Next's Server Actions Might Not Be That Safe...

Comments

This is another reason why a strong split between front and backend code is useful

bertrodgers
I’ve always placed this in mind. When a new solution is introduced to solve problem(s), somehow, it introduces a new problem or vulnerability while stopping one. That’s nature for me 😅

coderoyalty
Keep ‘em coming Cody! You’re doing so well! I’m very proud of you 😘

SeibertSwirl
I'm glad someone finally took the time to actually run the tweeted code to understand it, besides only stating "I don't fully understand what's going on here..."! Thank you. I believe the risk is not really on using alpha features. I believe that the bigger risk is using sample code from someone else without putting the effort to actually understand it. Good job!

lpanebr
I'm really not a fan of this direction in the first place. Next is trying so hard to blur the lines of the client and server paradigms that they are obfuscating the actual inner workings of the framework. This is going to make security vulnerabilities easier to create by accident and harder to spot :(

alexnahas
The actions are currently in Alpha so their security will be improved in the future.
Currently, using it in production is not only shooting yourself in the foot, but blowing the entire leg off.
And I do think that separating the actions in a different file is better anyway. Helps with security + separation of concerns.

Dev-Siri
All the seniors will have fun reviewing code from juniors with these features.

Clangsoul
With more power, comes more responsibility

josemonge
Appreciate you making a vid explaining this cuz I also didn't know what people were talking about on twitter

hideinbush
it's really simple: every server action call is a separate HTTP request that doesn't have access to any state of the server (assuming you are running serverless/edge, and it probably treats it independently even if you have a dedicated machine). Anything involved in a closure is treated like an argument. imo, it's better to explicitly pass them as arguments instead of hiding it behind a closure.

samuelgunter
Nice video, will include it in tomorrow's newsletter 👌

thisweekinreact
If you are building a long-term project, PLEASE go with an Express RESTful API + React SPA (Vite swc) + Zustand + React-Query. This stack is tried and true and will not screw you over. Don't chase the fancy new thing. Go for stability and reliability!

Euquila
I don't get it. Why would anyone place it within the component/closure not in the server function? Is there a use case for doing this?

Cyber_Lanka
This is basically the equivalent of doing const secret = fetch(/my/secret) in your react and that result gets bundled with the frontend. Closures are important in js for this and many other reasons.

madmarchy
when you define your secrets inside the function
they don't appear inside the payload
if that means they are not sent to the client
why wouldn't you define the secrets inside server actions?

kuroisan
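A simplified model of the mechanism the two comments above describe (whatever an inline action closes over travels with the action reference and comes back as an argument on every call), added here as an illustration; it is not code from Next.js or from any commenter. The bind/serialize functions are assumptions that stand in for the framework's compiler and client runtime, and the secret is a constructed value.

```javascript
// Assumed model of the compiler step: the inline action is hoisted and the
// values it closed over become "bound arguments" shipped with the reference.
function bindAction(id, closedOver) {
  return { id, bound: closedOver };
}

// Assumed model of the client call: the body the browser would POST back.
function clientRequestBody(actionRef, ...args) {
  return JSON.stringify({ id: actionRef.id, bound: actionRef.bound, args });
}

// Defensive check: which known secret values show up in client-visible data?
function leakedSecrets(body, secrets) {
  return secrets.filter((s) => body.includes(s));
}

// Constructed sample secret (not a real credential).
const SECRET = "sk_test_CONSTRUCTED_SECRET_VALUE";

// Risky pattern: the secret is read in component scope during server render,
// so the inline action closes over it and it is bound into the payload.
function componentWithInlineAction(env) {
  const secret = env.API_KEY; // evaluated while rendering on the server
  return bindAction("inline-action", { secret });
}

// Safer pattern: the action reads the secret from the server environment only
// when it executes, and the component binds nothing but explicit, non-secret
// arguments (here a user id).
function separateFileAction(env, userId, formData) {
  const secret = env.API_KEY; // read at execution time, never serialized
  return `${userId}:${formData}:${secret.length}`;
}
function componentWithSeparateAction(userId) {
  return bindAction("separate-action", { userId });
}

// Compare what each pattern exposes on the wire.
function demo() {
  const env = { API_KEY: SECRET };
  const risky = clientRequestBody(componentWithInlineAction(env), "hello");
  const safe = clientRequestBody(componentWithSeparateAction("u42"), "hello");
  return {
    riskyLeaks: leakedSecrets(risky, [SECRET]), // contains the secret
    safeLeaks: leakedSecrets(safe, [SECRET]),   // empty
    safeResult: separateFileAction(env, "u42", "hello"),
  };
}
```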
Just a note. Those aren’t the stable server components. They are server actions running inside client components and it’s in alpha still. If that becomes stable it would be cool.

thedigitalceo
Imo all of these alpha and beta features seriously need to be removed from the main release package and instead be added to packages named "13.4.0-beta-{major}.{minor}" or something so that people aren't using these features in production unless the package version explicitly states that it's the beta/alpha version. Having these in the main package seems really weird to me.

ShaggyKris
1:30 curious how you toggle between screens here without showing the app switcher. Are you doing that with a specific program or utility or is that being done somehow with OBS?

KevinOld
This is a foot gun, but it's not at all surprising or counterintuitive. If you remove the server action it's so obvious you are pulling a secret into a component! Why would you expect that secret to ever be excluded from client code if you did this? I guess the point is that you wouldn't do it on purpose, but it would be a careless mistake.

barefootfunk
Am I the only one who thinks that we don't need 'server actions'?

Like seriously, what's wrong with good ole JSON?
I get that you can't really upload files with JSON, but with Next those files aren't persisted anyways... Plus, we figured this out with the whole pre-signed URLs thing.

SeanCassiere