security: sanitize error messages to prevent info disclosure (#412)

Replace detailed error messages with generic ones to prevent leaking
internal system information to users. Actual errors are logged for
debugging.

- OAuth errors: "Authentication failed" instead of err.Error()
- Session errors: "Session error" instead of err.Error()
- JSON decode errors: "Invalid request body" instead of decode error
- Logout errors: "Logout failed" instead of err.Error()

Note: Validation errors (like "Invalid date format") are kept as they
help users understand what needs to be fixed.

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Author: cfsmp3

backend/controllers/add_task.go

@@ -27,7 +27,8 @@ func AddTaskHandler(w http.ResponseWriter, r *http.Request) {
 	if r.Method == http.MethodPost {
 		var requestBody models.AddTaskRequestBody
 		if err := json.NewDecoder(r.Body).Decode(&requestBody); err != nil {
-			http.Error(w, fmt.Sprintf("error decoding request body: %v", err), http.StatusBadRequest)
+			utils.Logger.Warnf("Failed to decode add task request: %v", err)
+			http.Error(w, "Invalid request body", http.StatusBadRequest)
 			return
 		}
 		defer r.Body.Close()

backend/controllers/app_handlers.go

@@ -91,21 +91,24 @@ func (a *App) OAuthCallbackHandler(w http.ResponseWriter, r *http.Request) {
 
 	t, err := a.Config.Exchange(context.Background(), code)
 	if err != nil {
-		http.Error(w, err.Error(), http.StatusBadRequest)
+		utils.Logger.Errorf("OAuth token exchange failed: %v", err)
+		http.Error(w, "Authentication failed", http.StatusBadRequest)
 		return
 	}
 
 	client := a.Config.Client(context.Background(), t)
 	resp, err := client.Get("https://www.googleapis.com/oauth2/v2/userinfo")
 	if err != nil {
-		http.Error(w, err.Error(), http.StatusBadRequest)
+		utils.Logger.Errorf("Failed to fetch user info from Google: %v", err)
+		http.Error(w, "Authentication failed", http.StatusBadRequest)
 		return
 	}
 	defer resp.Body.Close()
 
 	var userInfo map[string]interface{}
 	if err := json.NewDecoder(resp.Body).Decode(&userInfo); err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
+		utils.Logger.Errorf("Failed to decode user info: %v", err)
+		http.Error(w, "Authentication failed", http.StatusInternalServerError)
 		return
 	}
 
@@ -122,7 +125,8 @@ func (a *App) OAuthCallbackHandler(w http.ResponseWriter, r *http.Request) {
 	userInfo["encryption_secret"] = encryptionSecret
 	session.Values["user"] = userInfo
 	if err := session.Save(r, w); err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
+		utils.Logger.Errorf("Failed to save session: %v", err)
+		http.Error(w, "Session error", http.StatusInternalServerError)
 		return
 	}
 
@@ -179,7 +183,8 @@ func (a *App) LogoutHandler(w http.ResponseWriter, r *http.Request) {
 	session, _ := a.SessionStore.Get(r, "session-name")
 	session.Options.MaxAge = -1
 	if err := session.Save(r, w); err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
+		utils.Logger.Errorf("Failed to clear session on logout: %v", err)
+		http.Error(w, "Logout failed", http.StatusInternalServerError)
 		return
 	}