Why prisma calls directly in Next is a MISTAKE

Comments

As someone who contributed to the project, I never imagined such a big security issue. Thank you so much for this, I learned something new!

muhammadosama

This is why I always, always, ALWAYS use data mappers for all my endpoints. This allows me to
- dynamically filter fields based on some business / authorization rules,
- add additional computed fields, etc.
- rename database columns if / when the need arises without breaking everything.

You could also define those mappers as zod schemas that disallow extra properties.

darialyphia

Rookie mistake many of us made in the past. I once leaked a password hash in a JWT token. Ok, it was a bcrypt hash and not a plain password, but still...

IvanRandomDude

In Mongoose, you can unselect fields by default so they only get returned if you explicitly request them.

codinginflow

Agreed, using an allowlist (select in your query) is easier to debug than using a blocklist (omit in your query) in most situations, and we have more control over the behavior.

Selient

Another approach I totally forgot to mention in this video is to create a separate CodeRacerUser model which stores all information unrelated to authentication. This would obviously be a much larger refactor, but I think that would be the BEST solution over what I did here.

WebDevCody

Generally, I just separate out sensitive information in the data model into a separate table. Users can only view their own data, but if they have a "profile" this is publicly available.

michaelholmes

Whoa, I didn't know that. I should check the network tab next time. Also, it does make sense, since passing props pretty much makes the props accessible to the component we're passing them to. Thank you!

programmers_sanctuary

It always baffles me when I get other devs telling me, "it doesn't matter if I request too much, I'll never know, I might need it". The burden on the network and the database is often overlooked, and definitely when there is sensitive data you should take extra care!

Goyo_MGC

With 'select' you should always keep it in mind, especially when you query an entity and you have to JOIN or populate the User entity. For me it's better to use a DTO with class-transform and 'serialize' the response data. And the best decision would be to choose a better ORM, where private fields are already implemented :)

alexanderpedenko

Did an email go out to all users saying data was exposed incorrectly?

OmgImAlexis

I think in Prisma you can choose the attributes you want to use.

buxx

Thank you. Very important topic. You covered the problem and query solution well.

BlackStrifeD

Thank you for pointing this out, Cody. This is really important

danyacoding

React Server Components: welcome back to the age of PHP, table leaks, and SQL injections... Combining a view (render logic) with a controller (data access) is a bad idea and the reason why the industry advanced to API-first designs. At least that was the case... phew.

dinoscheidt

Unfortunately, in Prisma if you use the include statement it selects all the fields from the entity. You always have to keep that in mind.

AndreasStraub

This is honestly why too much abstraction can be a bad thing: you're allowing some library to control what data it retrieves (or at least the default is to project everything), and having a default like that is dangerous in my opinion, whereas with some query language, like SQL, you can do "SELECT *" and you explicitly know what you are projecting from the given table.

Not to say it is entirely Prisma's fault either, although that default is just poor; it is also partly a Next thing, where it makes it feel like the client and server are just a single application. I think sometimes that divide is important and necessary. What do other people think?

nark

Imo it makes some sense for email to be public to other users, like on mailing lists. But maybe not if you aren't logged in..

sub-harmonik

That's crazy they didn't implement DTOs on their API.

peanutcelery

Nice, I always follow this practice to save DB bandwidth.

Hiperultimate