React's most dangerous feature

It pains me how little people understand "use server". Enough so to trigger a rant. Ugh. Hope this helps. Server components are DIFFERENT, not HARD.

SOURCES

S/O Ph4se0n3 for the awesome edit 🙏
Comments
Author

I'm primarily a backend dev, and so I am always extremely careful about auditing what any external APIs do. I did not, however, realise that every "use server" was in effect creating another API. Now if you'll excuse me, I have several codebases to audit.
Thanks for the heads up.

LadyEmilyNyx
Author

Implicitly creating endpoints is the problem. The more things you make implicit in a framework, the greater the opportunity for a nightmare to be created.

zactron
Author

"When you're exposing things with 'use server', you have to assume that th[e] function can be run by anybody. I think a lot of the issue that's happening here is that web developers aren't used to dealing with access control."

Great video, as always, but IMHO, this is the TL;DR of this video, and maybe it's worth its own reel/short.

kylemichaelsullivan
Author

As of 8/22 the Next team has put out a fix for this issue via tree shaking unused action ids, and I think it’s being backported to v14

There’s a deeper problem imo around the design of having implicit endpoint creation, but it’s nice this specific problem is fixed

RhysSullivan
Author

RSC is such a developer experience disaster. Too much magic and confusion of where your code runs. Having concrete application boundaries is a good thing!

James-rybo
Author

I feel like "use server" should have some sort of mandatory access level argument

MilesFlavel
Author

Theo the type of guy to explain a problem for 10 minutes only to be like: "yeah so we AREN'T gonna talk about this actually, this is completely different"

yashkhambhatta
Author

JS devs seem so odd to me sometimes. They berate people for using HTMX cause it breaks separation of concerns, but then they just blatantly throw server side code into their client side files?

RoyaltyInTraining.
Author

Maybe they should invent an HTTP header for Authorization. They mustn’t have thought about it…

steverude
Author

Part of the issue here is overloading the export keyword to mean two different things: to create an endpoint and to allow it to be called from other modules. I feel like it's an unnecessary footgun in the design.

ventic
Author

25:15 if code review is your only line of defence against something, you're not well defended against it, because for a ton of people it's "just a job" and they don't care to fully understand every detail in changes they review; mistakes and oversights are a big reason for security breaches.

ventic
Author

They basically recreated ASP.NET WebForms.
It only took 15 years and the pendulum came back to server components entangled.

monad_tcp
Author

How long until NextJS reinvents Express middleware? :)

Also, isn't one of the top engineering rules in *any* system to default to a safe or secure mode? Like railroad crossings defaulting to enabled, or door magnets turning off with loss of power?
Shouldn't it be defaulting to not exposing your endpoints unless you tell it to?

DarkSwordsman
Author

I kind of understand the use of "use server", but it is kind of complex to maintain as the app keeps growing. I prefer a separate backend, and not doing SQL queries inside the actions, instead calling my backend that needs authorization and doesn't care about the exposed endpoints on Next.js; that way, I don't have to worry about those security issues that Next.js has.

lidinzx
Author

I don't know, man; it looks leakier than my 43-year-old toilet in my apartment. There's no way every developer can keep up with every exposed point.

BobKane-gx
Author

NextJS suffers from the same thing most large web frameworks do. Complexity. In an effort to make things "easier" they've actually made it very complex. So much so that people often do incorrect things because they don't really understand the complexity.

echobucket
Author

React keeps making various forms of useEffect footguns lol

memeteamdreamteam
Author

In our team, we always end our filename with .server for server run code. For example, actions.server.ts

bosung
Author

Everyone says control your access, but everyone falls short of showing how to do it correctly. My loved example is a company blog system: one user writes an article and sets the state to review, and then another user can change/publish the article. Not too simple and not too complex to show every access control you need. The best part is how you design the article flow changes the access control.

PpVolto
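A worked version of the blog workflow PpVolto asks for, added here as an example (not code from the video, and not Next.js's own API): a single "use server" action that authenticates, validates and authorizes inside the function, because whoever can reach the endpoint can call it with any arguments. The user table, article table and the session object passed in are constructed stand-ins; in a real app the session would come from a signed cookie or an auth library.

```javascript
"use server"; // in Next.js this directive makes every *exported* function below an HTTP endpoint
// Constructed in-memory stand-ins for the user store and article table (assumption: a real
// app queries a database and resolves the session from a signed cookie or auth library).
const USERS = {
  alice: { name: "alice", role: "writer" },
  bob: { name: "bob", role: "editor" },
  mallory: { name: "mallory", role: "reader" },
};
const ARTICLES = new Map([[1, { author: "alice", state: "draft" }]]);

// Workflow rules: currentState -> nextState -> predicate(actor, article).
// These predicates are the access control: who may move an article along the flow.
const TRANSITIONS = {
  draft: { review: (actor, article) => actor.name === article.author }, // only the author submits
  review: {
    draft: (actor) => actor.role === "editor", // an editor can send it back
    published: (actor, article) =>
      actor.role === "editor" && actor.name !== article.author, // four-eyes: never the author
  },
};
// Pure decision function, kept separate so it can be tested without touching state.
function authorizeTransition(actor, article, nextState) {
  const rule = TRANSITIONS[article.state] && TRANSITIONS[article.state][nextState];
  if (!rule) return { ok: false, reason: "invalid transition" };
  return rule(actor, article) ? { ok: true } : { ok: false, reason: "forbidden" };
}

// Resolve the caller from the session, never from a userId or role in the action's
// arguments: those are chosen by the client. (Passed in here so the example runs stand-alone.)
function requireUser(session) {
  const user = session && USERS[session.userId];
  if (!user) throw new Error("unauthenticated");
  return user;
}

// The server action. Anyone on the network can invoke it directly, so authentication,
// input validation and authorization all happen here, not in the button that calls it.
// Only this function would be exported; the helpers above stay module-private so they
// do not become endpoints of their own.
function changeArticleState(session, articleId, nextState) {
  const actor = requireUser(session);
  const id = Number(articleId);
  const article = ARTICLES.get(id);
  if (!article) throw new Error("not found");
  const decision = authorizeTransition(actor, article, String(nextState));
  if (!decision.ok) throw new Error(decision.reason);
  article.state = String(nextState);
  return { id, state: article.state };
}
```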
Author

Separation of concerns went from HTML and CSS in JS, to backend in frontend really quick. What a mess.

khaled_osman