The Problem with React Server Actions

แชร์
ฝัง
  • เผยแพร่เมื่อ 8 ม.ค. 2025

ความคิดเห็น •

  • @FunctionGermany
    @FunctionGermany 4 หลายเดือนก่อน +227

    next.js developers discovering basic web application design

    • @zaynelovecraft
      @zaynelovecraft 4 หลายเดือนก่อน +6

      Lmfao

    • @cb73
      @cb73 4 หลายเดือนก่อน +32

      Who would have thought you might want to make sure you’re authorized first before deleting users

    • @FunctionGermany
      @FunctionGermany 4 หลายเดือนก่อน +1

      @@cb73 auth is for chumps. i want to run SQL in my onClick handler.

    • @jessequartey
      @jessequartey 4 หลายเดือนก่อน +8

      skill issues

    • @ButtonWalls
      @ButtonWalls 4 หลายเดือนก่อน +3

      😂😂😂

  • @yadusolparterre
    @yadusolparterre 4 หลายเดือนก่อน +70

    This is not a "security breach", this is what they teach you on the first day of Coding 101. Do not trust the client.
    Just because you receive a request to delete a user doesn't mean that you should blindly accept it with no questions

    • @ayobomari8990
      @ayobomari8990 4 หลายเดือนก่อน

      Yes, it wasn't a serveur action problem at all.

  • @LotsOfFunyoutubechannel
    @LotsOfFunyoutubechannel 4 หลายเดือนก่อน +45

    Actual title should be: The problem with frontend devs doing backend

    • @ItsD3vil
      @ItsD3vil 4 หลายเดือนก่อน +4

      It’s madness! I swear, after seeing this, I feel more confident in my own skills. this is just ridiculous.

    • @cslearn3044
      @cslearn3044 4 หลายเดือนก่อน +2

      exact same people who are worried AI will replace them lol

    • @goncaloshred
      @goncaloshred 4 หลายเดือนก่อน

      ​​@@ItsD3vilthis is madness even to me that started learning fullstack just a couple months ago, and immediately understood that I need security in the server 😅

    • @bataragirsang
      @bataragirsang 4 หลายเดือนก่อน

      thisss

  • @patrickmullot73
    @patrickmullot73 4 หลายเดือนก่อน +58

    I think this is obvious to any serious web developer.
    Server actions are just syntactic sugar to normal http api. You have to take the same precautions

  • @gabrielmedina488
    @gabrielmedina488 4 หลายเดือนก่อน +114

    You would have the same problem with an API route handler if you don't validate whos performing this kind of operation

    • @BayarjavkhlanBatgerel
      @BayarjavkhlanBatgerel 4 หลายเดือนก่อน +1

      yeah we know but the reason why we use rsc is crushed

    • @KhadetouDianifabeOfficial
      @KhadetouDianifabeOfficial 4 หลายเดือนก่อน +2

      that what i was about to write

    • @wazzadev7209
      @wazzadev7209 4 หลายเดือนก่อน +3

      Exactly, we have to treat a server action like it's an API route

    • @benjamingoller6267
      @benjamingoller6267 4 หลายเดือนก่อน +3

      Isn’t this issue really obvious? Of course you can access a function that is called from the client at some point. I use server actions not because I don’t have to validate the request but because it is so (!) much nicer to write them instead of API routes.

    • @BayarjavkhlanBatgerel
      @BayarjavkhlanBatgerel 4 หลายเดือนก่อน

      @@benjamingoller6267 i see you are full nextjs developer when you working on rest api using server action is just more line of codes

  • @tjblackman08
    @tjblackman08 4 หลายเดือนก่อน +15

    Using a server-signed JWT in an http-only cookie and getting the requesting user id from there defeats this attack. Roll your own auth kids, at least once, to learn how it works...

  • @Karimz-69
    @Karimz-69 4 หลายเดือนก่อน +8

    To any experienced developer, this might seem obvious and not a security breach. However, for those who are new to the topic and may not yet have fully grasped this concept, this video can be incredibly helpful. It’s frustrating to see the community reacting in such a negative way instead of being supportive. We should encourage learning and sharing knowledge, not discourage those who are trying to improve.

    • @aleksander5298
      @aleksander5298 4 หลายเดือนก่อน

      skill issue, if you don't know how to code secury, do not touch backend then, stick with client code only pussy

    • @NorthFolkStudios
      @NorthFolkStudios 5 วันที่ผ่านมา

      I don't think the negative comments are about this video. This is a great video demoing and explaining the issue. The negative comments are more in disbelief that the referenced tweeter was developing a production app and wasn't familiar with this very basic concept of web dev. Further, they polled a large number of "developers" who also couldn't spot the issue.

  • @adnanearef2959
    @adnanearef2959 4 หลายเดือนก่อน +54

    It’s not really a security breach, If people read the docs patiently they would easily write an auth guard wrapper on all of their server actions before exposing them.
    Another easier way to protect our server actions, is to add the auth guard on the middleware and it will automatically work on all of the server actions too.

    • @Mheme-f7n
      @Mheme-f7n 4 หลายเดือนก่อน +21

      I only read the docs when there's a problem

    • @strmchsr1537
      @strmchsr1537 4 หลายเดือนก่อน +4

      If people read the docs.. 🤣

    • @adnanearef2959
      @adnanearef2959 4 หลายเดือนก่อน +3

      @@Mheme-f7n Trust me, you’d be surprised of how many mistakes your codebase got then 😂

    • @joshtriedcoding
      @joshtriedcoding  4 หลายเดือนก่อน +23

      "if people read the docs patiently" is a bold assumption

    • @iamAmeeeeeer
      @iamAmeeeeeer 4 หลายเดือนก่อน +3

      wait how does auth guard in middleware protect server actions? do u have any small code example?

  • @Innesb
    @Innesb 4 หลายเดือนก่อน +6

    The Next JS documentation couldn’t be more clear. “You should treat Server Actions as you would public-facing API endpoints, and ensure that the user is authorized to perform the action”.

  • @eft
    @eft 4 หลายเดือนก่อน +17

    sooo, theres no problem with RSC... just a problem with people not knowing how to protect their apis

  • @zuma206
    @zuma206 4 หลายเดือนก่อน +20

    This is web development security 101... YOU DON'T OWN THE CLIENT!!!
    I can't believe people are making this mistake at Netflix. I get that RSC and RSA have issues, but this one is a skill issue.

    • @cant_sleeeep
      @cant_sleeeep 4 หลายเดือนก่อน +1

      ‘use client’

    • @zuma206
      @zuma206 4 หลายเดือนก่อน +1

      @@cant_sleeeep exactly! it should be obvious

    • @joshtriedcoding
      @joshtriedcoding  4 หลายเดือนก่อน +14

      "use skill"

  • @farzadmf
    @farzadmf 4 หลายเดือนก่อน +6

    OMG! That's very good to know! Thank you for sharing

  • @andreasg.dpetersen4252
    @andreasg.dpetersen4252 4 หลายเดือนก่อน +4

    ALWAYS validate on the server, and you're safe.
    Completely independent of language or framework, always validate on the server. Done and done.
    Client side validation is JUST to improve the user experience and prevent just getting errors from the back-end.

    • @JohnBuildWebsites
      @JohnBuildWebsites 4 หลายเดือนก่อน

      It upsets me the amount of times I have needed to push back on backend devs trying to get frontend to handle validation.

  • @llenoben
    @llenoben 4 หลายเดือนก่อน +8

    Turns out someone forgot their auth check 😐

  • @eightyeightdays
    @eightyeightdays 3 หลายเดือนก่อน +1

    This seems like the perfect example of why you'd want separation of concerns.

  • @Ziko2687s8
    @Ziko2687s8 4 หลายเดือนก่อน +6

    Maybe server actions were marketed as this magic wand that eliminates the api, when in reality its just an abstraction for apis. Same rules apply!

  • @ItsD3vil
    @ItsD3vil 4 หลายเดือนก่อน +4

    Honestly, this is infuriating and reflects a fundamental lack of understanding of basic security principles. Deleting a user by just using a user ID? Is this what happens when you rely on a million libraries in your project? It's maddening to see how irresponsible the JavaScript ecosystem has become. They seem to rely blindly on libraries without grasping basic security concepts. It’s a shame, really. I'm so grateful I started programming with C-at least there I learned the importance of getting things right from the ground up.

  • @noahwinslow3252
    @noahwinslow3252 4 หลายเดือนก่อน +12

    You forgot to mention that other functions that are in the server actions are also exported and expose unintended functions to the users. The whole thing is definitely a vulnerability since a major point of using a framework is to avoid footguns and bad practices

    • @joshtriedcoding
      @joshtriedcoding  4 หลายเดือนก่อน +4

      man they are dangerously convenient

    • @noahwinslow3252
      @noahwinslow3252 4 หลายเดือนก่อน +1

      @@joshtriedcoding more over, even if you're aware of the issues, if you're working with a team that's new to nextjs or react, you cannot trust at all that they will understand the concerns.

    • @franka.agrazmartinez49
      @franka.agrazmartinez49 4 หลายเดือนก่อน

      @@noahwinslow3252 hey can you please expose better that situation? Are you trying to say that when I use sever actions all the function that I pass there are exposed and some users can call all the individualy functions that I used?

  • @ashatron656
    @ashatron656 4 หลายเดือนก่อน +5

    V interesting video mate, cheers! Would have been great if you demonstrated the solution to this problem too. Follow up vid? 🤔

  • @nasko235679
    @nasko235679 4 หลายเดือนก่อน +1

    Took me 3 seconds to find the problem, and I've been coding for a year and a half. No idea how people don't understand that whenever you're exposing ANY function to the client, no matter if it is a server action or not, the parameters of that function are interchangable by the client. That's why whenever you're doing any action that requires authentication or proof of ownership you do that on the server side and never on the client side.

  • @cb73
    @cb73 4 หลายเดือนก่อน +3

    Who would have thought you might want to make sure you’re authorized to delete users. Glad the community is on it.

  • @kyle-cs1dl
    @kyle-cs1dl 4 หลายเดือนก่อน +12

    The real security breach is allowing frontend devs to do backend

  • @dobroslav.radosavljevic
    @dobroslav.radosavljevic 4 หลายเดือนก่อน +4

    This is like the most basic thing you need to handle always when doing some backend stuff lol. It's not server action issue. This is how it works with any API endpoint, which accepts data. You need to validate the data, check permissions and then allow or not allow that action based on these checks.
    This is knowledge, that even junior backend developers should have, when they learn about backend basics and security.
    If this happened at Netflix to someone, I'm just laughing xd because the person should be fired on spot, if he make mistakes like this lol.

  • @FabioGamingFG
    @FabioGamingFG หลายเดือนก่อน

    the fact that a netflix dev had to find this out is insanity
    no shit its insecure if you dont sanitize and validate stuff

  • @Legend-bv3hi
    @Legend-bv3hi 4 หลายเดือนก่อน +1

    I also realised I was making this mistake when I was inspecting my server actions in the network tab and realising anybody could call them. I had initially started doing it the right way when I was using regular API Route handlers, but when I switched to server actions I decided to remove the security measures for extra performance 😅, good thing it never shipped to production.

  • @thelazycoder64
    @thelazycoder64 4 หลายเดือนก่อน

    I figured this out months back, I use server actions as a wrapper for calling the actual functions that does server side logic which is wrapped in a validation middleware(just a fancy wrapper function)

  • @bokunochannel84207
    @bokunochannel84207 4 หลายเดือนก่อน +1

    This not just react specific problem. Many nextjs/svelt projects on the wild are misconfigured.
    Quick fix would be just put everything behind proxy and redirect all post request to an authorization server.

  • @danish2462
    @danish2462 4 หลายเดือนก่อน

    This request header is not showing in newly created next apps. I guess they must have fixed this. However, it is always better to have some kind of authorization whenever dealing with sensitive APIs so that without any authorization the data cannot be manipulated

  • @RonnieDenzel
    @RonnieDenzel 4 หลายเดือนก่อน +1

    Ppl tend to forget that a RSA is a wrapper to an API route,you dont own the client

  • @kpr3729
    @kpr3729 4 หลายเดือนก่อน

    I agree with this take that just a simple auth is what generally causes this issue, this also applies to any web frameworks that follow the basic REST api concepts.

  • @PenguinjitsuX
    @PenguinjitsuX 4 หลายเดือนก่อน

    Very surprising to see something as simple as this happening at Netflix. Even worse is how many people are blaming it on NextJS as if it's a server action problem when its really just a general API design problem lol. I know that's not the intention, but those people tweeting about "server actions have security risk" if very misleading. I'm glad that you make sure to clarify in the video that it is a general server API problem that's not specific to NextJS.

  • @tusharsnx
    @tusharsnx 4 หลายเดือนก่อน

    Guess we need a way to setup middleware that would validate token/cookie/user before running the actual server action.

  • @thesunabsolute
    @thesunabsolute 4 หลายเดือนก่อน +1

    Wait... so... the guy didn't confirm that the parameter being passed from the client to the server was actually the user that was logged in? Isn't that web dev 101? You do a check server side AND client side that the user is who they say they are. All modern auth services offer both a client and server check for an logged in user. This seems like a non issue. Are we really at the point where devs don't know what their doing, and need extra guardrails in the framework? I sure hope not.

  • @gamingwolf3385
    @gamingwolf3385 4 หลายเดือนก่อน +1

    Really bad , but ok , i was doing this all the time , i have a function that give me the user session , i verify if user is logged in and so ok mutate data , if not return error with Unauthorized , errors will be catched by a closure that check the type of error and return a pretty error to the client , but now i will work more on authorization checks , thank you Josh

    • @iamAmeeeeeer
      @iamAmeeeeeer 4 หลายเดือนก่อน

      what do u use for sessions/authorization? any package or your custom authrorization?

  • @SSToor
    @SSToor 3 หลายเดือนก่อน

    first thing i thought, wouldn't you check on the backend if the user performing the request matched the user, and why in the world would you pass an user id when you already have access to who is logged in on the server

  • @wlockuz4467
    @wlockuz4467 4 หลายเดือนก่อน +1

    I am not a fan of RSCs or Next, but I don't see how this is particularly ties to those. Maybe the RSC pattern makes it easy to overlook these mistakes but at the end this is Authentication and Authorization basics 101. In this example replace Next action id with your custom endpoint like /delete-user and its the same problem.

  • @codewithmoses
    @codewithmoses 4 หลายเดือนก่อน

    This was great. Thank you for sharing.

  • @6ixty9
    @6ixty9 4 หลายเดือนก่อน

    In auth js by passing auth cookies we can validate user server side?🤔idk

  • @ExplicandoEn10Minutos
    @ExplicandoEn10Minutos หลายเดือนก่อน

    But this is solved by using a middleware, if we authorize users in the middleware then there is no need of validating on server actions

  • @tremblben
    @tremblben 4 หลายเดือนก่อน

    While most people in the comment section think this is trivial security good practices, Server Actions really blur the line of what is executed where. The best way to stay aware is to keep server actions in separate files, in a separate folder, and be aware nothing coming there can be trusted. When you start using Server Actions within other files, this is when it gets confused. I think they fucked up allowing to write 'use server' anywhere and run on the server. This is fucking crazy.

  • @AudaiAlFandi
    @AudaiAlFandi 4 หลายเดือนก่อน

    This doesn't seem like an issue with server actions like the twitter drama implied, it's one of the fundamentals of web servers to treat any `POST` input from the user pessimistically rather than optimistically.
    Don't use new programming patterns unless you fully understand them, especially in production environments.

  • @gdev007
    @gdev007 13 วันที่ผ่านมา

    @josh is there any way to cancel server actions, i am using tanstack query with server action but if one apis gets an error it should stop all next api calls but those are also in server and it couldn’t help me at all

  • @khvald
    @khvald 4 หลายเดือนก่อน

    Who would have thought that you need to authenticate the user before performing a critical action.

  • @tobitacklestech
    @tobitacklestech 4 หลายเดือนก่อน

    so you should do the authentication inside of the server action right?

  • @izumiosana
    @izumiosana 4 หลายเดือนก่อน

    Server action is a type-safety and seamless alternative to API.
    Absolutely you still need to validate the argument/payload like people do in the ordinary API!

  • @Mauaka
    @Mauaka 4 หลายเดือนก่อน

    I find a lot of comments in this video assumes that people know what they know. That everyone who watches these videos are senior full-stack developers. I have built several apps. and NextJS is my go-to framework. I might've fallen into this fault, because it is not a common-sense for my experience and skillsets.
    This is just a reminder for everyone that being nice is a free; and something we should make a bit more common-sensical.

  • @tony-ceee
    @tony-ceee 4 หลายเดือนก่อน

    Server actions is such a weird API - endless options to fail catastrophically, only to have such minor DX improvements.
    Everything around RSC is a pit of failure tbh, its crazy how much resources have been wasted for it.

  • @itsanishjain
    @itsanishjain 4 หลายเดือนก่อน

    ok so we can use bind. right and that's good?

  • @AudaiAlFandi
    @AudaiAlFandi 4 หลายเดือนก่อน

    That's what "Learn NextJs in 6 Days" gets ya.

  • @BonBaisers
    @BonBaisers 4 หลายเดือนก่อน

    Authorizing (!= authenticating) any server operation is basic and mandatory stuff. This is disturbing that this basic matter makes it to a blog post and a video from Josh.

  • @adel.dev.account
    @adel.dev.account 4 หลายเดือนก่อน

    Can you make an authorization tutorial using nextAuth?

  • @dihordev
    @dihordev 4 หลายเดือนก่อน

    Why focus on Next.js specifically? The concerns you raised apply to any backend application, not just Next.js. Server actions in Next.js are part of the backend, after all.
    For instance, if you create an API request using Ruby on Rails, Django, Go, or any other backend framework without proper authorization checks (as demonstrated in your example), you'll encounter the same security vulnerability-unauthorized deletion of users.
    This advice is more relevant for beginner-to-mid-level frontend developers rather than full-stack or backend developers using Next.js with server actions. The core takeaway is straightforward: 'Always validate on the server.' That's a fundamental rule that hasn't changed.

  • @relativelyrehan
    @relativelyrehan 4 หลายเดือนก่อน

    I fail to understand how not implementing "basics" is a security breach

  • @tstpierre1
    @tstpierre1 4 หลายเดือนก่อน

    This is a prime example of how so many self proclaimed programmers are really just frameworkers.
    This is basic entry level stuff.

    • @cant_sleeeep
      @cant_sleeeep 4 หลายเดือนก่อน

      nothing bad about being a frameworker

  • @jessequartey
    @jessequartey 4 หลายเดือนก่อน

    I don't think rsc is at fault here. anyone with good understanding of creating production ready api knows, every data received from the client has to go through some authorization and cleaning to prevent a lot things including creating a vulnerability. pro tip, use trpc/hono till you are really sure your rsc is not a security risk.

  • @manjime
    @manjime 4 หลายเดือนก่อน

    Tha's why you should use libraries like ZSA to have this always present.

  • @stevebendersky2056
    @stevebendersky2056 4 หลายเดือนก่อน

    So I just need to verify the JWT cookie?

  • @paw565
    @paw565 4 หลายเดือนก่อน

    I don't know how to make good form with server actions. I would love to see video about that!

  • @neoswann2143
    @neoswann2143 4 หลายเดือนก่อน

    I mean.. I normally get userID in the server action itself without exposing it to the client and no need to pass it as an argument, and then set up API Rules or RLS on my BaaS... thats supposed to be safe right..?

  • @magedibrahim1405
    @magedibrahim1405 4 หลายเดือนก่อน

    The problem isn't with just "Server actions". The problem can occur in API or LITERALLY ANYWHERE that takes input from a user. It's a "bad design" problem, not a "server action" problem. As a rule of thumb, user input must always be validated when used in a such crucial scenario.

    • @aleksander5298
      @aleksander5298 4 หลายเดือนก่อน +1

      its skill issue problem

  • @luiscarlosjayk
    @luiscarlosjayk 4 หลายเดือนก่อน

    Frontend developers discovering Backend. But beyond the joke. I think it could be better if Next.js documentation advice in their documentation for server actions that they should be treated as any other Backend API, which needs Authentication and Authorization mechanisms.

  • @M1a2n3o43
    @M1a2n3o43 4 หลายเดือนก่อน

    How would you authorize this request? I understand validation and sanitization using zod for example but how do i do this if i am using eg next-auth? How do i check who made the request and authorize it?

  • @benbowers3613
    @benbowers3613 4 หลายเดือนก่อน

    So can't this be solved by authenticating every request in middleware? I think the middleware.ts file applies to actions as well

  • @ricoaw500
    @ricoaw500 4 หลายเดือนก่อน

    how can someone forgot authentication middleware?

  • @SeanCassiere
    @SeanCassiere 4 หลายเดือนก่อน

    Yup, your mindset for server actions should be that of API routes. Everything for there on is just basic API security.

  • @JakobRossner-qj1wo
    @JakobRossner-qj1wo 4 หลายเดือนก่อน +2

    Bro, come on, that's no problem with server actions. That's an issue with the people using it (skill issue). Of course, you can't trust the input. How do you think will Next.js/React magically do the auth step? If you think it's cause of the bad design of server actions than just explain how next.js/react can fix it.

  • @mostafaprot
    @mostafaprot 4 หลายเดือนก่อน

    I don't look at this as a security breach tbh,
    First of all, this is a protected route that shouldn't be accessed by guests.
    Next, this request should go through a middleware, to check authorization.
    And last, request is accepted/rejected.
    Some devs are abusing server actions, server actions aren't a standalone backend.
    So, is it a breach ? :)

  • @codesera9416
    @codesera9416 4 หลายเดือนก่อน

    Hi josh I'm trying to join your discord server but this invite link is invalid or has expired is showing

  • @iced2916
    @iced2916 4 หลายเดือนก่อน

    How can this happen at netflix? I wouldn't say this is a problem with server actions, they are just an abstraction. It could never be a good idea to delete something without performing any validation such as token validation or permission validation

  • @koksikskkj7937
    @koksikskkj7937 4 หลายเดือนก่อน

    What if someone user formData?

  • @krzysztofkwolek5810
    @krzysztofkwolek5810 4 หลายเดือนก่อน

    Ummm, so people don’t know they should validate stuff now?

  • @tonero5651
    @tonero5651 4 หลายเดือนก่อน

    Soon enough people are gonna pick up Row Level Security as a soln for this problem

  • @balqaasem
    @balqaasem 2 หลายเดือนก่อน

    So the lesson is, ensure origin is userId

  • @refeals
    @refeals 4 หลายเดือนก่อน

    Funny how this is the reason people complained about RSC in the first place

  • @ziacodes
    @ziacodes 4 หลายเดือนก่อน

    skill issues... I do these checks even in API, why the heck I would not in server actions...

  • @Funstyle2910
    @Funstyle2910 4 หลายเดือนก่อน

    Does anyone have a good guide on how to build good authorization in an api/server action to avoid this?

  • @j2isndhu
    @j2isndhu 4 หลายเดือนก่อน

    Great video, I would have shown the solution though

  • @sulavbaral9972
    @sulavbaral9972 4 หลายเดือนก่อน

    I mean this can be a problem with API's as well

  • @imransefat8770
    @imransefat8770 4 หลายเดือนก่อน

    you mean basic web security?

  • @austincodes
    @austincodes 4 หลายเดือนก่อน

    Yeah this one's pretty obvious but I can see how server actions make it easier to make this mistake

  • @krauterfrischkase8939
    @krauterfrischkase8939 4 หลายเดือนก่อน +1

    Thats what I predicted when you let frontend developers write backend code on accident 😂 Wait until they find out about SQL injection. History repeats itself. This is so basic, it’s the first chapter of every backend tutorial.

  • @Zamaraw
    @Zamaraw 4 หลายเดือนก่อน

    Sooooo, several years and modern next.js developers are comes to php with MVC pattern)

  • @adejoh6650
    @adejoh6650 4 หลายเดือนก่อน

    I always do proper authorization!!

  • @wriddhihazra
    @wriddhihazra 4 หลายเดือนก่อน +4

    This is why I will always prefer using proper API endpoints and querying them with something like react-query to perform mutations instead of this hacky server actions approach. Heck I can even just write a middleware that just intercepts and authorizes all requests to my critical endpoints, making me need to write it only once instead of remembering to repeat it on every endpoint/action

    • @PraiseYeezus
      @PraiseYeezus 4 หลายเดือนก่อน +4

      Server actions aren't "hacky". They are POST requests from a form, a pattern that has been done in web development for many years.
      The only new thing is that now React devs who typically didn't have to think too much about API security now have to.

    • @hammadXP
      @hammadXP 4 หลายเดือนก่อน +2

      Problem isn't server actions, it's when you go lazy to implement proper authorization checks for every database mutation

    • @tomjones8293
      @tomjones8293 4 หลายเดือนก่อน

      @wridhihazra the problem is you are one of those one-trick ponies that this planet earth has millions of them. lazy thinker to advance just comfy with one thing. humanity would be extinct if all behaved like you. please edify yourself young man. learn new things be curious hope this helps .all come with good intentions...peace

    • @iamAmeeeeeer
      @iamAmeeeeeer 4 หลายเดือนก่อน +2

      if u would just validate server actions the same way as API endpoints they are still more convenient.

    • @wriddhihazra
      @wriddhihazra 4 หลายเดือนก่อน

      @@PraiseYeezus I agree but I'm saying this is like taking a step back into the old php kind of way to handle form submissions. There's no way to cleanly apply some sort of middleware to each server action now is there? So each server action will need to call another additional function at least to verify auth before doing it's own operations, which is easy to forget

  • @falasefemi3344
    @falasefemi3344 4 หลายเดือนก่อน

    Thanks for sharing

  • @maccalsa1
    @maccalsa1 4 หลายเดือนก่อน

    Disagree: This is a next js issue. Josh, along with all these other meta frameworks, which make it so easy to write code without understanding what runs where.
    Meta frameworks lower the barrier for less experienced developers to write code that "works" but is easy to hack.
    You actually say yourself that if you were writing it in a traditional manner, you would be thinking of protecting the client, protecting the server

  • @fueledbycoffee583
    @fueledbycoffee583 4 หลายเดือนก่อน

    So you are saying the front dev that did a "3 week full stack BootCamp" doesn't know anything about security? Who would have known? In a serious note. this a security hazard in any API design. be graphQL, REST, etc. you always need to check who is calling what. I actually like python better for this because you can use the decorator pattern. you can create a function decorator and that checks the request before letting it pass to the route. in that decorator you can check user role. if the request even has a user, auth, etc

  • @remiguillard3773
    @remiguillard3773 4 หลายเดือนก่อน +1

    sorry, is not a security problem, is the same as you get params in url :id for getting the current user, you have to get the user id from the auth token middleware in the use server action, that just a bad design system

    • @iamAmeeeeeer
      @iamAmeeeeeer 4 หลายเดือนก่อน

      literally my thoughts😭, that was such a rookie mistake that i would fire that person at netflix

  • @LutherDePapier
    @LutherDePapier 4 หลายเดือนก่อน

    So the problem is people can't do their job right server-side.

  • @dogcodes
    @dogcodes 4 หลายเดือนก่อน

    What headphones do you use Josh?

  • @oszi7058
    @oszi7058 4 หลายเดือนก่อน +1

    so that's a problem every api has..........................................................

  • @MatiasBaldanza
    @MatiasBaldanza 4 หลายเดือนก่อน

    The thing is, authentication and authorization is like the bread and butter of API design. I suppose we could offload this check into middleware, like Express does? th-cam.com/video/N_sUsq_y10U/w-d-xo.htmlsi=hIe_EGpO2KYeVf1N&t=278

  • @_ingadi
    @_ingadi 4 หลายเดือนก่อน

    ZSA procedures ftw

  • @MengLinMaker
    @MengLinMaker 2 หลายเดือนก่อน

    The issue was caused by skill issue.

  • @includenull
    @includenull 4 หลายเดือนก่อน

    Water is wet and unsecured endpoints are not secure. I'm not sure why any developer should be "discovering" this, it's like web development 101.
    The fact that people like the authors of the tweets you showed at the start are making these stupid oversights too shows a larger systemic problem, or just that they are primarily frontend devs who never think about security.

  • @s0fcat
    @s0fcat 4 หลายเดือนก่อน

    I still don't understand why people use server actions and server components as an actual API instead of making it as some middle layer between frontend and backend to handle some complex CLIENT!-side logic. Why do they code backend-related stuff on frontend? This pseudo-fullstack thing has gone too far. Frontend must be frontend, backend must be backend.

  • @Ss-zg3yj
    @Ss-zg3yj 4 หลายเดือนก่อน

    Had no idea Netflix devs are so bad...I mean c'mon, are you serious? Security breach? Ahahahaha

  • @AHMED-et7md
    @AHMED-et7md 4 หลายเดือนก่อน

    User Permissions Crying in the Corner

  • @rajausamah7569
    @rajausamah7569 4 หลายเดือนก่อน

    Lol i used to save jwt token on local storage

  • @GurbyTheGreat
    @GurbyTheGreat 4 หลายเดือนก่อน

    This is Weaponized incompetence