Comments (8)
Server Actions are public API endpoints
This needs to be explicitly stated in the documentation.
The Server Action Documentation states "You should treat Server Actions as you would public-facing API endpoints, and ensure that the user is authorized to perform the action."
The implication taken from this statement is that authorization on Server Actions is needed for application-logic user permission roles, such that a 'logged-out' user role can't invoke a 'logged-in' user action or a 'non-admin' user role can't invoke an 'admin' user action.
The statement should be "Server Actions are public-facing API endpoints, and you should ensure that the user is authorized to perform the action."
from next.js.
Yes @RhysSullivan thanks that’s very helpful, I’ll take a look!
But also keep in mind that Server Actions are public API endpoints even though they feel like internal function calls. So you'll still need an authentication layer for them.
Hey! There are two issues with this. One is that the unused export wasn't properly tree-shaken, which we will try to address.
This can lead to developers accidentally exposing endpoints that they didn't mean to and don't ever consume on the client.
Totally understand the concern but this is not exactly the case here. In the reproduction you copied the header of the request to the previous function (which has a cryptographically hashed id), and then switched to the new function in the code. This is only achievable on development because once you run it on production mode, that previous id won't be exposed anywhere if unused.
We're also adding hash salt rotation to production build, so rebuilds will be protected in this case and all ids will change. I think that will fully address the concern here.
Hey @shuding, do the repro steps I listed make sense for seeing the unused action id in the client-side bundle? Let me know if I can provide more info, thanks
This is only achievable on development because once you run it on production mode, that previous id won't be exposed anywhere if unused.
@shuding are you sure the id won't be exposed anywhere if unused in a production build? I'm able to see it in the JS that's sent to the client when doing npm run build && npm run start
repro steps:
- npm run build
- npm run start
- Open dev tools to page-{}.js
- Look in dev tools and see it's included; I've attached a screenshot here with the line highlighted where the id is exposed
@RhysSullivan That id you saw was for the exposed action (the one you are using inside <button onClick={...}>). The other one's id, which isn't used by the client, won't be seen in the client JS files.
@shuding I deployed the repo to Vercel for further verification https://next-unused-server-actions.vercel.app/
The JS payload is https://next-unused-server-actions.vercel.app/_next/static/chunks/app/page-eab1e6231173d707.js
Inside of that payload, there are 2 action ids listed:
- 6fd2c8e1175bb0510320a3360aea26160ec5e722 - getSignedInUser, which is called from the client
- 4c92e15aecb3e95ebc647ac038a361814d41cb48 - getAllUsersPrivateDoNotLeak, which is never referenced on the client
I've included a screenshot to hopefully make it clearer; the labels are as follows:
1 - Return body of the function which isn't meant to be exposed
2 - Only place actions are being called on the client, it's just calling getSignedInUser
3 - Action id of getAllUsersPrivateDoNotLeak
4 - Return value of calling that action, validating it's the same value as 1
5 - JS bundle on the client that has the action ids
6 - Action id of getSignedInUser
7 - Action id of getAllUsersPrivateDoNotLeak
Hey @shuding am I able to provide any more information to help debug / repro this?