fix: respect exposed error messages

README.md

@@ -39,7 +39,8 @@ When an error is written, the following information is added to the response:
     this value is outside the 4xx or 5xx range, it will be set to 500.
   * The `res.statusMessage` is set according to the status code.
   * The body will be the HTML of the status code message if `env` is
-    `'production'`, otherwise will be `err.stack`.
+    `'production'`, unless `err.expose` is true and `err.message` is set.
+    In other environments, the body will be `err.stack`.
   * Any headers specified in an `err.headers` object.
 
 The final handler will also unpipe anything from `req` when it is invoked.
@@ -147,4 +148,4 @@ function logerror (err) {
 [github-actions-ci-image]: https://github.com/pillarjs/finalhandler/actions/workflows/ci.yml/badge.svg
 [github-actions-ci-url]: https://github.com/pillarjs/finalhandler/actions/workflows/ci.yml
 [ossf-scorecard-badge]: https://api.scorecard.dev/projects/github.com/pillarjs/finalhandler/badge
-[ossf-scorecard-visualizer]: https://ossf.github.io/scorecard-visualizer/#/projects/github.com/pillarjs/finalhandler
+[ossf-scorecard-visualizer]: https://ossf.github.io/scorecard-visualizer/#/projects/github.com/pillarjs/finalhandler

index.js

@@ -165,6 +165,9 @@ function getErrorMessage (err, status, env) {
     if (!msg && typeof err.toString === 'function') {
       msg = err.toString()
     }
+  } else if (err.expose && typeof err.message === 'string') {
+    // use exposed error messages in production
+    msg = err.message
   }
 
   return msg || statuses.message[status]

test/test.js

@@ -351,6 +351,34 @@ var topDescribe = function (type, createServer) {
         .expect(501, /<pre>Not Implemented<\/pre>/, done)
     })
 
+    it('should send exposed error message when production', function (done) {
+      var err = createError('missing id', {
+        expose: true,
+        status: 400
+      })
+      wrapper(request(createServer(err, {
+        env: 'production'
+      }))
+        .get('/foo'))
+        .expect(400, /<pre>missing id<\/pre>/, done)
+    })
+
+    it('should hide unexposed error message when production', function (done) {
+      var err = createError('secret failure', {
+        expose: false,
+        status: 400
+      })
+      wrapper(request(createServer(err, {
+        env: 'production'
+      }))
+        .get('/foo'))
+        .expect(400, /<pre>Bad Request<\/pre>/)
+        .expect(function (res) {
+          assert.strictEqual(res.text.indexOf('secret failure'), -1)
+        })
+        .end(done)
+    })
+
     describe('when there is a request body', function () {
       it('should not hang/error when unread', function (done) {
         var buf = Buffer.alloc(1024 * 16, '.')