elysia icon indicating copy to clipboard operation
elysia copied to clipboard

Published 20 hours ago verified publisher icon elysiajs

Elysia does not display error details when in production mode

Open emilcondrea opened this issue 9 months ago • 1 comments

What version of Elysia is running?

1.2.12

What platform is your computer?

Darwin 23.1.0 arm64 arm

What steps can reproduce the bug?

set NODE_ENV=production make a request to an API with a required field, it will not display summary

What is the expected behavior?

Display detailed error why something failed

{
  "type": "validation",
  "on": "params",
  "summary": "Expected string length greater or equal to 10",
  "property": "/fieldname",
  "message": "Expected string length greater or equal to 10",
  "expected": {
    "fieldname": "somevalue"
  },
  "found": {
    "fieldname": "a"
  },
  "errors": [
    {
      "summary": "Expected string length greater or equal to 10",
      "type": 52,
      "schema": {
        "minLength": 10,
        "default": "somevalue",
        "type": "string"
      },
      "path": "/fieldname",
      "value": "a",
      "message": "Expected string length greater or equal to 10",
      "errors": []
    }
  ]
}

What do you see instead?

{ "type": "validation", "on": "params", "found": { "fieldname": "a" } }

Additional information

No response

Have you try removing the node_modules and bun.lockb and try again yet?

yes

emilcondrea avatar Feb 12 '25 09:02 emilcondrea

Having the same issue. I didn't know my error messages were not showing up for a long time until a user reported it in production. My users are seeing a JSON that tells nothing about the error making me unable to use it to show a proper message.

pauldps avatar Mar 02 '25 09:03 pauldps

Same here.

wilssola avatar Jul 29 '25 17:07 wilssola

This is an expected behavior. Elysia omits the expected structure of the route by default for a security reason

This is to prevent a malicious attacker from identifying the structure of the request, preventing the attacker from identifying an attack surface from the Elysia API

You wouldn't hand off a sheet describing how the private API expect and works to anyone, this is the same reason

Having the same issue. I didn't know my error messages were not showing up for a long time until a user reported it in production. My users are seeing a JSON that tells nothing about the error making me unable to use it to show a proper message.

You can define a custom error message as follows

new Elysia().post('/', () => {}, {
    body: t.Object({
        name: t.String({
            error: 'name is missing'
        })
    })
})

Close as not planned, and won't fix

SaltyAom avatar Aug 09 '25 14:08 SaltyAom