Throw user-friendly exception with the proper HTTP statuscode

[tvdijen]

Closes #2233

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 44.92%. Comparing base (7470c4c) to head (441b72e).
Report is 1 commits behind head on simplesamlphp-2.3.

Additional details and impacted files

@@                   Coverage Diff                   @@
##             simplesamlphp-2.3    #2234      +/-   ##
=======================================================
+ Coverage                44.90%   44.92%   +0.01%     
- Complexity                3895     3898       +3     
=======================================================
  Files                      162      163       +1     
  Lines                    12982    12998      +16     
=======================================================
+ Hits                      5830     5839       +9     
- Misses                    7152     7159       +7     

[tvdijen]

[tvdijen]

Note to self: should fix the debug info box overflow

[thijskh]

It makes it a lot friendlier, but I think the core issue remains and that is that OPTIONS and HEAD requests will still be logging exceptions and I doubt we want that. You get a lot of OPTIONS passing by from browsers etc that should just be silently responded to with a 405 but not generate a lot of logging. I think.

[tvdijen]

I'm not sure we can fix that entirely...
We can stop logging this specific error, but that kind of defeats the purpose of the debug.backtraces = true setting...

One possible solution could be to add a parameter to Error::show() to pass the desired log-level. This would allow us to upscale or downscale exceptions.. In this particular case we could downscale to debug-level to hide the tracebacks (but log-level debug would still show them)
This will still generate 1 line of logging telling us that an error report was generated.

[thijskh]

I would only do this in debug mode indeed. Because it's very common for browsers etc to send OPTIONS requests which is spec compliant to do and the server just needs to respond with 405. Generating higher loglevel entries for this common and normal behaviour obscures the actual exceptions.

[tvdijen]

So your OK with the changes I made last night?

[thijskh]

The changes seem to be about the email form? Or am I misunderstanding it. The browsers sending legitimate OPTIONS requests will not be submitting the email form anyway...

[tvdijen]

The email form would still be generated and produce output to the logs.
I've added a boolean to be able to not show the form at all for this type of error (and therefore not produce the log output).

The OPTIONS request would still lead to:
"Error report generated with track-id xxxx"

The end-result now is that these requests do not log anything at all, unless debug-level is set.
A convenient side-effect of the change is that we can disable the email-form for specific kinds of errors.

[monkeyiq]

I see that in Error::show the old direct call to logError() is now moved to log($logLevel) which will dispatch the logBacktrace() call based on the level that is passed and the system settings.

Just a thinking out loud took a closer look comment :)

[tvdijen]

I see that in Error::show the old direct call to logError() is now moved to log($logLevel) which will dispatch the logBacktrace() call based on the level that is passed and the system settings.

Yes, that's the trick to downgrade exceptions. Any exception we want to downgrade to debug-level can be dealt with this way in ExceptionHandler