Help hiding sensitive information in validation responses

[Rory-Powell]

Hi there, I'm looking for some advice for removing sensitive inputs from validation error messages for PII reasons.

For example the following response:

Variable "$input" got invalid value 0 at "input[0]"; String cannot represent a non string value: 0

Is returned from here:

graphql-js/src/execution/values.ts

Lines 125 to 129 in 8c749e9

	let prefix =
	`Variable "$${varName}" got invalid value ` + inspect(invalidValue);
	if (path.length > 0) {
	prefix += ` at "${varName}${printPathArray(path)}"`;
	}

If possible I'd like to avoid this behaviour for certain fields in my schema which are sensitive.

So far I have attempted to define my own scalars, SensitiveString, SensitivePhoneNumber etc, throwing a custom error, and in my formatError error handler (using apollo server) manually parsing and removing the sensitive input values. This is important so that Personally Identifiable Information isn't logged or captured by tracing tools.

This worked for logging, however tracing tools (datadogs dd-trace in particular) hooks into the execute error response prior to my error handler being activated, meaning that the sensitive information is still captured in traces.

One important thing to note is that this isn't an issue when values are embedded into queries, as a different validation mechanism is used:

graphql-js/src/validation/rules/ValuesOfCorrectTypeRule.ts

Lines 169 to 177 in 8cfa3de

	if (error instanceof GraphQLError) {
	context.reportError(error);
	} else {
	context.reportError(
	new GraphQLError(
	`Expected value of type "${typeStr}", found ${print(node)}; ` +
	error.message,
	{ nodes: node, originalError: error },
	),

Here I can simply make sure I throw an instance of GraphQLError from my custom scalar and custom error message will be respected and not wrapped.

Is there a way to make sure the input values wrapping doesn't take place when variables aren't embedded in the query and the coerceVariableValues is used?