From 586825aafae39d89a6419d40563a8d5fdc4295a0 Mon Sep 17 00:00:00 2001
From: Manuel Raynaud <manu@raynaud.io>
Date: Mon, 25 Aug 2025 17:24:57 +0200
Subject: [PATCH] =?UTF-8?q?=E2=99=BB=EF=B8=8F(back)=20stop=20returning=20a?=
 =?UTF-8?q?=20500=20on=20cors=5Fproxy=20on=20request=20failure?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

On the cors_proxy endpoint, if the fetched url fails we were returning
an error 500. Instead, we log the exception and return a 400 to not
give back information to the frontend application.
---
 src/backend/core/api/viewsets.py               |  8 ++++----
 .../documents/test_api_documents_cors_proxy.py | 18 ++++++++++++++++++
 2 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/src/backend/core/api/viewsets.py b/src/backend/core/api/viewsets.py
index 90267961..a9c8ee24 100644
--- a/src/backend/core/api/viewsets.py
+++ b/src/backend/core/api/viewsets.py
@@ -1481,10 +1481,10 @@ class DocumentViewSet(
             return proxy_response
 
         except requests.RequestException as e:
-            logger.error("Proxy request failed: %s", str(e))
-            return drf_response.Response(
-                {"error": f"Failed to fetch resource: {e!s}"},
-                status=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            logger.exception(e)
+            return drf.response.Response(
+                {"error": f"Failed to fetch resource from {url}"},
+                status=status.HTTP_400_BAD_REQUEST,
             )
 
 
diff --git a/src/backend/core/tests/documents/test_api_documents_cors_proxy.py b/src/backend/core/tests/documents/test_api_documents_cors_proxy.py
index 3356e93c..a4abb981 100644
--- a/src/backend/core/tests/documents/test_api_documents_cors_proxy.py
+++ b/src/backend/core/tests/documents/test_api_documents_cors_proxy.py
@@ -2,6 +2,7 @@
 
 import pytest
 import responses
+from requests.exceptions import RequestException
 from rest_framework.test import APIClient
 
 from core import factories
@@ -170,3 +171,20 @@ def test_api_docs_cors_proxy_invalid_url(url_to_fetch):
     )
     assert response.status_code == 400
     assert response.json() == ["Enter a valid URL."]
+
+
+@responses.activate
+def test_api_docs_cors_proxy_request_failed():
+    """Test the CORS proxy API for documents with a request failed."""
+    document = factories.DocumentFactory(link_reach="public")
+
+    client = APIClient()
+    url_to_fetch = "https://external-url.com/assets/index.html"
+    responses.get(url_to_fetch, body=RequestException("Connection refused"))
+    response = client.get(
+        f"/api/v1.0/documents/{document.id!s}/cors-proxy/?url={url_to_fetch}"
+    )
+    assert response.status_code == 400
+    assert response.json() == {
+        "error": "Failed to fetch resource from https://external-url.com/assets/index.html"
+    }