fix create-t3-app (and trpc) dangerous default?

By default, trpc (https://github.com/trpc/trpc/discussions/2071) and create-t3-app send server errors to clients:
const t = initTRPC.context<Context>().create({
  transformer: superjson,
  errorFormatter({ shape }) {
    return shape;
  },
});
Here, shape contains the stack trace of the error and a message which can contain sensitive info. I updated my errorFormatter to hide this sensitive info:
// By default, trpc sends the stack trace of the error to the client. Remove
// these sensitive details before sending to the client.
errorFormatter({ error, shape }) {
  // Replace the raw message for unhandled (500) errors; keep it for client-facing codes.
  const safeMessage = error.code === "INTERNAL_SERVER_ERROR" ? "Internal server error" : shape.message;
  // Strip the stack trace and procedure path from the data sent to the client.
  const { stack, path, ...safeData } = shape.data;

  return {
    ...shape,
    message: safeMessage,
    data: {
      ...safeData,
    },
  };
},
Do you think it should be a default?
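A stand-alone version of the redaction described in the post, added here as an example; it is not code from the thread, from tRPC or from create-t3-app. It mirrors the field names of tRPC's default error shape (message, code, data.code, data.httpStatus, data.path, data.stack) as a local type so it runs without a tRPC dependency, and it shows two things the snippet above does not: the original message and stack are logged server-side under a correlation id, and only that id is returned to the client so a user report can be matched to the log. The redactErrorShape function, the LogSink type and the sample shapes are assumptions for this example, not tRPC API.

```typescript
import { randomUUID } from "node:crypto";

// Local stand-ins for tRPC's error shape and error object (assumption: field
// names follow tRPC's default error shape; no tRPC import so this runs offline).
type ErrorShape = {
  message: string;
  code: number; // JSON-RPC style numeric code
  data: {
    code: string; // e.g. "INTERNAL_SERVER_ERROR", "BAD_REQUEST"
    httpStatus: number;
    path?: string; // procedure path, e.g. "user.byId"
    stack?: string;
    [k: string]: unknown;
  };
};
type TRPCErrorLike = { code: string; message: string; cause?: unknown };

// Where the unredacted details go. Defaults to stderr; tests pass a collector.
type LogSink = (entry: Record<string, unknown>) => void;
const defaultLog: LogSink = (entry) => console.error(JSON.stringify(entry));

// Redacts what the client receives while keeping the full detail server-side.
function redactErrorShape(
  error: TRPCErrorLike,
  shape: ErrorShape,
  log: LogSink = defaultLog,
): ErrorShape {
  const isInternal = error.code === "INTERNAL_SERVER_ERROR";

  // Never forward the stack trace or procedure path, whatever the error code.
  const { stack, path, ...safeData } = shape.data;

  // Correlation id: logged with the real error, echoed to the client on 500s.
  const errorId = randomUUID();
  log({
    errorId,
    code: error.code,
    message: error.message,
    path,
    stack,
    cause: error.cause instanceof Error ? error.cause.message : undefined,
  });

  return {
    ...shape,
    // Unhandled errors (DB messages, host names, query text) become generic;
    // errors the procedure raised deliberately keep their client-facing message.
    message: isInternal ? `Internal server error (ref ${errorId})` : shape.message,
    data: {
      ...safeData,
      ...(isInternal ? { errorId } : {}),
    },
  };
}

// Constructed sample: an unhandled database connection error surfacing as a 500.
const sampleShape: ErrorShape = {
  message: "connect ECONNREFUSED 10.0.0.5:5432",
  code: -32603,
  data: {
    code: "INTERNAL_SERVER_ERROR",
    httpStatus: 500,
    path: "user.byId",
    stack: "Error: connect ECONNREFUSED 10.0.0.5:5432\n    at TCPConnectWrap.afterConnect",
  },
};

console.log(
  JSON.stringify(
    redactErrorShape({ code: sampleShape.data.code, message: sampleShape.message }, sampleShape),
    null,
    2,
  ),
);
```

The sink is injected rather than hard-wired to console so the same function can feed a structured logger in production; the client only ever sees the generic message, the HTTP status and the reference id.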
Ambushfall, 3y ago
I personally reckon the T3 Stack is just a starting point for you to do what you wish, I believe. Yeah, you should always select what you push client side. Not sure if it should be by default though.
