not hydra) so my opinion's maybe not complete but I'm totally OK with removing error_hint and error_debug (merging them into error_description).

[lazeratops]

Came here to ask about the same thing - error_verbose seems redundant. If error_hint and error_debug are already merged into error_description I am fine removing them (as a caveat also just a fosite user, not hydra, not sure exactly how it would affect hydra users). To clarify for sanity purposes, to ensure I am seeing intended behaviour: the only one of these fields that is not intended to be exposed back to the client by default is error_debug, correct?

[aeneasr]

Those fields will be eventually deprecated. In the meanwhile, simply ignore them!

[lazeratops]

We can definitely ask the client to ignore them; the main reason I was asking is to confirm that our auth service is not leaking any info that it shouldn't and is up to spec with the RFC. When we run WriteAuthorizeError() via the fosite provider, the response fosite produces to send back to the client does include those error_verbose fields and error hints in its current state. I wanted to confirm that we are not meant to be sanitizing any of this away (except for the debug info, which is already sanitized by fosite)

[mitar]

Yes, those are fine. There is no extra information provided with these new fields, just merging them into error_description.

[nerocrux]

Thanks. I'm OK with this. But please allow me to confirm:

1. There is no way to remove error_verbose from error response (e.g. token endpoint) and the decision is we don't remove it for now.
2. Do you have any plan on the deprecation of these fields?

Thank you.

[aeneasr]

Yes, these will be deprecated in the upcoming release!

[aeneasr]

For anyone following this thread - I had to introduce some changes to this original PR. You can find the changeset here: e463674