**feat(api): Enforce bulk operation limits, secure endpoints, and improve error handling**

JamesKane · JamesKane · commit 03b9a321f6c1 · 2026-03-06T18:37:23.000-06:00
- Added limits (`MaxBulkSize`) to bulk operations (`bulkCreateRegions`, `bulkAddBuilds`, `bulkUpdateRsIds`, `bulkAssignDuNames`) to prevent excessive requests.
- Introduced `ApiSecurityAction` to secure endpoints, including `registerPDS` and `triggerDiscovery`.
- Improved error handling with more descriptive messages and consistent formatting across APIs (e.g., database error messaging).
- Enhanced input validation (e.g., `safePage` in `listFragment`, referer sanitization in `switchLanguage`).
- Updated session cookie security settings in `application.conf` to ensure compliance with secure practices.
diff --git a/app/actions/AuthenticatedAction.scala b/app/actions/AuthenticatedAction.scala
@@ -52,9 +52,14 @@ class RoleAction @Inject()(authService: AuthService)(implicit ec: ExecutionConte
     override protected def executionContext: ExecutionContext = ec
 
     override protected def filter[A](request: AuthenticatedRequest[A]): Future[Option[Result]] = {
-      authService.hasAnyRole(request.user.id.get, requiredRoles).map { hasRole =>
-        if (hasRole) None
-        else Some(Results.Forbidden("You do not have the required permissions to access this resource."))
+      request.user.id match {
+        case Some(userId) =>
+          authService.hasAnyRole(userId, requiredRoles).map { hasRole =>
+            if (hasRole) None
+            else Some(Results.Forbidden("You do not have the required permissions to access this resource."))
+          }
+        case None =>
+          Future.successful(Some(Results.Forbidden("You do not have the required permissions to access this resource.")))
       }
     }
   }
@@ -70,9 +75,14 @@ class PermissionAction @Inject()(authService: AuthService)(implicit ec: Executio
     override protected def executionContext: ExecutionContext = ec
 
     override protected def filter[A](request: AuthenticatedRequest[A]): Future[Option[Result]] = {
-      authService.hasPermission(request.user.id.get, permission).map { hasPermission =>
-        if (hasPermission) None
-        else Some(Results.Forbidden(s"Missing required permission: $permission"))
+      request.user.id match {
+        case Some(userId) =>
+          authService.hasPermission(userId, permission).map { hasPermission =>
+            if (hasPermission) None
+            else Some(Results.Forbidden("You do not have the required permissions to access this resource."))
+          }
+        case None =>
+          Future.successful(Some(Results.Forbidden("You do not have the required permissions to access this resource.")))
       }
     }
   }
diff --git a/app/controllers/ExternalBiosampleController.scala b/app/controllers/ExternalBiosampleController.scala
@@ -112,7 +112,7 @@ class ExternalBiosampleController @Inject()(
       case e: Exception =>
         InternalServerError(Json.obj(
           "error" -> "Internal server error",
-          "message" -> s"An unexpected error occurred while attempting to delete biosample with accession '$accession': ${e.getMessage}"
+          "message" -> s"An unexpected error occurred while attempting to delete biosample with accession '$accession'"
         ))
     }
   }
diff --git a/app/controllers/GenomeRegionsApiManagementController.scala b/app/controllers/GenomeRegionsApiManagementController.scala
@@ -74,11 +74,17 @@ class GenomeRegionsApiManagementController @Inject()(
     }
   }
 
+  private val MaxBulkRegions = 1000
+
   def bulkCreateRegions(): Action[BulkCreateGenomeRegionsRequest] =
     secureApi.jsonAction[BulkCreateGenomeRegionsRequest].async { request =>
-      logger.info(s"API: Bulk creating ${request.body.regions.size} genome regions")
-      managementService.bulkCreateRegions(request.body, None).map { response =>
-        Ok(Json.toJson(response))
+      if (request.body.regions.size > MaxBulkRegions) {
+        Future.successful(BadRequest(Json.obj("error" -> s"Bulk create limited to $MaxBulkRegions regions per request")))
+      } else {
+        logger.info(s"API: Bulk creating ${request.body.regions.size} genome regions")
+        managementService.bulkCreateRegions(request.body, None).map { response =>
+          Ok(Json.toJson(response))
+        }
       }
     }
 }
diff --git a/app/controllers/HaplogroupTreeMergeController.scala b/app/controllers/HaplogroupTreeMergeController.scala
@@ -116,8 +116,7 @@ class HaplogroupTreeMergeController @Inject()(
       }.recover { case e: Exception =>
         logger.error(s"Merge preview failed: ${e.getMessage}", e)
         InternalServerError(Json.obj(
-          "error" -> "Preview operation failed",
-          "details" -> e.getMessage
+          "error" -> "Preview operation failed"
         ))
       }
     }
diff --git a/app/controllers/LanguageController.scala b/app/controllers/LanguageController.scala
@@ -11,12 +11,14 @@ class LanguageController @Inject()(val controllerComponents: ControllerComponent
 
   def switchLanguage(lang: String): Action[AnyContent] = Action { implicit request =>
     val referer = request.headers.get(REFERER).getOrElse("/")
+    // Prevent open redirect: only allow relative paths
+    val safeTarget = if (referer.startsWith("/") && !referer.startsWith("//")) referer else "/"
     val supportedLangs = messagesApi.messages.keys.filter(_ != "default").toSet
 
     if (supportedLangs.contains(lang)) {
-      Redirect(referer).withLang(Lang(lang))
+      Redirect(safeTarget).withLang(Lang(lang))
     } else {
-      Redirect(referer)
+      Redirect(safeTarget)
     }
   }
 }
diff --git a/app/controllers/PDSRegistrationController.scala b/app/controllers/PDSRegistrationController.scala
@@ -1,5 +1,6 @@
 package controllers
 
+import actions.ApiSecurityAction
 import api.PdsRegistrationRequest
 import play.api.libs.json.{JsError, JsSuccess, Json}
 import play.api.mvc.{Action, AnyContent, BaseController, ControllerComponents}
@@ -14,6 +15,7 @@ import scala.concurrent.{ExecutionContext, Future}
 @Singleton
 class PDSRegistrationController @Inject()(
                                            val controllerComponents: ControllerComponents,
+                                           secureApi: ApiSecurityAction,
                                            pdsRegistrationService: PDSRegistrationService,
                                            reputationService: ReputationService,
                                            userRepository: UserRepository
@@ -22,10 +24,11 @@ class PDSRegistrationController @Inject()(
   /**
    * Handles the registration of a new Personal Data Server (PDS).
    * Expects a JSON body containing PdsRegistrationRequest.
+   * Secured with X-API-Key authentication.
    *
    * @return An `Action` that processes the registration request.
    */
-  def registerPDS(): Action[play.api.libs.json.JsValue] = Action.async(parse.json) { implicit request =>
+  def registerPDS(): Action[play.api.libs.json.JsValue] = secureApi.async(parse.json) { implicit request =>
     request.body.validate[PdsRegistrationRequest] match {
       case JsSuccess(pdsRegistrationRequest, _) =>
         pdsRegistrationService.registerPDS(
diff --git a/app/controllers/PublicationCandidateController.scala b/app/controllers/PublicationCandidateController.scala
@@ -84,7 +84,8 @@ class PublicationCandidateController @Inject()(
   def bulkAction(): Action[AnyContent] = CuratorAction.async { implicit request =>
     val reviewerId = request.user.id.get
     val formData = request.body.asFormUrlEncoded.getOrElse(Map.empty)
-    val ids = formData.getOrElse("candidateIds", Seq.empty).flatMap(_.split(",")).flatMap(_.toIntOption).toSeq
+    val MaxBulkSize = 500
+    val ids = formData.getOrElse("candidateIds", Seq.empty).flatMap(_.split(",")).flatMap(_.toIntOption).take(MaxBulkSize).toSeq
     val action = formData.get("bulkAction").flatMap(_.headOption).getOrElse("")
     val reason = formData.get("reason").flatMap(_.headOption)
 
diff --git a/app/controllers/PublicationDiscoveryController.scala b/app/controllers/PublicationDiscoveryController.scala
@@ -1,5 +1,6 @@
 package controllers
 
+import actions.ApiSecurityAction
 import actors.PublicationDiscoveryActor
 import jakarta.inject.{Inject, Named, Singleton}
 import org.apache.pekko.actor.ActorRef
@@ -9,10 +10,11 @@ import play.api.mvc.{Action, AnyContent, BaseController, ControllerComponents}
 @Singleton
 class PublicationDiscoveryController @Inject()(
                                                 val controllerComponents: ControllerComponents,
+                                                secureApi: ApiSecurityAction,
                                                 @Named("publication-discovery-actor") publicationDiscoveryActor: ActorRef
                                               ) extends BaseController with Logging {
 
-  def triggerDiscovery(): Action[AnyContent] = Action {
+  def triggerDiscovery(): Action[AnyContent] = secureApi {
     logger.info("Manually triggering publication discovery via API.")
     publicationDiscoveryActor ! PublicationDiscoveryActor.RunDiscovery
     Ok("Publication discovery run triggered.")
diff --git a/app/controllers/TreeController.scala b/app/controllers/TreeController.scala
@@ -231,7 +231,8 @@ class TreeController @Inject()(val controllerComponents: MessagesControllerCompo
         case _: IllegalArgumentException =>
           Ok(views.html.fragments.error(s"Haplogroup $haplogroupName not found"))
         case e =>
-          Ok(views.html.fragments.error(e.getMessage))
+          logger.error(s"Error loading tree fragment: ${e.getMessage}", e)
+          Ok(views.html.fragments.error("An unexpected error occurred while loading this view."))
       }
   }
 
diff --git a/app/controllers/VariantApiController.scala b/app/controllers/VariantApiController.scala
@@ -28,25 +28,31 @@ class VariantApiController @Inject()(
    * Bulk add reference builds (coordinates) to existing variants.
    * Matches variants by name or rsId, then adds coordinates for the specified reference genome.
    */
+  private val MaxBulkSize = 1000
+
   def bulkAddBuilds(): Action[BulkAddVariantBuildsRequest] =
     secureApi.jsonAction[BulkAddVariantBuildsRequest].async { request =>
-      val requests = request.body.variants
-      logger.info(s"Bulk add builds request for ${requests.size} variants")
+      if (request.body.variants.size > MaxBulkSize) {
+        Future.successful(BadRequest(Json.obj("error" -> s"Bulk operations limited to $MaxBulkSize items per request")))
+      } else {
+        val requests = request.body.variants
+        logger.info(s"Bulk add builds request for ${requests.size} variants")
 
-      val resultFutures = requests.map(processAddBuildRequest)
+        val resultFutures = requests.map(processAddBuildRequest)
 
-      Future.sequence(resultFutures).map { results =>
-        val succeeded = results.count(_.status == "success")
-        val failed = results.count(_.status != "success")
+        Future.sequence(resultFutures).map { results =>
+          val succeeded = results.count(_.status == "success")
+          val failed = results.count(_.status != "success")
 
-        logger.info(s"Bulk add builds completed: $succeeded succeeded, $failed failed")
+          logger.info(s"Bulk add builds completed: $succeeded succeeded, $failed failed")
 
-        Ok(Json.toJson(BulkVariantOperationResponse(
-          total = results.size,
-          succeeded = succeeded,
-          failed = failed,
-          results = results
-        )))
+          Ok(Json.toJson(BulkVariantOperationResponse(
+            total = results.size,
+            succeeded = succeeded,
+            failed = failed,
+            results = results
+          )))
+        }
       }
     }
 
@@ -56,23 +62,27 @@ class VariantApiController @Inject()(
    */
   def bulkUpdateRsIds(): Action[BulkUpdateRsIdsRequest] =
     secureApi.jsonAction[BulkUpdateRsIdsRequest].async { request =>
-      val requests = request.body.variants
-      logger.info(s"Bulk update rsIds request for ${requests.size} variants")
+      if (request.body.variants.size > MaxBulkSize) {
+        Future.successful(BadRequest(Json.obj("error" -> s"Bulk operations limited to $MaxBulkSize items per request")))
+      } else {
+        val requests = request.body.variants
+        logger.info(s"Bulk update rsIds request for ${requests.size} variants")
 
-      val resultFutures = requests.map(processUpdateRsIdRequest)
+        val resultFutures = requests.map(processUpdateRsIdRequest)
 
-      Future.sequence(resultFutures).map { results =>
-        val succeeded = results.count(_.status == "success")
-        val failed = results.count(_.status != "success")
+        Future.sequence(resultFutures).map { results =>
+          val succeeded = results.count(_.status == "success")
+          val failed = results.count(_.status != "success")
 
-        logger.info(s"Bulk update rsIds completed: $succeeded succeeded, $failed failed")
+          logger.info(s"Bulk update rsIds completed: $succeeded succeeded, $failed failed")
 
-        Ok(Json.toJson(BulkVariantOperationResponse(
-          total = results.size,
-          succeeded = succeeded,
-          failed = failed,
-          results = results
-        )))
+          Ok(Json.toJson(BulkVariantOperationResponse(
+            total = results.size,
+            succeeded = succeeded,
+            failed = failed,
+            results = results
+          )))
+        }
       }
     }
 
@@ -138,7 +148,7 @@ class VariantApiController @Inject()(
                   name = req.name,
                   rsId = req.rsId,
                   status = "error",
-                  message = Some(s"Database error: ${e.getMessage}")
+                  message = Some("A database error occurred while processing this request")
                 )
               }
             }
@@ -184,7 +194,7 @@ class VariantApiController @Inject()(
         name = Some(req.name),
         rsId = Some(req.rsId),
         status = "error",
-        message = Some(s"Database error: ${e.getMessage}")
+        message = Some("A database error occurred while processing this request")
       )
     }
   }
@@ -218,7 +228,7 @@ class VariantApiController @Inject()(
             newSource = req.newSource,
             aliasesUpdated = 0,
             status = "error",
-            message = Some(s"Database error: ${e.getMessage}")
+            message = Some("A database error occurred while processing this request")
           )
         }
       }
@@ -305,28 +315,32 @@ class VariantApiController @Inject()(
    */
   def bulkAssignDuNames(): Action[BulkAssignDuNamesRequest] =
     secureApi.jsonAction[BulkAssignDuNamesRequest].async { request =>
-      val variantIds = request.body.variantIds
-      logger.info(s"Bulk assign DU names request for ${variantIds.size} variants")
-
-      // Process sequentially to maintain name ordering
-      variantIds.foldLeft(Future.successful(Seq.empty[DuNameAssignmentResult])) { (accFuture, variantId) =>
-        accFuture.flatMap { acc =>
-          processAssignDuName(variantId).map(result => acc :+ result)
-        }
-      }.map { results =>
-        val succeeded = results.count(_.status == "success")
-        val failed = results.count(_.status == "error")
-        val skipped = results.count(_.status == "skipped")
-
-        logger.info(s"Bulk assign DU names completed: $succeeded succeeded, $failed failed, $skipped skipped")
+      if (request.body.variantIds.size > MaxBulkSize) {
+        Future.successful(BadRequest(Json.obj("error" -> s"Bulk operations limited to $MaxBulkSize items per request")))
+      } else {
+        val variantIds = request.body.variantIds
+        logger.info(s"Bulk assign DU names request for ${variantIds.size} variants")
 
-        Ok(Json.toJson(BulkDuNameAssignmentResponse(
-          total = results.size,
-          succeeded = succeeded,
-          failed = failed,
-          skipped = skipped,
+        // Process sequentially to maintain name ordering
+        variantIds.foldLeft(Future.successful(Seq.empty[DuNameAssignmentResult])) { (accFuture, variantId) =>
+          accFuture.flatMap { acc =>
+            processAssignDuName(variantId).map(result => acc :+ result)
+          }
+        }.map { results =>
+          val succeeded = results.count(_.status == "success")
+          val failed = results.count(_.status == "error")
+          val skipped = results.count(_.status == "skipped")
+
+          logger.info(s"Bulk assign DU names completed: $succeeded succeeded, $failed failed, $skipped skipped")
+
+          Ok(Json.toJson(BulkDuNameAssignmentResponse(
+            total = results.size,
+            succeeded = succeeded,
+            failed = failed,
+            skipped = skipped,
           results = results
         )))
+        }
       }
     }
 
diff --git a/app/controllers/VariantBrowserController.scala b/app/controllers/VariantBrowserController.scala
@@ -42,12 +42,14 @@ class VariantBrowserController @Inject()(
    */
   def listFragment(query: Option[String], page: Int, pageSize: Int): Action[AnyContent] = Action.async {
     implicit request: Request[AnyContent] =>
-      val offset = (page - 1) * pageSize
+      val safePage = Math.max(1, page)
+      val safePageSize = Math.max(1, Math.min(pageSize, 100))
+      val offset = (safePage - 1) * safePageSize
       for {
-        (variants, totalCount) <- getCachedSearchResults(query.getOrElse(""), offset, pageSize)
+        (variants, totalCount) <- getCachedSearchResults(query.getOrElse(""), offset, safePageSize)
       } yield {
-        val totalPages = Math.max(1, (totalCount + pageSize - 1) / pageSize)
-        Ok(views.html.variants.listFragment(variants, query, page, totalPages, pageSize, totalCount))
+        val totalPages = Math.max(1, (totalCount + safePageSize - 1) / safePageSize)
+        Ok(views.html.variants.listFragment(variants, query, safePage, totalPages, safePageSize, totalCount))
       }
   }
 
diff --git a/app/filters/ApiKeyFilter.scala b/app/filters/ApiKeyFilter.scala
@@ -3,6 +3,7 @@ package filters
 import play.api.mvc.*
 import services.CachedSecretsManagerService
 
+import java.security.MessageDigest
 import javax.inject.Inject
 import scala.concurrent.{ExecutionContext, Future}
 
@@ -37,7 +38,7 @@ class ApiKeyFilter @Inject()(
         Some(Results.Unauthorized("API key missing"))
       case Some(providedKey) =>
         secretsManager.getCachedApiKey match {
-          case Some(storedKey) if providedKey == storedKey =>
+          case Some(storedKey) if MessageDigest.isEqual(providedKey.getBytes("UTF-8"), storedKey.getBytes("UTF-8")) =>
             None // Allow the request to proceed
           case _ =>
             Some(Results.Unauthorized("Invalid API key"))
diff --git a/app/views/publicationList.scala.html b/app/views/publicationList.scala.html
@@ -4,7 +4,7 @@
     <div class="alert alert-info" role="alert">
     @searchQuery match {
         case Some(q) => {
-            @messages("publication.list.notFound", Html(s"<strong>$q</strong>"))
+            @messages("publication.list.notFound", q)
         }
         case None => {
             @messages("publication.list.empty")
diff --git a/conf/application.conf b/conf/application.conf
@@ -7,8 +7,11 @@ play.i18n {
   langs = [ "en", "fr", "es" ]
 }
 
-# No need to create cookies in a read-only application.  Remove when appropriate
-play.http.session.disabled=true
+# Session cookie security
+play.http.session.httpOnly = true
+play.http.session.secure = true
+play.http.session.secure = ${?SESSION_SECURE}
+play.http.session.sameSite = "lax"
 
 # Increase max request body size for tree merge API (default is 100KB)
 play.http.parser.maxMemoryBuffer = 10MB
diff --git a/conf/routes b/conf/routes

Original file line number	Diff line number	Diff line change
`@@ -52,9 +52,14 @@ class RoleAction @Inject()(authService: AuthService)(implicit ec: ExecutionConte`
`52`	`52`	`override protected def executionContext: ExecutionContext = ec`
`53`	`53`
`54`	`54`	`override protected def filter[A](request: AuthenticatedRequest[A]): Future[Option[Result]] = {`
`55`		`- authService.hasAnyRole(request.user.id.get, requiredRoles).map { hasRole =>`
`56`		`- if (hasRole) None`
`57`		`- else Some(Results.Forbidden("You do not have the required permissions to access this resource."))`
	`55`	`+ request.user.id match {`
	`56`	`+ case Some(userId) =>`
	`57`	`+ authService.hasAnyRole(userId, requiredRoles).map { hasRole =>`
	`58`	`+ if (hasRole) None`
	`59`	`+ else Some(Results.Forbidden("You do not have the required permissions to access this resource."))`
	`60`	`+ }`
	`61`	`+ case None =>`
	`62`	`+ Future.successful(Some(Results.Forbidden("You do not have the required permissions to access this resource.")))`
`58`	`63`	`}`
`59`	`64`	`}`
`60`	`65`	`}`
`@@ -70,9 +75,14 @@ class PermissionAction @Inject()(authService: AuthService)(implicit ec: Executio`
`70`	`75`	`override protected def executionContext: ExecutionContext = ec`
`71`	`76`
`72`	`77`	`override protected def filter[A](request: AuthenticatedRequest[A]): Future[Option[Result]] = {`
`73`		`- authService.hasPermission(request.user.id.get, permission).map { hasPermission =>`
`74`		`- if (hasPermission) None`
`75`		`- else Some(Results.Forbidden(s"Missing required permission: $permission"))`
	`78`	`+ request.user.id match {`
	`79`	`+ case Some(userId) =>`
	`80`	`+ authService.hasPermission(userId, permission).map { hasPermission =>`
	`81`	`+ if (hasPermission) None`
	`82`	`+ else Some(Results.Forbidden("You do not have the required permissions to access this resource."))`
	`83`	`+ }`
	`84`	`+ case None =>`
	`85`	`+ Future.successful(Some(Results.Forbidden("You do not have the required permissions to access this resource.")))`
`76`	`86`	`}`
`77`	`87`	`}`
`78`	`88`	`}`
Original file line number	Diff line number	Diff line change
`@@ -112,7 +112,7 @@ class ExternalBiosampleController @Inject()(`
`112`	`112`	`case e: Exception =>`
`113`	`113`	`InternalServerError(Json.obj(`
`114`	`114`	`"error" -> "Internal server error",`
`115`		`- "message" -> s"An unexpected error occurred while attempting to delete biosample with accession '$accession': ${e.getMessage}"`
	`115`	`+ "message" -> s"An unexpected error occurred while attempting to delete biosample with accession '$accession'"`
`116`	`116`	`))`
`117`	`117`	`}`
`118`	`118`	`}`
Original file line number	Diff line number	Diff line change
`@@ -74,11 +74,17 @@ class GenomeRegionsApiManagementController @Inject()(`
`74`	`74`	`}`
`75`	`75`	`}`
`76`	`76`
	`77`	`+ private val MaxBulkRegions = 1000`
	`78`	`+`
`77`	`79`	`def bulkCreateRegions(): Action[BulkCreateGenomeRegionsRequest] =`
`78`	`80`	`secureApi.jsonAction[BulkCreateGenomeRegionsRequest].async { request =>`
`79`		`- logger.info(s"API: Bulk creating ${request.body.regions.size} genome regions")`
`80`		`- managementService.bulkCreateRegions(request.body, None).map { response =>`
`81`		`- Ok(Json.toJson(response))`
	`81`	`+ if (request.body.regions.size > MaxBulkRegions) {`
	`82`	`+ Future.successful(BadRequest(Json.obj("error" -> s"Bulk create limited to $MaxBulkRegions regions per request")))`
	`83`	`+ } else {`
	`84`	`+ logger.info(s"API: Bulk creating ${request.body.regions.size} genome regions")`
	`85`	`+ managementService.bulkCreateRegions(request.body, None).map { response =>`
	`86`	`+ Ok(Json.toJson(response))`
	`87`	`+ }`
`82`	`88`	`}`
`83`	`89`	`}`
`84`	`90`	`}`
Original file line number	Diff line number	Diff line change
`@@ -116,8 +116,7 @@ class HaplogroupTreeMergeController @Inject()(`
`116`	`116`	`}.recover { case e: Exception =>`
`117`	`117`	`logger.error(s"Merge preview failed: ${e.getMessage}", e)`
`118`	`118`	`InternalServerError(Json.obj(`
`119`		`- "error" -> "Preview operation failed",`
`120`		`- "details" -> e.getMessage`
	`119`	`+ "error" -> "Preview operation failed"`
`121`	`120`	`))`
`122`	`121`	`}`
`123`	`122`	`}`
Original file line number	Diff line number	Diff line change
`@@ -11,12 +11,14 @@ class LanguageController @Inject()(val controllerComponents: ControllerComponent`
`11`	`11`
`12`	`12`	`def switchLanguage(lang: String): Action[AnyContent] = Action { implicit request =>`
`13`	`13`	`val referer = request.headers.get(REFERER).getOrElse("/")`
	`14`	`+ // Prevent open redirect: only allow relative paths`
	`15`	`+ val safeTarget = if (referer.startsWith("/") && !referer.startsWith("//")) referer else "/"`
`14`	`16`	`val supportedLangs = messagesApi.messages.keys.filter(_ != "default").toSet`
`15`	`17`
`16`	`18`	`if (supportedLangs.contains(lang)) {`
`17`		`- Redirect(referer).withLang(Lang(lang))`
	`19`	`+ Redirect(safeTarget).withLang(Lang(lang))`
`18`	`20`	`} else {`
`19`		`- Redirect(referer)`
	`21`	`+ Redirect(safeTarget)`
`20`	`22`	`}`
`21`	`23`	`}`
`22`	`24`	`}`
Original file line number	Diff line number	Diff line change
`@@ -231,7 +231,8 @@ class TreeController @Inject()(val controllerComponents: MessagesControllerCompo`
`231`	`231`	`case _: IllegalArgumentException =>`
`232`	`232`	`Ok(views.html.fragments.error(s"Haplogroup $haplogroupName not found"))`
`233`	`233`	`case e =>`
`234`		`- Ok(views.html.fragments.error(e.getMessage))`
	`234`	`+ logger.error(s"Error loading tree fragment: ${e.getMessage}", e)`
	`235`	`+ Ok(views.html.fragments.error("An unexpected error occurred while loading this view."))`
`235`	`236`	`}`
`236`	`237`	`}`
`237`	`238`