Mark argument as sensitive to avoid printing it during errors?
Is there a way to mark arguments as sensitive so that when there are errors convex will not print out the variable value in the error messages? For example I pass a "header" arg to some functions which contains an api key that I use to verify a user has permission to run a query/mutation. If something goes wrong though it will print out all the args in plaintext which is not behavior I ever want to be possible for this arg:
6 Replies
There isn’t any built in functionality for this, you’ll want to try/catch to control error reporting.
@Kyle interesting idea though, we'll have to think it over
Yeah it would be helpful, kind of like how terraform allows you to mark variables as sensitive, or how github actions automatically hides secrets that get logged (although I doubt you can do anything automatically for arbitrary args)
Is the concern about these messages appearing to your end users (e.g. when they make a malformed request)? Or appearing in your own logs (e.g. Dashboard logs page) and seeing user details?
For the former, check out https://docs.convex.dev/functions/error-handling/#differences-in-error-reporting-between-dev-and-prod but I believe errors like this won't show up in prod deployments (so shouldn't have to worry about your users seeing these messages).
Error Handling | Convex Developer Hub
There are four reasons why your Convex
Ah, that's a great point. I'm more concerned about them showing up to the end users via error messages (and them losing trust in security by seeing secrets in plaintext). If these messages don't show up in prod then I think that prevents the issue, all this was happening on the dev environment with dev keys.
And if you do want to pass through details in prod, you can use ConvexError, where you'll want to only put in non-sensitive information.