Handle errors from reddit #35
Conversation
A 401 code is still an Ok(<...>) response
|
Draft until the efficacy and the correctness of the conditional logic (see above) is verified. |
😅 That's because we try to avoid logging at all costs to preserve privacy. Probably not ideal for cases like this. That's why I want to eventually add more debug-only logging so if there's a problem, someone can run it in debug mode for themselves |
The error page is now a little more informative. It should probably be formatted better. I'm most worried about the privacy/security concerns for the host (the issue was there before): the status code and reason could be abducted, and an attacker could glean information from this error page.
|
Tokarak
force-pushed
the
pr-fix-error-handling
branch
from
d851b90 to
be4e9ec
Compare
|
I'm not sure how much of a vulnerability it is to have a user of the site know the status code returned from reddit - what kind of information would that leak? |
|
Probably not a concern, but it can leak information that Reddit knows about the host which is unknown by the client. I was thinking information about the Reddit-facing network interface, but I doubt Reddit would leak anything about that. A rationale is that the host is just a proxy for the client, and so everything Reddit sends should be forwarded to the client anyway. |
|
Just confirmed working! |
|
Sounds great, thanks! Merging. |
* Fix error handling logic A 401 code is still an Ok(<...>) response * Fix json key * Run `cargo fmt`
A 401 code is still an
Ok(<...>)response, so the error handling was in the wrong place.Hopefully the conditional logic (
json["reason"] == "Unauthorized") is correct;The information reported to the browser should be improved.
It's obvious that Libreddit wasn't designed with error-handling in mind.
Linked issue: #22