Error Sanitization for User-Facing Services

Context

We observed verbose error chains leaking internal details (e.g., Aerospike, underlying storage errors, and deep wrapped chains) into user-facing surfaces (propagation, asset server, p2p). This is useful for debugging but not appropriate for external clients.

Goal

Return succinct, safe error messages to users while preserving full error detail in logs and internal chains.

Summary of Changes

1. Centralized sanitization helpers

   • Added helpers in errors to generate concise, public-safe messages and sanitized errors for gRPC/HTTP.

2. Propagation service sanitization

   • HTTP endpoints now return short messages (no wrapped chain or data).
   • gRPC errors are wrapped with sanitized status (code + message only).
   • Batch responses return sanitized TError per item.

3. Asset server sanitization

   • HTTP error responses now use sanitized messages.

4. P2P API sanitization

   • User-facing gRPC endpoints return sanitized errors instead of raw internal chains.

Detailed Changes

New error helpers (errors/errors.go)

• UserMessage(err)
  Returns a concise message like TX_INVALID (31): tx invalid (no wrapped chain, no data).
• PublicError(err)
  Creates a sanitized *errors.Error with only code + message.
• WrapGRPCPublic(err)
  Produces a gRPC status with only the sanitized code/message.
• WrapPublic(err)
  Converts to sanitized *errors.TError (used in batch responses).

Propagation (services/propagation/Server.go)

• /tx and /txs HTTP error responses now use errors.UserMessage(err)
  (removes internal storage/db details and long chains).
• gRPC ProcessTransaction returns WrapGRPCPublic(err) to keep responses minimal.
• Batch ProcessTransactionBatch uses WrapPublic(err) per item to strip details.

Asset server (services/asset/httpimpl/sendError.go)

• JSON error response now uses errors.UserMessage(err) instead of err.Error().

P2P (services/p2p/Server.go)

• Sanitized errors for user-facing endpoints:
  • GetPeers when P2P client not initialized
  • BanPeer, UnbanPeer errors
  • RecordBytesDownloaded decode errors

Example Before/After

Before (too verbose):

PROCESSING (4): [Validate][txid] error spending utxos -> PROCESSING (4): validator: UTXO Store spend failed ... -> TX_INVALID (31): error in aerospike spend ... -> 70: UTXO_SPENT (70): ... "utxo ... already spent by ..."

After (sanitized):

TX_INVALID (31): tx invalid

or

UTXO_SPENT (70): utxo already spent

Files Touched

• errors/errors.go
• services/propagation/Server.go
• services/asset/httpimpl/sendError.go
• services/p2p/Server.go

Risks / Considerations

• Less detail for external users; internal logs still preserve full chains.
• gRPC clients now receive sanitized errors, so any client-side logic depending on deep error chains should be reviewed.

Follow-ups (Optional)

• Extend sanitization to other external surfaces (RPC/validator/legacy APIs).
• Add a config flag to toggle verbose vs public errors for debug environments.
• Add tests verifying sanitized responses.

Note

There is an additional change in services/propagation/Server.go to ignore ErrBlobAlreadyExists when storing transactions. This appears separate from sanitization and is not part of the error-sanitization scope.