fix(webapp): catch loader/action throws before Remix serializes them

Two webapp routes left their loader/action bodies uncaught. When the
underlying call (Prisma, etc.) threw, Remix's default error path
serialized `error.message` into the 500 response body, surfacing
implementation detail to API consumers — and via the SDK, to users.

This complements the earlier sweep over `catch (e) { return json({error:
e.message}, 500) }` shapes; that fix could not reach routes which had no
catch in the first place.

Each handler now wraps its body in try/catch, re-throws `Response`
instances so auth helpers' `throw json(...)` / `throw redirect(...)`
pass through unchanged, logs non-Response errors, and returns a generic
body. The polling changelogs widget returns `{ changelogs: [] }` 200
instead of a 500 — degrading silently across a transient blip is better
UX for a 60s-cadence widget, and the leak risk is identical (neither
shape carries the error message).

Covers:
- apps/webapp/app/routes/api.v1.projects.\$projectRef.envvars.\$slug.\$name.ts (loader + action)
- apps/webapp/app/routes/resources.platform-changelogs.tsx (loader)

Author: d-cs

.server-changes/sanitize-loader-action-leaks.md

@@ -0,0 +1,8 @@
+---
+area: webapp
+type: fix
+---
+
+Wrap two loaders/actions that previously let thrown errors propagate to Remix's default 500 serializer, which writes `error.message` into the response body. When the underlying call (Prisma, etc.) fails, the raw error string was reaching API consumers — including the SDK, which surfaces it back to users via `TriggerApiError`. Each handler now catches non-Response errors, logs server-side, and returns a generic 500 body. `throw json(...)` / `throw redirect(...)` from auth helpers is re-thrown unchanged.
+
+Covers `api.v1.projects.$projectRef.envvars.$slug.$name.ts` (loader + action) and `resources.platform-changelogs.tsx` (loader).

apps/webapp/app/routes/api.v1.projects.$projectRef.envvars.$slug.$name.ts

@@ -7,6 +7,7 @@ import {
   authenticatedEnvironmentForAuthentication,
   branchNameFromRequest,
 } from "~/services/apiAuth.server";
+import { logger } from "~/services/logger.server";
 import { EnvironmentVariablesRepository } from "~/v3/environmentVariables/environmentVariablesRepository.server";
 
 const ParamsSchema = z.object({
@@ -22,73 +23,82 @@ export async function action({ params, request }: ActionFunctionArgs) {
     return json({ error: "Invalid params" }, { status: 400 });
   }
 
-  const authenticationResult = await authenticateRequest(request);
+  try {
+    const authenticationResult = await authenticateRequest(request);
 
-  if (!authenticationResult) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
-
-  const environment = await authenticatedEnvironmentForAuthentication(
-    authenticationResult,
-    parsedParams.data.projectRef,
-    parsedParams.data.slug,
-    branchNameFromRequest(request)
-  );
-
-  // Find the environment variable
-  const variable = await prisma.environmentVariable.findFirst({
-    where: {
-      key: parsedParams.data.name,
-      projectId: environment.project.id,
-    },
-  });
-
-  if (!variable) {
-    return json({ error: "Environment variable not found" }, { status: 404 });
-  }
-
-  const repository = new EnvironmentVariablesRepository();
-
-  switch (request.method.toUpperCase()) {
-    case "DELETE": {
-      const result = await repository.deleteValue(environment.project.id, {
-        id: variable.id,
-        environmentId: environment.id,
-      });
+    if (!authenticationResult) {
+      return json({ error: "Invalid or Missing API key" }, { status: 401 });
+    }
 
-      if (result.success) {
-        return json({ success: true });
-      } else {
-        return json({ error: result.error }, { status: 400 });
-      }
+    const environment = await authenticatedEnvironmentForAuthentication(
+      authenticationResult,
+      parsedParams.data.projectRef,
+      parsedParams.data.slug,
+      branchNameFromRequest(request)
+    );
+
+    // Find the environment variable
+    const variable = await prisma.environmentVariable.findFirst({
+      where: {
+        key: parsedParams.data.name,
+        projectId: environment.project.id,
+      },
+    });
+
+    if (!variable) {
+      return json({ error: "Environment variable not found" }, { status: 404 });
     }
-    case "PUT":
-    case "POST": {
-      const jsonBody = await request.json();
 
-      const body = UpdateEnvironmentVariableRequestBody.safeParse(jsonBody);
+    const repository = new EnvironmentVariablesRepository();
 
-      if (!body.success) {
-        return json({ error: "Invalid request body", issues: body.error.issues }, { status: 400 });
-      }
+    switch (request.method.toUpperCase()) {
+      case "DELETE": {
+        const result = await repository.deleteValue(environment.project.id, {
+          id: variable.id,
+          environmentId: environment.id,
+        });
 
-      const result = await repository.edit(environment.project.id, {
-        values: [
-          {
-            value: body.data.value,
-            environmentId: environment.id,
-          },
-        ],
-        id: variable.id,
-        keepEmptyValues: true,
-      });
-
-      if (result.success) {
-        return json({ success: true });
-      } else {
-        return json({ error: result.error }, { status: 400 });
+        if (result.success) {
+          return json({ success: true });
+        } else {
+          return json({ error: result.error }, { status: 400 });
+        }
+      }
+      case "PUT":
+      case "POST": {
+        const jsonBody = await request.json();
+
+        const body = UpdateEnvironmentVariableRequestBody.safeParse(jsonBody);
+
+        if (!body.success) {
+          return json(
+            { error: "Invalid request body", issues: body.error.issues },
+            { status: 400 }
+          );
+        }
+
+        const result = await repository.edit(environment.project.id, {
+          values: [
+            {
+              value: body.data.value,
+              environmentId: environment.id,
+            },
+          ],
+          id: variable.id,
+          keepEmptyValues: true,
+        });
+
+        if (result.success) {
+          return json({ success: true });
+        } else {
+          return json({ error: result.error }, { status: 400 });
+        }
       }
     }
+  } catch (error) {
+    if (error instanceof Response) throw error;
+    logger.error("Failed to update environment variable", { error });
+    return json({ error: "Internal Server Error" }, { status: 500 });
   }
 }
 
@@ -99,48 +109,54 @@ export async function loader({ params, request }: LoaderFunctionArgs) {
     return json({ error: "Invalid params" }, { status: 400 });
   }
 
-  const authenticationResult = await authenticateRequest(request);
+  try {
+    const authenticationResult = await authenticateRequest(request);
 
-  if (!authenticationResult) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
+    if (!authenticationResult) {
+      return json({ error: "Invalid or Missing API key" }, { status: 401 });
+    }
 
-  const environment = await authenticatedEnvironmentForAuthentication(
-    authenticationResult,
-    parsedParams.data.projectRef,
-    parsedParams.data.slug,
-    branchNameFromRequest(request)
-  );
-
-  // Find the environment variable
-  const variable = await prisma.environmentVariable.findFirst({
-    where: {
-      key: parsedParams.data.name,
-      projectId: environment.project.id,
-    },
-  });
-
-  if (!variable) {
-    return json({ error: "Environment variable not found" }, { status: 404 });
-  }
+    const environment = await authenticatedEnvironmentForAuthentication(
+      authenticationResult,
+      parsedParams.data.projectRef,
+      parsedParams.data.slug,
+      branchNameFromRequest(request)
+    );
+
+    // Find the environment variable
+    const variable = await prisma.environmentVariable.findFirst({
+      where: {
+        key: parsedParams.data.name,
+        projectId: environment.project.id,
+      },
+    });
+
+    if (!variable) {
+      return json({ error: "Environment variable not found" }, { status: 404 });
+    }
 
-  const repository = new EnvironmentVariablesRepository();
+    const repository = new EnvironmentVariablesRepository();
 
-  const variables = await repository.getEnvironmentWithRedactedSecrets(
-    environment.project.id,
-    environment.id,
-    environment.parentEnvironmentId ?? undefined
-  );
+    const variables = await repository.getEnvironmentWithRedactedSecrets(
+      environment.project.id,
+      environment.id,
+      environment.parentEnvironmentId ?? undefined
+    );
 
-  const environmentVariable = variables.find((v) => v.key === parsedParams.data.name);
+    const environmentVariable = variables.find((v) => v.key === parsedParams.data.name);
 
-  if (!environmentVariable) {
-    return json({ error: "Environment variable not found" }, { status: 404 });
-  }
+    if (!environmentVariable) {
+      return json({ error: "Environment variable not found" }, { status: 404 });
+    }
 
-  return json({
-    name: environmentVariable.key,
-    value: environmentVariable.value,
-    isSecret: environmentVariable.isSecret,
-  });
+    return json({
+      name: environmentVariable.key,
+      value: environmentVariable.value,
+      isSecret: environmentVariable.isSecret,
+    });
+  } catch (error) {
+    if (error instanceof Response) throw error;
+    logger.error("Failed to get environment variable", { error });
+    return json({ error: "Internal Server Error" }, { status: 500 });
+  }
 }

apps/webapp/app/routes/resources.platform-changelogs.tsx

@@ -2,6 +2,7 @@ import { json } from "@remix-run/node";
 import type { LoaderFunctionArgs } from "@remix-run/node";
 import { useFetcher, type ShouldRevalidateFunction } from "@remix-run/react";
 import { useEffect, useRef } from "react";
+import { logger } from "~/services/logger.server";
 import { requireUserId } from "~/services/session.server";
 import { getRecentChangelogs, verifyOrgMembership } from "~/services/platformNotifications.server";
 
@@ -12,20 +13,29 @@ export type PlatformChangelogsLoaderData = {
 };
 
 export async function loader({ request }: LoaderFunctionArgs) {
-  const userId = await requireUserId(request);
-  const url = new URL(request.url);
-  const rawOrganizationId = url.searchParams.get("organizationId") ?? undefined;
-  const rawProjectId = url.searchParams.get("projectId") ?? undefined;
+  try {
+    const userId = await requireUserId(request);
+    const url = new URL(request.url);
+    const rawOrganizationId = url.searchParams.get("organizationId") ?? undefined;
+    const rawProjectId = url.searchParams.get("projectId") ?? undefined;
 
-  const { organizationId, projectId } = await verifyOrgMembership({
-    userId,
-    organizationId: rawOrganizationId,
-    projectId: rawProjectId,
-  });
+    const { organizationId, projectId } = await verifyOrgMembership({
+      userId,
+      organizationId: rawOrganizationId,
+      projectId: rawProjectId,
+    });
 
-  const changelogs = await getRecentChangelogs({ userId, organizationId, projectId });
+    const changelogs = await getRecentChangelogs({ userId, organizationId, projectId });
 
-  return json<PlatformChangelogsLoaderData>({ changelogs });
+    return json<PlatformChangelogsLoaderData>({ changelogs });
+  } catch (error) {
+    if (error instanceof Response) throw error;
+    logger.error("Failed to load platform changelogs", { error });
+    // Polling widget — degrade silently so a transient DB blip doesn't paint
+    // the dashboard with errors every 60s. Empty payload keeps the consumer's
+    // fetcher.data shape stable; the fault is recorded server-side.
+    return json<PlatformChangelogsLoaderData>({ changelogs: [] });
+  }
 }
 
 const POLL_INTERVAL_MS = 60_000;