Let's talk about Exception and Log #38901
Comments
This is generally true, but sometimes it shows that one of your page contains a broken link (404) or that a server-side validation does not match the way a form or API endpoint is implemented (400). For that reason I think it would be nice to:
Shouldn't this remain part of the domain of your application? What would be the value of having this in Symfony? |
|
A big 👍 on my side. @julienfalque this kind of analytics is better done at the web server level. |
|
@julienfalque I agree with @dunglas here. 404 should be monitored with [nginx|apache|lb|varnsih] logs. Or your can use externals tools like https://redirection.io/ About 400, I usually monitor that from the client POV (JS)
An automatic conversion of NotFound to 404, AccessDenied to 403, etc. Like it's now |
|
what's the proposed namespace/package for NotFoundException & co? i've always created custom exceptions (either super specific, or generic) to be used at the domain level. Then convert them to HTTP context, yes. see also api-platform/core#3294, maybe it's related on high level. |
Agreed, but I would still keep the ability to log them via Symfony in a separate chanel, in case e.g. one cannot access logs of the webserver. |
|
btw, what semantically bugs me is use Symfony\Component\HttpFoundation\Exception\BadRequestException;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;just looking at it, it's confusing already :} |
You cannot generalize this assumption. I've worked in projects where we 100% owned the clients that interacted with the Symfony app (REST-API for an SPA or mobile app). So in that case, a 4XX in most cases means:
In the case that the frontend or backend side of my app has a problem, I'd like to get a log message including the exception(s) with stack trace(s). Logging those exceptions is reasonable here. Logging 4xx via external monitoring only means I'm losing debug information.
If my client tries to access an endpoint that doesn't exist, I'd like to know. If my backend hides a resource that the client thinks it should have access to, I'd like to know.
We probably agree that it should be easier for the app developer to do the right thing. But I don't think that we achieve this simply by swapping defaults. For me, the main problem is that the severity of an exception is highly subjective. It's okay for the framework to have an opinion, but as an app developer I want to be able to override that opinion. Maybe the solution is to create a better way to tell the framework the severity of a given exception.
I agree 100%. Your model layer should not have an opinion on HTTP status codes.
I don't see how throwing an exception that will be converted to a 404 is better than directly throwing a HTTP exception. If your model layer throws a |
|
404 errors matter when you want to know about broken links. However, it is enough to know about this link once. For such a scenario it would be useful to have a hash table, where URL and HTTP code are the key. The stored values would be a counter, how many times the error happened, and first and last time of occurrence. |
|
@jkufner Clustering of log messages is a feature of a good log management system. I don‘t think that the app should take care of this. |
|
This comes down to somewhat opinionated log management. Apart from what to log, an app should also have a solid where to log configuration. I blogged our solution for a scaled at application https://medium.com/@miniyarov/an-opinionated-symfony-monolog-configuration-for-prod-and-dev-environments-b33487fd9ea6 |
|
Thank you for this suggestion. |
|
Yes, I planned to do that soon |
This issue is a bit long, and cover two topics, to please read it all before
commenting.
1️⃣ Do not log anymore 4XX exceptions
With a fresh Symfony (5.1) but it's the same for older version, all exceptions
are logged. It could be are at
errorlevel or atcriticallevel.I created a simple controller:
And when I hit the application, I got the following log (prod env)
For recall, from the monolog
documentation
So there is two things here:
errorlevel, meaning I should monitor this, and ofcourse, fix it.
means my code is good, the request is not. => There is nothing I can do to
fix it
This is mismatch to me.
This is even more obvious with 404's. This is why, in the past we introduced in
monolog the options
excluded_404s.And then we also add
excluded_http_codesbecause, well, almost no one wantlogs for 405, 403, 401, etc.
And there is also
activation_strategyto have full control. This is what I usein my application for ages. And I copy this code from projets to projects. Boring
So my proposable it to not log at
errorlevel HTTP exceptions < 500. We couldmake it opt-in, but IMHO, this is a good default.
2️⃣ HttpException in the "model layer".
When we create controller, we have the power to manage exceptions handling, and
forge the response the use the status code we want.
But when we use third party code, like easy-admin, api-platform, etc, usually we
don't write the controller by ourself. So we can not really convert an exception
to a status code easily.
Api-platform offer us an option to convert exception instance to status code,
but I would like to go a bit further here.
First I'm not very confortable to throw
*HttpExceptionfromsymfony/http-kernel
in my model layer. It does not sens when I use theses service in my commands, or
workers.
I would feel more natural to have "raw" exception, without a binding to the SAPI.
Something like:
NotFoundExceptionForbidenExceptionInvalidInputExceptionSymfony would, of course, convert a
NotFoundExceptionto a 404 when needed.And now, we have a nice new error handlers (with serializer), so we could
easily throw raw exceptions, and have a nice handling. APIP could even remove
it's own handling from its codebase. Like:
And we could also have a map of custom exception to status code (and a way to
enable log or not for such exception, see 1️⃣)
WDYT ?
The text was updated successfully, but these errors were encountered: