n1ru4l · saihaj · Sep 8, 2022 · Sep 5, 2022 · Sep 5, 2022 · Sep 5, 2022
diff --git a/.changeset/rude-cats-peel.md b/.changeset/rude-cats-peel.md
@@ -0,0 +1,8 @@
+---
+'@envelop/core': major
+---
+
+Remove `handleValidationErrors` and `handleParseErrors` options from `useMaskedErrors`.
+
+> ONLY masking validation errors OR ONLY disabling introspection errors does not make sense, as both can be abused for reverse-engineering the GraphQL schema (see https://github.com/nikitastupin/clairvoyance for reverse-engineering the schema based on validation error suggestions).
+> https://github.com/n1ru4l/envelop/issues/1482#issue-1340015060
diff --git a/packages/core/docs/use-masked-errors.md b/packages/core/docs/use-masked-errors.md
@@ -0,0 +1,62 @@
+#### `useMaskedErrors`
+
+Prevent unexpected error messages from leaking to the GraphQL clients.
+
+```ts
+import { envelop, useSchema, useMaskedErrors } from '@envelop/core'
+import { makeExecutableSchema, GraphQLError } from 'graphql'
+
+const schema = makeExecutableSchema({
+  typeDefs: /* GraphQL */ `
+    type Query {
+      something: String!
+      somethingElse: String!
+      somethingSpecial: String!
+    }
+  `,
+  resolvers: {
+    Query: {
+      something: () => {
+        throw new GraphQLError('Error that is propagated to the clients.')
+      },
+      somethingElse: () => {
+        throw new Error("Unsafe error that will be masked as 'Unexpected Error.'.")
+      },
+      somethingSpecial: () => {
+        throw new GraphQLError('The error will have an extensions field.', {
+          code: 'ERR_CODE',
+          randomNumber: 123
+        })
+      }
+    }
+  }
+})
+
+const getEnveloped = envelop({
+  plugins: [useSchema(schema), useMaskedErrors()]
+})
+```
+
+You may customize the default error message `Unexpected error.` with your own `errorMessage`:
+
+```ts
+const getEnveloped = envelop({
+  plugins: [useSchema(schema), useMaskedErrors({ errorMessage: 'Something went wrong.' })]
+})
+```
+
+Or provide a custom formatter when masking the output:
+
+```ts
+export const customFormatError: FormatErrorHandler = err => {
+  if (err.originalError) {
+    return new GraphQLError('Sorry, something went wrong.')
+  }
+
+  return err
+}
+
+const getEnveloped = envelop({
+  plugins: [useSchema(schema), useMaskedErrors({ formatError: customFormatError })]
+})
+```
diff --git a/packages/core/src/plugins/use-masked-errors.ts b/packages/core/src/plugins/use-masked-errors.ts
@@ -0,0 +1,87 @@
+import { Plugin, ExecutionResult } from '@envelop/types';
+import { handleStreamOrSingleExecutionResult } from '../utils.js';
+
+export const DEFAULT_ERROR_MESSAGE = 'Unexpected error.';
+
+export type MaskErrorFn = (error: unknown, message: string) => Error;
+
+export type SerializableGraphQLErrorLike = Error & {
+  name: 'GraphQLError';
+  toJSON(): { message: string };
+};
+
+export function isGraphQLError(error: unknown): error is Error & { originalError?: Error } {
+  return error instanceof Error && error.name === 'GraphQLError';
+}
+
+export function createSerializableGraphQLError(message: string): SerializableGraphQLErrorLike {
+  const error = new Error(message);
+  error.name = 'GraphQLError';
+  Object.defineProperty(error, 'toJSON', {
+    value() {
+      return {
+        message: error.message,
+      };
+    },
+  });
+  return error as SerializableGraphQLErrorLike;
+}
+
+export const defaultMaskErrorFn: MaskErrorFn = (err, message) => {
+  if (isGraphQLError(err)) {
+    if (err?.originalError) {
+      if (isGraphQLError(err.originalError)) {
+        return err;
+      }
+      return createSerializableGraphQLError(message);
+    }
+    return err;
+  }
+  return createSerializableGraphQLError(message);
+};
+
+export type UseMaskedErrorsOpts = {
+  /** The function used for identify and mask errors. */
+  maskErrorFn?: MaskErrorFn;
+  /** The error message that shall be used for masked errors. */
+  errorMessage?: string;
+};
+
+const makeHandleResult =
+  (maskErrorFn: MaskErrorFn, message: string) =>
+  ({ result, setResult }: { result: ExecutionResult; setResult: (result: ExecutionResult) => void }) => {
+    if (result.errors != null) {
+      setResult({ ...result, errors: result.errors.map(error => maskErrorFn(error, message)) });
+    }
+  };
+
+export const useMaskedErrors = (opts?: UseMaskedErrorsOpts): Plugin => {
+  const maskErrorFn = opts?.maskErrorFn ?? defaultMaskErrorFn;
+  const message = opts?.errorMessage || DEFAULT_ERROR_MESSAGE;
+  const handleResult = makeHandleResult(maskErrorFn, message);
+
+  return {
+    onPluginInit(context) {
+      context.registerContextErrorHandler(({ error, setError }) => {
+        setError(maskErrorFn(error, message));
+      });
+    },
+    onExecute() {
+      return {
+        onExecuteDone(payload) {
+          return handleStreamOrSingleExecutionResult(payload, handleResult);
+        },
+      };
+    },
+    onSubscribe() {
+      return {
+        onSubscribeResult(payload) {
+          return handleStreamOrSingleExecutionResult(payload, handleResult);
+        },
+        onSubscribeError({ error, setError }) {
+          setError(maskErrorFn(error, message));
+        },
+      };
+    },
+  };
+};