From 36fe405e0e7d5942f858073797cc85bb41739a1d Mon Sep 17 00:00:00 2001
From: Denis Badurina
Date: Tue, 20 Oct 2020 10:35:30 +0200
Subject: [PATCH] fix(server): Hide internal server error messages from the client in production
Closes: #31
---
 src/server.ts | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/server.ts b/src/server.ts
index 55848775..4c790991 100644
--- a/src/server.ts
+++ b/src/server.ts
@@ -220,6 +220,8 @@ export function createServer(
 options: ServerOptions,
 websocketOptionsOrServer: WebSocketServerOptions | WebSocketServer,
 ): Server {
+ const isProd = process.env.NODE_ENV === 'production';
+
 const {
 schema,
 context,
@@ -315,9 +317,11 @@ export function createServer(
 }
 if (isErrorEvent(errorOrClose)) {
- // TODO-db-200805 leaking sensitive information by sending the error message too?
 // 1011: Internal Error
- ctxRef.current.socket.close(1011, errorOrClose.message);
+ ctxRef.current.socket.close(
+ 1011,
+ isProd ? 'Internal Error' : errorOrClose.message,
+ );
 }
 Object.entries(ctxRef.current.subscriptions).forEach(
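Review bot: The redaction in the second hunk (`isProd ? 'Internal Error' : errorOrClose.message`) is gated solely on `NODE_ENV === 'production'` from the first hunk, so any deployment where `NODE_ENV` is unset or spelled differently (staging, containers without the variable) keeps sending the raw `errorOrClose.message` to the client; a safer default is to withhold the message unless the caller explicitly opts in, e.g. `const isProd = process.env.NODE_ENV !== 'development';` or a `ServerOptions` flag, if that fits the project's configuration conventions. Nothing in either hunk records the original message server-side once it is replaced, so in production the detail is lost unless it is logged elsewhere in `createServer` (not visible here); if it is not, add a log call before the `close(...)`. The magic string `'Internal Error'` duplicates the `// 1011: Internal Error` comment and could be hoisted to a named constant next to `isProd`, and a one-line comment such as `// Withhold internal error details from the client in production (see #31)` above the `close(...)` would explain the intent to the next maintainer. `createServer` begins before the first hunk and its body continues past the second.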