fix(api): gate typed-error message exposure behind publicMessage opt-in

Author: waleedlatif1

apps/sim/executor/utils/block-reference.ts

@@ -32,17 +32,19 @@ export interface BlockReferenceResult {
 
 export class InvalidFieldError extends Error {
   readonly statusCode = 400
+  readonly publicMessage: string
 
   constructor(
     public readonly blockName: string,
     public readonly fieldPath: string,
     public readonly availableFields: string[]
   ) {
-    super(
+    const message =
       `"${fieldPath}" doesn't exist on block "${blockName}". ` +
-        `Available fields: ${availableFields.length > 0 ? availableFields.join(', ') : 'none'}`
-    )
+      `Available fields: ${availableFields.length > 0 ? availableFields.join(', ') : 'none'}`
+    super(message)
     this.name = 'InvalidFieldError'
+    this.publicMessage = message
   }
 }
 

apps/sim/lib/core/utils/with-route-handler.ts

@@ -11,17 +11,36 @@ type RouteHandler<T = unknown> = (
   context: T
 ) => Promise<NextResponse | Response> | NextResponse | Response
 
+function defaultMessageForStatus(status: number): string {
+  if (status >= 500) return 'Internal server error'
+  if (status === 401) return 'Unauthorized'
+  if (status === 403) return 'Forbidden'
+  if (status === 404) return 'Not Found'
+  if (status === 409) return 'Conflict'
+  return 'Request failed'
+}
+
 /**
  * Reads a numeric `statusCode` (4xx or 5xx) off an Error so typed domain errors
  * (e.g. `WorkspaceAccessDeniedError`) can map to the correct HTTP status when
- * they bubble up unhandled instead of defaulting to 500.
+ * they bubble up unhandled instead of defaulting to 500. Returns both the
+ * status and a client-safe message: the error's own `publicMessage` if it
+ * opted in, otherwise a generic per-status string. The raw `error.message` is
+ * never exposed by this fallback — domain errors must explicitly mark their
+ * message as safe to expose, preventing accidental leakage of internal details
+ * from typed errors that didn't intend to be user-facing.
  */
-function readTypedErrorStatus(error: unknown): number | undefined {
+function readTypedErrorResponse(error: unknown): { status: number; message: string } | undefined {
   if (!(error instanceof Error)) return undefined
-  const status = (error as { statusCode?: unknown }).statusCode
+  const typed = error as { statusCode?: unknown; publicMessage?: unknown }
+  const status = typed.statusCode
   if (typeof status !== 'number') return undefined
   if (status < 400 || status >= 600) return undefined
-  return status
+  const message =
+    typeof typed.publicMessage === 'string' && typed.publicMessage.length > 0
+      ? typed.publicMessage
+      : defaultMessageForStatus(status)
+  return { status, message }
 }
 
 /**
@@ -47,17 +66,28 @@ export function withRouteHandler<T>(handler: RouteHandler<T>): RouteHandler<T> {
         response = await handler(request, context)
       } catch (error) {
         const duration = Date.now() - startTime
-        const message = getErrorMessage(error, 'Unknown error')
-        const typedStatus = readTypedErrorStatus(error)
-        if (typedStatus !== undefined) {
-          if (typedStatus >= 500) {
-            logger.error('Unhandled route error', { duration, status: typedStatus, error: message })
+        const rawMessage = getErrorMessage(error, 'Unknown error')
+        const typed = readTypedErrorResponse(error)
+        if (typed !== undefined) {
+          if (typed.status >= 500) {
+            logger.error('Unhandled route error', {
+              duration,
+              status: typed.status,
+              error: rawMessage,
+            })
           } else {
-            logger.warn('Typed route error', { duration, status: typedStatus, error: message })
+            logger.warn('Typed route error', {
+              duration,
+              status: typed.status,
+              error: rawMessage,
+            })
           }
-          response = NextResponse.json({ error: message, requestId }, { status: typedStatus })
+          response = NextResponse.json(
+            { error: typed.message, requestId },
+            { status: typed.status }
+          )
         } else {
-          logger.error('Unhandled route error', { duration, error: message })
+          logger.error('Unhandled route error', { duration, error: rawMessage })
           response = NextResponse.json(
             { error: 'Internal server error', requestId },
             { status: 500 }

apps/sim/lib/workspaces/permissions/utils.ts

@@ -151,10 +151,13 @@ export async function checkWorkspaceAccess(
  * Thrown when a user attempts to access a workspace they don't have access to,
  * or that doesn't exist / has been archived. Carries `statusCode = 403` so route
  * handlers and the centralized route wrapper can map it to HTTP 403 instead of
- * defaulting to 500.
+ * defaulting to 500. `publicMessage` is the client-safe string the centralized
+ * wrapper exposes — the `message` (which includes the workspaceId) is kept for
+ * server-side logs only.
  */
 export class WorkspaceAccessDeniedError extends Error {
   readonly statusCode = 403
+  readonly publicMessage = 'Workspace access denied'
   readonly workspaceId: string
 
   constructor(workspaceId: string) {