triggerdotdev · ericallam · May 19, 2026 · May 18, 2026 · May 18, 2026 · May 18, 2026
diff --git a/.server-changes/sanitize-loader-action-leaks.md b/.server-changes/sanitize-loader-action-leaks.md
@@ -0,0 +1,6 @@
+---
+area: webapp
+type: fix
+---
+
+Expand API error response sanitization to additional loaders and actions so internal exception messages (Prisma errors, etc.) no longer leak to callers via 5xx response bodies.
diff --git a/apps/webapp/app/routes/api.v1.artifacts.ts b/apps/webapp/app/routes/api.v1.artifacts.ts
@@ -13,79 +13,85 @@ export async function action({ request }: ActionFunctionArgs) {
     return json({ error: "Method Not Allowed" }, { status: 405 });
   }
 
-  const authenticationResult = await authenticateRequest(request, {
-    apiKey: true,
-    organizationAccessToken: false,
-    personalAccessToken: false,
-  });
+  try {
+    const authenticationResult = await authenticateRequest(request, {
+      apiKey: true,
+      organizationAccessToken: false,
+      personalAccessToken: false,
+    });
 
-  if (!authenticationResult || !authenticationResult.result.ok) {
-    logger.info("Invalid or missing api key", { url: request.url });
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
+    if (!authenticationResult || !authenticationResult.result.ok) {
+      logger.info("Invalid or missing api key", { url: request.url });
+      return json({ error: "Invalid or Missing API key" }, { status: 401 });
+    }
 
-  const [, rawBody] = await tryCatch(request.json());
-  const body = CreateArtifactRequestBody.safeParse(rawBody ?? {});
+    const [, rawBody] = await tryCatch(request.json());
+    const body = CreateArtifactRequestBody.safeParse(rawBody ?? {});
 
-  if (!body.success) {
-    return json({ error: "Invalid request body", issues: body.error.issues }, { status: 400 });
-  }
+    if (!body.success) {
+      return json({ error: "Invalid request body", issues: body.error.issues }, { status: 400 });
+    }
 
-  const { environment: authenticatedEnv } = authenticationResult.result;
+    const { environment: authenticatedEnv } = authenticationResult.result;
 
-  const service = new ArtifactsService();
-  return await service
-    .createArtifact(body.data.type, authenticatedEnv, body.data.contentLength)
-    .match(
-      (result) => {
-        return json(
-          {
-            artifactKey: result.artifactKey,
-            uploadUrl: result.uploadUrl,
-            uploadFields: result.uploadFields,
-            expiresAt: result.expiresAt.toISOString(),
-          } satisfies CreateArtifactResponseBody,
-          { status: 201 }
-        );
-      },
-      (error) => {
-        switch (error.type) {
-          case "artifact_size_exceeds_limit": {
-            logger.warn("Artifact size exceeds limit", { error });
-            const sizeMB = parseFloat((error.contentLength / (1024 * 1024)).toFixed(1));
-            const limitMB = parseFloat((error.sizeLimit / (1024 * 1024)).toFixed(1));
+    const service = new ArtifactsService();
+    return await service
+      .createArtifact(body.data.type, authenticatedEnv, body.data.contentLength)
+      .match(
+        (result) => {
+          return json(
+            {
+              artifactKey: result.artifactKey,
+              uploadUrl: result.uploadUrl,
+              uploadFields: result.uploadFields,
+              expiresAt: result.expiresAt.toISOString(),
+            } satisfies CreateArtifactResponseBody,
+            { status: 201 }
+          );
+        },
+        (error) => {
+          switch (error.type) {
+            case "artifact_size_exceeds_limit": {
+              logger.warn("Artifact size exceeds limit", { error });
+              const sizeMB = parseFloat((error.contentLength / (1024 * 1024)).toFixed(1));
+              const limitMB = parseFloat((error.sizeLimit / (1024 * 1024)).toFixed(1));
 
-            let errorMessage;
+              let errorMessage;
 
-            switch (body.data.type) {
-              case "deployment_context":
-                errorMessage = `Artifact size (${sizeMB} MB) exceeds the allowed limit of ${limitMB} MB. Make sure you are in the correct directory of your Trigger.dev project. Reach out to us if you are seeing this error consistently.`;
-                break;
-              default:
-                body.data.type satisfies never;
-                errorMessage = `Artifact size (${sizeMB} MB) exceeds the allowed limit of ${limitMB} MB`;
+              switch (body.data.type) {
+                case "deployment_context":
+                  errorMessage = `Artifact size (${sizeMB} MB) exceeds the allowed limit of ${limitMB} MB. Make sure you are in the correct directory of your Trigger.dev project. Reach out to us if you are seeing this error consistently.`;
+                  break;
+                default:
+                  body.data.type satisfies never;
+                  errorMessage = `Artifact size (${sizeMB} MB) exceeds the allowed limit of ${limitMB} MB`;
+              }
+              return json(
+                {
+                  error: errorMessage,
+                },
+                { status: 400 }
+              );
+            }
+            case "failed_to_create_presigned_post": {
+              logger.error("Failed to create presigned POST", { error });
+              return json({ error: "Failed to generate artifact upload URL" }, { status: 500 });
+            }
+            case "artifacts_bucket_not_configured": {
+              logger.error("Artifacts bucket not configured", { error });
+              return json({ error: "Internal server error" }, { status: 500 });
+            }
+            default: {
+              error satisfies never;
+              logger.error("Failed creating artifact", { error });
+              return json({ error: "Internal server error" }, { status: 500 });
             }
-            return json(
-              {
-                error: errorMessage,
-              },
-              { status: 400 }
-            );
-          }
-          case "failed_to_create_presigned_post": {
-            logger.error("Failed to create presigned POST", { error });
-            return json({ error: "Failed to generate artifact upload URL" }, { status: 500 });
-          }
-          case "artifacts_bucket_not_configured": {
-            logger.error("Artifacts bucket not configured", { error });
-            return json({ error: "Internal server error" }, { status: 500 });
-          }
-          default: {
-            error satisfies never;
-            logger.error("Failed creating artifact", { error });
-            return json({ error: "Internal server error" }, { status: 500 });
           }
         }
-      }
-    );
+      );
+  } catch (error) {
+    if (error instanceof Response) throw error;
+    logger.error("Failed to create artifact", { error });
+    return json({ error: "Internal Server Error" }, { status: 500 });
+  }
 }
diff --git a/apps/webapp/app/routes/api.v1.auth.jwt.claims.ts b/apps/webapp/app/routes/api.v1.auth.jwt.claims.ts
@@ -1,19 +1,26 @@
 import type { LoaderFunctionArgs } from "@remix-run/server-runtime";
 import { json } from "@remix-run/server-runtime";
 import { authenticateApiRequest } from "~/services/apiAuth.server";
+import { logger } from "~/services/logger.server";
 
 export async function action({ request }: LoaderFunctionArgs) {
-  // Next authenticate the request
-  const authenticationResult = await authenticateApiRequest(request);
+  try {
+    // Next authenticate the request
+    const authenticationResult = await authenticateApiRequest(request);
 
-  if (!authenticationResult) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
+    if (!authenticationResult) {
+      return json({ error: "Invalid or Missing API key" }, { status: 401 });
+    }
 
-  const claims = {
-    sub: authenticationResult.environment.id,
-    pub: true,
-  };
+    const claims = {
+      sub: authenticationResult.environment.id,
+      pub: true,
+    };
 
-  return json(claims);
+    return json(claims);
+  } catch (error) {
+    if (error instanceof Response) throw error;
+    logger.error("Failed to read auth jwt claims", { error });
+    return json({ error: "Internal Server Error" }, { status: 500 });
+  }
 }
diff --git a/apps/webapp/app/routes/api.v1.auth.jwt.ts b/apps/webapp/app/routes/api.v1.auth.jwt.ts
@@ -1,6 +1,7 @@
 import type { LoaderFunctionArgs } from "@remix-run/server-runtime";
 import { json } from "@remix-run/server-runtime";
 import { authenticateApiRequest } from "~/services/apiAuth.server";
+import { logger } from "~/services/logger.server";
 import { z } from "zod";
 import { generateJWT as internal_generateJWT } from "@trigger.dev/core/v3";
 
@@ -14,36 +15,42 @@ const RequestBodySchema = z.object({
 });
 
 export async function action({ request }: LoaderFunctionArgs) {
-  // Next authenticate the request
-  const authenticationResult = await authenticateApiRequest(request);
-
-  if (!authenticationResult) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
+  try {
+    // Next authenticate the request
+    const authenticationResult = await authenticateApiRequest(request);
+
+    if (!authenticationResult) {
+      return json({ error: "Invalid or Missing API key" }, { status: 401 });
+    }
+
+    const parsedBody = RequestBodySchema.safeParse(await request.json());
+
+    if (!parsedBody.success) {
+      return json(
+        { error: "Invalid request body", issues: parsedBody.error.issues },
+        { status: 400 }
+      );
+    }
+
+    const claims = {
+      sub: authenticationResult.environment.id,
+      pub: true,
+      ...parsedBody.data.claims,
+    };
+
+    // Sign with the environment's current canonical key, not the raw header key,
+    // so JWTs minted with a revoked (grace-window) key still validate — validation
+    // in jwtAuth.server.ts uses environment.apiKey.
+    const jwt = await internal_generateJWT({
+      secretKey: authenticationResult.environment.apiKey,
+      payload: claims,
+      expirationTime: parsedBody.data.expirationTime ?? "1h",
+    });
+
+    return json({ token: jwt });
+  } catch (error) {
+    if (error instanceof Response) throw error;
+    logger.error("Failed to mint auth jwt", { error });
+    return json({ error: "Internal Server Error" }, { status: 500 });
   }
-
-  const parsedBody = RequestBodySchema.safeParse(await request.json());
-
-  if (!parsedBody.success) {
-    return json(
-      { error: "Invalid request body", issues: parsedBody.error.issues },
-      { status: 400 }
-    );
-  }
-
-  const claims = {
-    sub: authenticationResult.environment.id,
-    pub: true,
-    ...parsedBody.data.claims,
-  };
-
-  // Sign with the environment's current canonical key, not the raw header key,
-  // so JWTs minted with a revoked (grace-window) key still validate — validation
-  // in jwtAuth.server.ts uses environment.apiKey.
-  const jwt = await internal_generateJWT({
-    secretKey: authenticationResult.environment.apiKey,
-    payload: claims,
-    expirationTime: parsedBody.data.expirationTime ?? "1h",
-  });
-
-  return json({ token: jwt });
 }
diff --git a/apps/webapp/app/routes/api.v1.authorization-code.ts b/apps/webapp/app/routes/api.v1.authorization-code.ts
@@ -32,7 +32,7 @@ export async function action({ request }: ActionFunctionArgs) {
         error: error.message,
       });
 
-      return json({ error: error.message }, { status: 400 });
+      return json({ error: "Failed to create authorization code" }, { status: 400 });
     }
 
     return json({ error: "Something went wrong" }, { status: 500 });

diff --git a/apps/webapp/app/routes/api.v1.batches.$batchParam.results.ts b/apps/webapp/app/routes/api.v1.batches.$batchParam.results.ts
@@ -12,32 +12,38 @@ const ParamsSchema = z.object({
 });
 
 export async function loader({ request, params }: LoaderFunctionArgs) {
-  // Authenticate the request
-  const authenticationResult = await authenticateApiRequest(request);
+  try {
+    // Authenticate the request
+    const authenticationResult = await authenticateApiRequest(request);
 
-  if (!authenticationResult) {
-    return json({ error: "Invalid or Missing API Key" }, { status: 401 });
-  }
+    if (!authenticationResult) {
+      return json({ error: "Invalid or Missing API Key" }, { status: 401 });
+    }
 
-  const parsed = ParamsSchema.safeParse(params);
+    const parsed = ParamsSchema.safeParse(params);
 
-  if (!parsed.success) {
-    return json({ error: "Invalid or missing run ID" }, { status: 400 });
-  }
+    if (!parsed.success) {
+      return json({ error: "Invalid or missing run ID" }, { status: 400 });
+    }
 
-  const { batchParam } = parsed.data;
+    const { batchParam } = parsed.data;
 
-  try {
-    const presenter = new ApiBatchResultsPresenter();
-    const result = await presenter.call(batchParam, authenticationResult.environment);
+    try {
+      const presenter = new ApiBatchResultsPresenter();
+      const result = await presenter.call(batchParam, authenticationResult.environment);
 
-    if (!result) {
-      return json({ error: "Batch not found" }, { status: 404 });
-    }
+      if (!result) {
+        return json({ error: "Batch not found" }, { status: 404 });
+      }
 
-    return json(result);
+      return json(result);
+    } catch (error) {
+      logger.error("Failed to load batch results", { error });
+      return json({ error: "Something went wrong, please try again." }, { status: 500 });
+    }
   } catch (error) {
-    logger.error("Failed to load batch results", { error });
-    return json({ error: "Something went wrong, please try again." }, { status: 500 });
+    if (error instanceof Response) throw error;
+    logger.error("Failed to load batch results (outer)", { error });
+    return json({ error: "Internal Server Error" }, { status: 500 });
   }
 }