Request and Response bodies for GraphQL errors #93
Conversation
|
|
||
| - Do we need to send the GraphQL scheme to Sentry in order to do data scrubbing properly? | ||
| - Should this feature be opt-in due to the size of the data and PII risk? | ||
| - Should we send the Request and Response as different envelope items? (avoid the size limit) |
There was a problem hiding this comment.
See option 3 and 4.
|
|
||
| # Unresolved questions | ||
|
|
||
| - Do we need to send the GraphQL scheme to Sentry in order to do data scrubbing properly? |
There was a problem hiding this comment.
It'd require changes on sentry-cli, data scrubbing, etc.
There was a problem hiding this comment.
Probably not, because the PII will be under variables values per spec. and we can use that to match and strip out the PII data.
|
|
||
| SDKs should discard large and binary bodies by default, using the [maxRequestBodySize](https://docs.sentry.io/platforms/android/configuration/options/#max-request-body-size) and `maxResponseBodySize` (it'll be added) options. | ||
|
|
||
| The difference is that for GraphQL errors, this should be enabled by default. |
There was a problem hiding this comment.
If we don't send the payload, the user won't have context about what has to be fixed.
There was a problem hiding this comment.
The other option is to manipulate the request and payload sent, for example, sending only the errors of the response and the body without the variables from the request, which requires serializing/deserializing the request and response of the client, this might add performance overhead as just sending it as it is, but it's an option.
There was a problem hiding this comment.
How will we handle situations where partial data are returned with errors? Will we only send the errors to Sentry or the filtered data too?
There was a problem hiding this comment.
It's still an error, https://www.notion.so/sentry/GraphQL-proposal-d6e5846f30434770903cf3af20bc2568?pvs=4#65c51cb28c1c421e8b3edd4f5fe2f427
I'll check during the implementation if there's a performance impact of serializing the error, extracting the non-required fields, etc.
|
@scefali @malwilley adding you to the loop since this change affects the FE for syntax highlight. |
text/0087-graphql-errors.md
Outdated
|
|
||
| ## Must have | ||
|
|
||
| The fields `Request#data` and `Response#data` could contain PII and they should run data scrubbing agressively. |
There was a problem hiding this comment.
We should consider allowing people to opt out of scrubbing. Often, the actual payload is the information needed to reproduce bugs.
There was a problem hiding this comment.
Data scrubbing rules are already possible in the project config, but not everything, we'd stick with what's in there.
There was a problem hiding this comment.
Which project config? Are you talking about server-side scrubbing?
There was a problem hiding this comment.
Yes, eg https://sentry-sdks.sentry.io/settings/projects/sentry-cocoa/security-and-privacy/
Scrubbing will be server-side, so if there's an option to enable/disable, it should be there.
People can also opt-in for SDK scrubbing using beforeSend.
|
The event will likely need an identification either via |
There was a problem hiding this comment.
I'm a bit confused by this RFC 🤔. The title is Request and Response bodies for GraphQL errors, the summary describes
Add
RequestandResponsebody to events.
and the option 1 is about
adding a
datafield in the [Response]
I'm totally on board with option 1 to solve the problem for GraphQL errors. What I'm unsure about is if we also want to decide in this RFC
- if we should add request and response bodies to events (that's unclear to me)
- how to send GraphQL request and response data (I would assume we don't want to decide that in this PR)
Could you please help me 😄, @marandaneto?
|
|
||
| [Session Replay](https://docs.sentry.io/platforms/javascript/guides/remix/session-replay/configuration/) already sends the request and response bodies, so we can use the same data scrubbing rules. | ||
|
|
||
| Since GraphQL is a well defined spec, we can also scrub the GraphQL fields. |
There was a problem hiding this comment.
What about only sending the fields we are sure about not containing any PII? Then we could turn this feature on by default and no scrubbing would be needed.
There was a problem hiding this comment.
The downside is the performance impact of serializing on the client and duplicating all the data scrubbing logic in every SDK, hence focusing on Relay for PII.
It's also easier to roll out bug fixing on Relay.
It is a valid option though.
There was a problem hiding this comment.
I'll add it as a note.
Edit: it's part of the Unresolved questions already:
Should PII be scrubbed in the SDK instead?
There was a problem hiding this comment.
Doing it on every SDK is a downside, yes, but the logic for only selecting well-known fields shouldn't be that complicated. We could also move it to Relay if it is too complicated.
There was a problem hiding this comment.
During the initial discussion, we opted for Relay to avoid duplication and an easy way of rolling out bug fixes as described in the message above, if it turns out to be super simple, and has no performance impact at all, we can evaluate it in the next iteration.
Unless there's a strong reason otherwise, Relay still should do PII on its own anyway.
Sending the request and response bodies to Sentry isn't optional, this is needed for the user to know what's the issue about, how to fix it, and have syntax highlight as well, so it's either doing this or not implementing this feature.
The goal as of now is to just send it as part of the |
Co-authored-by: Roman Zavarnitsyn <[email protected]>
In the RFC, you wrote
I am confused now, do we want to apply the same data scrubbing rules as for |
|
|
||
| # Proposal (Option 1) | ||
|
|
||
| The proposal is adding a `data` field in the [Response](https://develop.sentry.dev/sdk/event-payloads/types/#responsecontext) interface. |
There was a problem hiding this comment.
Dart seems to use the key body instead of data: https://github.com/getsentry/sentry-dart/blob/7011abe27ac69bd160bdc6ecf3314974b8340b97/dart/lib/src/protocol/sentry_response.dart#L59
I think data is better because it is consistent with Request, but I wanted to point out the inconsistency.
There was a problem hiding this comment.
Good point, I can deprecate body and add data, both will serialize as data anyway.
Co-authored-by: Joris Bayer <[email protected]>
The goal is that if the event isn't a GraphQL error, it should run data scrubbing for |
@marandaneto so you want to parse the graphql and iterate over its keys / values, and apply existing data scrubbing rules to those parsed items? If so, we definitely need a discriminator. I would put it inside the request / response, maybe an optional |
yes, that can be the mechanism as suggested here #93 (comment) |
Describe your RFC briefly so that reviewers can quickly find out what
happens. Also please edit the "Rendered RFC" link so one can quickly
get to the rendered markdown file.
Rendered RFC