React's most dangerous feature

00:00

if you care about security for your

00:01

nextjs app stop using top level use

00:03

server it's way too easy to leak data

00:06

top level use server creates endpoints

00:08

for all exported functions even if

00:10

they're never used on the client one

00:12

accidental export can cause a ton of

00:15

damage oh boy y'all probably expect me

00:18

to come out here super defensive like

00:20

I'm the forell guy right they pay me so

00:23

I'm going to come out and just say this

00:24

is all fine this video is not sponsored

00:26

for a sell has no saying what I say here

00:28

they might even be mad at me for as I'm

00:30

going to say because I almost entirely

00:32

agree with Reese this is scary and we

00:35

should understand what these tools do in

00:37

a deep way because it's not as obvious

00:40

as one might think let's dive into this

00:42

and what's going on because I think it's

00:44

important for us to understand before we

00:46

go any further I want to make sure we

00:48

understand what US server does because

00:50

us server does some slightly different

00:52

things in slightly different ways

00:54

there's some education to be had here so

00:56

we're going to make a form and in this

00:58

form we'll have a button type A submit

01:01

and the form will have an action which

01:04

this is where actions become useful

01:06

we're going to go in here we're going to

01:07

mark this is use server and we're going

01:09

to console.log I'm on the server my

01:13

mistake async cool so now we have here

01:16

I'll open up the console because when I

01:18

hit this window's not defined because

01:21

that code ran on the server not on the

01:22

client so if I go back and delete window

01:25

and run this

01:26

again that code runs on the server see

01:29

I'm on on the server what used server

01:32

does is it tells the nextjs compiler hey

01:36

this function isn't a traditional

01:38

function this isn't just for you to call

01:40

between different places in the same

01:41

service use servers effectively a door

01:44

that enables client side code to hit

01:46

this serers side function it might make

01:48

more sense if I break it out a little

01:50

here so if I was to async function

01:53

handle

01:56

submit we can do the same thing in here

01:58

with the use server and then I pass this

02:00

handle submit function to the action

02:02

instead and it does the same thing

02:05

things can get a little interesting once

02:07

we're composing stuff though so first

02:10

off if I Define this function in here

02:12

let's say there's a variable that's

02:13

defined when the page renders like con

02:15

some number equals math. random time 100

02:19

now we have this number we want to log

02:22

it so we put that there and now when we

02:24

submit and we go to the console code I'm

02:26

on the server here's the random number

02:28

since this comp component has context

02:31

not literally react context but it has

02:34

the context of this number that's unique

02:35

to this render because theoretically

02:37

every time somebody renders this page

02:39

they're going to get a different number

02:40

we can prove that by saying

02:43

console.log rendering with some number

02:46

so now when I load this page it rendered

02:49

with 3.9 whatever and then if I submit

02:52

it's submitting with 3.9 the reason it's

02:54

able to do that is it's actually

02:56

embedding that number that value that we

02:58

have in the closure here inside of the

03:00

form so that when it calls this function

03:03

it has access to that data it's almost

03:05

like we we moved this out here and then

03:08

in here we have an input that has a

03:10

default value that is some

03:13

number the reason that this works this

03:16

way is so we don't need to know the

03:18

context of what existed in the component

03:20

when you call that function at first it

03:23

wasn't encrypted which made this

03:24

horrifying but now I actually kind of

03:26

like it I have these items and I want to

03:29

be able to list them we've all done this

03:30

before items. map item thank you super

03:33

Maven for being based as always so here

03:36

we have items. map item key item id item

03:40

cool and if we go back to the page 1 2 3

03:43

here's where things get interesting what

03:44

if I want to be able to delete any one

03:46

of these if I want a little delete

03:48

button on the side here this is where I

03:50

actually think the composition of

03:51

actions gets really

03:53

cool submit uh we're going to make this

03:55

an x button also going to class name

03:59

flag X Gap 4 just put space between them

04:02

so I have that little x button nice

04:04

action

04:06

equals async use server and since we

04:10

have the context of what id we have here

04:13

it's actually quite easy I should also

04:14

make this a let just to make it easier

04:16

or items equals items. filter and then

04:20

revalidate path Che to import cool so

04:24

what's happening here is since the ID of

04:27

this item exists in the props being

04:30

passed to this component it's actually

04:32

included in the scope of the form so

04:34

that we can just call the ID we passed

04:36

to this component it's actually magical

04:38

in the sense that we have this simple

04:39

items function this could be a row and a

04:41

table anything like

04:43

that this is so so so convenient because

04:47

now I can just dump you server here I

04:50

can call props the same way I would in

04:52

any other function in here and this just

04:54

behaves so if I go here we can take a

04:56

look at these items and you'll see each

04:58

of these forms has some data embedded in

05:01

it or it should yeah so each of these

05:04

has this hidden data and that hidden

05:06

data is just the ID for the thing that's

05:09

being incl included in the scope there

05:11

so now if I hit delete on any of these

05:14

it removes it it's that simple and that

05:16

is a magical pattern it makes enclosures

05:18

of concerns and the architecture of your

05:20

stuff really really clean if you have

05:22

let's say a table and you want a delete

05:24

button that you just pass a prop to now

05:27

that delete button can own Its Behavior

05:29

the catch is that in order for that to

05:31

work it has to include the context of

05:34

what that has whatever is enclosed in

05:37

that functions like closure inside of

05:39

the form but it does it encrypted so you

05:41

can actually see the value so although

05:43

this might seem scary this actually

05:45

pretty safe where do I think this

05:46

problem could actually happen is an

05:48

important question I should probably

05:49

have answered earlier so I'm going to

05:50

answer it now let's say that the

05:51

sensitive data function isn't actually a

05:53

do not use it's an internal so we want

05:55

to use this internally notice that I

05:57

deleted the export the reason is

05:59

anything doing stuff internally like

06:01

this we don't want exported we

06:03

explicitly don't want this to be

06:04

accessed other places so the solution

06:06

here would be to export a different

06:08

function that calls this so we have

06:10

export async function user access data

06:15

and here we grab the headers we check

06:17

that it's a secured user and then we

06:19

call the internal sensitive data

06:20

function anything that has the word

06:22

export should do a security check like

06:24

this the thing to look for if you're a

06:26

code reviewer working in code bases like

06:27

this is making sure anytime an export in

06:30

an action file or in something marked

06:32

you server that everything exported has

06:34

an authentication check of some form and

06:37

if it's not exported it doesn't matter

06:39

this isn't exposed only the exports are

06:41

exposed the way that this would become a

06:44

mistake the way this could potentially

06:45

be an issue is if I'm a Dev working on

06:48

another file here like other actions. TS

06:51

and I need this internal sensitive data

06:53

thing I might blindly go here and Export

06:56

it so I have access to this in another

06:57

file and now I've just made that an end

06:59

Point even if I'm using it internally

07:01

for something like this that's the scary

07:03

unintuitive part that is going to cause

07:05

issues if you're looking for where the

07:06

problem exists that's where the problem

07:08

exists if you blindly go export

07:11

something that shouldn't be exported and

07:12

then that's missed in code review that's

07:14

a red flag that can cause problems

07:16

that's a Thing Worth looking for but

07:18

that's the only case I can imagine where

07:20

this would be a problem is doing

07:23

something is inocent as exporting this

07:24

function that we're using internally

07:26

here exposing this so the way I would do

07:29

this is is I would have something like a

07:31

utils function so utils TS I might even

07:34

put a comment on top that's like do not

07:36

export this file and then import server

07:39

only now we're sure this file is only on

07:42

the server and won't be used servered

07:44

not use server this file now we're

07:46

certain that won't happen now I can call

07:48

this internal function in other places

07:50

and even though it's exported it's not

07:52

exposed because it's exported from a

07:53

file that doesn't have us server I hope

07:56

that makes it clear where the problems

07:58

could be here and what could cause this

08:00

but I promise you this is just the

08:02

graphql problem of security again I just

08:05

wanted a long tangent because I want to

08:06

show you guys that this isn't actually

08:08

what we're talking about today if I

08:10

wanted to move this out let's say I

08:13

wanted this delete button in another

08:15

file because separation of concerns is

08:17

super important we'll make an actions.

08:20

TS file and here well I guess I can't

08:22

really use items because items was in

08:24

the context of that so let's come up

08:25

with a different example let's say

08:27

instead of screwing with items it will

08:29

just I don't know

08:32

console.log user was here we'll make

08:35

this more proper export async function

08:39

or user visited cool something like that

08:43

so now you have this export async

08:44

function we could put the use server

08:45

here but I don't think we're able to

08:47

import that I'm actually curious if this

08:50

works or

08:51

not okay that does work cool so if you

08:55

want to put a function different file

08:56

Market your server this way and Export

08:58

it that all works fine the other way you

09:00

can do this though is putting the use

09:01

server up top like this so now we have

09:03

this export async function user

09:06

visited and if we go here and click the

09:09

buttons user was here user was here that

09:12

all works the Ed server on the top here

09:15

is effectively telling the compiler hey

09:17

any Asing functions in this file should

09:19

be treated the same way an action is

09:21

treated in an existing file so when we

09:23

put the US server up here we are telling

09:25

react hey these functions can be called

09:27

like end points these can be post Ed to

09:30

which is an important detail here I want

09:32

to be clear though you can't just write

09:34

this in a client file so I can't like

09:36

have use client up top and then use

09:39

server in here because use client is

09:41

saying we're sending this Javascript

09:43

file to the client use server is saying

09:45

we're exposing this function to the

09:47

client so they're different things

09:49

entirely I know it seems like they're

09:50

similar because their names are so

09:51

similar they're not so where's the

09:54

danger here well sometimes when you're

09:56

exporting from a use server file the

09:58

behaviors aren't very intuitive the

09:59

first one is let's say that we wanted to

10:01

do the items thing again so we'll Define

10:03

items in here and we'll export it too

10:06

well now we're going to get an error

10:07

because you can't actually export

10:09

anything but a promise from a use server

10:11

tagged file because they don't want you

10:13

to use this to expose things like data

10:15

like classes like components they want

10:17

you to expose this as functionality as

10:20

endpoints effectively so what is the

10:24

issue here then if we can't export

10:25

things we shouldn't and we can't export

10:27

functions what's the problem well let's

10:28

say there's a fun function in here we're

10:30

not ready to export like sensitive data

10:33

we'll even do uh do not use sensitive

10:37

data and in here we'll log let's go make

10:39

a fake environment EnV sensitive data

10:44

equals I hope this doesn't leak so now

10:47

we have this sensitive thing in the

10:48

environment we can even log it here env.

10:51

sensitive what did I call sensitive data

10:54

process. sensitive data so if we go here

10:58

we're not going to like have that get

11:00

hit or anything like we aren't running

11:02

that function I'll change this to

11:05

sensitive do not touch and maybe we even

11:08

return that sensitive data process. EnV

11:11

do sensitive data so now we have this

11:13

we're returning this sensitive data but

11:15

we're not binding it anywhere we're not

11:16

calling this we import the the user

11:19

visited function but we're not importing

11:21

this so what's the issue well the issue

11:24

is that the way the compiler works is

11:26

for every route it goes through all of

11:29

the imported files to see in order where

11:33

the U server calls are the way that this

11:35

effectively works is when the compiler

11:38

runs it goes through each of the

11:40

different places that a U server exists

11:42

in the file tree for that route so if

11:45

this route has an import to actions and

11:48

in here we have two things that are use

11:51

server tagged this would be the

11:52

equivalent of effectively putting this

11:54

here and here basically the same thing

11:56

so now this is id1 this is ID 2 even

11:59

though this one isn't used it is still

12:01

exposed and it is still creating an

12:04

endpoint so to speak for that function

12:06

anytime you have a use server function

12:09

that is imported and in the import tree

12:11

of a given route it is now exposed as an

12:13

endpoint even if you don't directly bind

12:15

it because what this is effectively

12:17

doing is letting you post to that page

12:20

route and have it run the code that

12:22

you've bound I wanted to confirm that if

12:24

you don't import the file on a given

12:26

page this won't be a problem which is

12:28

the case so this page demo doesn't

12:30

import any actions so it doesn't have

12:32

this the actions that are defined on a

12:34

route are specific to that route so we

12:36

did import the actions file here so

12:39

these actions are included on the root

12:41

slash route but on the SL demo route

12:44

they're not included because I didn't

12:45

import any actions here so what do I

12:47

mean by included that's a great question

12:49

and we're going to elaborate on that now

12:51

so here we have that root route again we

12:53

have the buttons that don't do anything

12:55

at the moment and if we take a look at

12:57

the code for these well actually see if

13:00

I search that again that we have some

13:03

stuff here that includes it specifically

13:04

this page JS file very interesting let's

13:07

grab the contents of that quick in here

13:10

if I look for that ID which I'll grab

13:12

again here remember all of the actions

13:14

have an ID assigned to them so that the

13:16

react code on the server knows which

13:19

action each form is attached to because

13:21

all of them are just posting to the same

13:22

endpoint so they're using these IDs to

13:24

figure out which action you actually

13:26

want to run and here we see oh no do not

13:29

use sensitive data it's actually

13:31

included in here that's scary what's

13:33

even scarier is that we can hit that you

13:36

know what let's just do this as a curl

13:37

why not I'm going to delete the cookie

13:39

because we almost certainly don't need

13:40

that what we do need is to identify the

13:42

action just pasted the curl and here we

13:45

get a response undefined if we were to

13:47

go add a response to the action uh

13:50

return cool data hello world now we get

13:53

back data hello world as the response

13:55

from that curl call reminder this curl

13:58

call is just me going to the browser

14:01

rightclick copy as curl for that request

14:04

that I did so what happens if we swap

14:06

that ID well I already have the command

14:07

where I swapped it you can see the 6dd

14:09

here so we're going to run this instead

14:11

oh subscribe to Theo what happened oh

14:15

sensitive data got changed hopefully

14:17

you're already subscribed or you're

14:18

going to deal with leaks like this in

14:19

the future make sure yourself secure hit

14:20

that sub button anyways the issue here

14:23

is very simple but also easy to miss if

14:26

you're not paying enough attention when

14:27

you write these things since us server

14:28

is effectively saying everything in this

14:31

file is now exposed as an endpoint this

14:33

is exposed even if we're not using it we

14:36

got a good point here from Emmy in chat

14:39

is it really a bad thing to have someone

14:40

able to enumerate your end

14:43

points that's a really good question it

14:45

depends on how your stuff's architected

14:47

this is effectively the graphql problem

14:50

where if you have anything in your

14:51

graphql schema every user can at least

14:54

call it the solution to a problem like

14:56

this is to have an off check of some

14:58

form we have have data from this call

15:00

being hit and we can use that data to

15:03

verify that this user is the right user

15:05

we have access to headers so if I import

15:08

headers from next I don't know what do

15:10

we want to have is the header we'll say

15:12

that there's a secure header that we'll

15:14

check for if we won't do X forwarded 4

15:17

we'll say secured user does not equal

15:23

key then we'll immediately throw error

15:25

not a secured user otherwise we'll pass

15:27

it so if we do a check like this and I

15:29

go back here and I call this again we

15:31

get this error response because this

15:33

error was thrown to us because we

15:35

shouldn't have been able to do that and

15:36

you can see the error in that response

15:37

of not a secured user but if I instead

15:40

just return data you're not a secured

15:42

user same deal data you're not a secured

15:44

user if I go back to that curl request

15:47

and we manually happen to know what that

15:49

header is secured user and now we have

15:52

that in here if we run this again data

15:55

subscribed to Theo because we are

15:56

actually validating that this user has

15:58

permit in this case using the secured

16:00

user header but you could use anything

16:02

like cookies the same way so the lesson

16:05

here is first off make sure you

16:08

understand what these things do before

16:09

you use them use server is turning all

16:11

of these functions into endpoints that

16:13

users can hit which emphasizes the

16:15

importance of one big key thing make

16:18

sure any action you create verifies the

16:21

user has permission to do the thing if

16:23

you don't want users to hit this

16:25

sensitive data function make sure you

16:27

check because effectively every user

16:28

user can hit this function when you're

16:30

exposing things with us server you have

16:32

to assume that this function can be run

16:34

by anybody I think a lot of the issue

16:37

that's happening here is that web

16:39

developers aren't used to dealing with

16:41

Access Control they're used to these

16:42

functions being automatically handled

16:44

with off because a backend Dev did it or

16:47

they're using something like crate T3

16:48

app where we handle it for you with

16:49

secured procedures if you're writing

16:51

these us server calls yourself that

16:53

means you're writing API endpoints

16:55

yourself we are defining an API here the

16:57

same way we would graphql in fact

16:59

graphql has these same problems times 10

17:02

so we need to make sure in all of these

17:04

functions that the right people can do

17:06

them and as a code reviewer as a in the

17:08

no Dev that's watching videos like this

17:11

this is kind of your responsibility

17:12

we're no longer just writing JavaScript

17:14

for the client if we are using these

17:16

functions if we're taking advantage of

17:17

these core features in the new react

17:19

model it is important for us to go out

17:21

of our way to make sure anything we're

17:23

exposing to users is secured and I'll be

17:26

honest this even bit us before when we

17:27

first did the early early access of

17:29

upload thing we weren't authenticating

17:31

our actions well enough because we

17:33

assumed if you can't get to the route

17:34

you can't use the actions which was a

17:35

mistake we learn these lessons as a

17:36

community and I really want to push

17:37

these points so I'm not the only one

17:39

getting burnt by it if you're not

17:41

authenticating the functions then anyone

17:43

can hit them Ryan Florence jumped in

17:44

with a spicy take and honestly I think I

17:46

agree this doesn't concern me use server

17:49

means turn these exported functions into

17:50

endpoints for the client once you know

17:52

that you won't export a function with

17:54

sensitive data I get that when you're

17:55

new to it you might export a function

17:56

you didn't intend to be an endpoint yep

17:58

and and then it's up to the framework to

17:59

salt and sign the IDS it sends the

18:01

client just like sign cookies yada yada

18:03

I think it's cool great abstraction

18:04

would you really trust a code base with

18:05

a thousand people working on it for all

18:07

of them to not make this mistake uh yeah

18:09

I personally think once you have a code

18:11

base of that size you're almost

18:12

certainly doing a really good job of

18:14

auditing and linting these things like

18:16

my personal understanding is that these

18:19

problems always exist in big code bases

18:21

especially with again I hate to keep

18:23

poking at graphql but it is so guilty of

18:26

this problem so the graphql schema like

18:28

this where we have

18:29

not only do you have to verify and

18:31

validate company you have to validate

18:33

every one of these fields because let's

18:35

say some users have access to name and

18:37

address but not offices some users have

18:39

access to offices some users have access

18:41

to specific offices now not only does

18:44

every type every object have to be

18:47

handled like with authentication every

18:50

single field needs to be validated this

18:52

is the reality of backend Dev you always

18:55

have to check permissions when you do

18:57

anything and the that's unintuitive for

19:00

web devs is that use server means that's

19:02

an endpoint that's an endpoint all of

19:05

these are new API endpoints being

19:06

exposed the risk here isn't so much this

19:09

is a unique problem that doesn't exist

19:11

in other places and only exists in react

19:13

and server components and next the

19:15

problem here is that web developers used

19:17

to using next purely for frontend stuff

19:19

and then hitting an API that someone

19:21

else made with all of these off things

19:23

already handled they're diving into you

19:24

server and treating it the same way they

19:26

would hit an external endpoint like to a

19:29

Dev that's not familiar and is used to

19:31

just writing these things with an

19:32

existing backend this to them feels like

19:34

the equivalent of I don't know let's say

19:37

we have an async function here it's not

19:39

used client and we have some data const

19:42

data equals await Fetch api. ours.com

19:48

sdata and they use this data for

19:50

something to a new Dev using these

19:53

things this feels the same as calling a

19:55

server action to get that data they're

19:57

not used to thinking about about API end

20:00

points as a thing they have to own

20:02

manage and authenticate ree is pushing

20:04

back a little bit saying the focus on

20:06

auth informs is the wrong takeaway

20:07

because you can't put off on things you

20:09

don't know exist half agree I think that

20:12

the our duty as devs is the same way if

20:15

we have I don't know here where we're

20:18

exposing all of these things through the

20:20

switch statement we're just taing back a

20:23

bunch so when you use us server you're

20:25

just doing this but you've deleted that

20:29

that and

20:30

that it's still the same thing but it's

20:33

important to understand that when you do

20:36

use U server you're exposing all of

20:38

these things as end points and ideally

20:41

you're auditing these things as well

20:42

what a surprise CJ already made an es

20:44

link plugin which disallows top level

20:46

use server so if you don't want this

20:48

feature if you don't want this risk you

20:50

can use this plugin to guarantee Nobody

20:52

Does it and even use this plugin and

20:54

then override it in certain files saying

20:56

okay these files can do it but others

20:58

can't these are the issues yeah also 3

21:00

minutes ago great job CJ for those who

21:02

don't want this you now have a lint rule

21:04

to ban it really cool the same way that

21:07

this exists with basically any backend

21:09

technology code review is really

21:11

important if there's a file that has a

21:13

used server on top you need to make sure

21:15

every function exported is also

21:17

authenticated very very important and

21:20

it's a common mistake for that to not be

21:22

the case but I see this more in graph

21:24

CUO than I do in react just make sure

21:26

when you're exposing end points that

21:28

you're making sure the user should be

21:30

using that endpoint there's a great blog

21:32

post by Sebastian markb the wizard who

21:34

came up with a lot of the server

21:35

component patterns over at for sell how

21:37

to think about Security in next and I

21:38

feel like I reference this blog post far

21:40

too often so it's important to bring it

21:43

up again the data access layer is a

21:45

really important concept that they push

21:46

here where we have a bunch of things in

21:49

a folder let's say data that are the

21:51

things we want to have be secured data

21:53

that can be accessed on the client so

21:55

here we have this off TSX function

21:56

should have just been TS but that's fine

21:58

exports con get current user which is

22:00

cached uses the off token cookie decodes

22:02

it and now we have this user info now we

22:05

have these functions can see username

22:07

viewer user this is public info so we

22:09

always return true we have can see phone

22:11

number viewer is admin or the team that

22:13

they're asking for is the viewers team

22:16

get profile dto now we want to make sure

22:19

that we don't pass back values they

22:21

shouldn't have access to so we do this

22:23

select we uh set user data to the first

22:27

row here we grab the current user and if

22:30

they can see this username then we call

22:33

user data. username and we return that

22:35

otherwise we return null and then same

22:36

with phone number we're using these

22:37

check functions that we wrote before we

22:39

return and since we have this all in a

22:41

specific folder that is indicated to our

22:43

teams as this is our API this is our

22:46

endpoints this is important and secure

22:48

and needs to be treated carefully in

22:50

code review we're much less likely to

22:52

have issues because we've established a

22:54

pattern of how data is exposed on our

22:56

server so as is the case with any

22:58

technology that is linking to your

23:00

database and is exposing data it's

23:02

important to make sure you have patterns

23:04

for how you want to do that for how you

23:05

want to expose that data and it might

23:08

not be intuitive that putting used

23:09

server at the top of the file means

23:11

every export is now exposed once you

23:13

know that you can treat these files

23:14

properly so it's important that whenever

23:16

you use a use server on top that you

23:17

make sure each of these functions is

23:19

checking to make sure the user should be

23:21

doing the thing that they're doing one

23:22

more quick thing I should have covered

23:23

this a while ago you can use server

23:25

actions with trpc so if you really want

23:27

to lock this down set up trpc use all

23:30

the things I showed earlier and now you

23:31

can just expose those with actions the

23:33

same way you could otherwise so we have

23:35

here create post protected action. input

23:38

yada yada mutation create post and now

23:41

we can import this the same way we would

23:43

any other server action and it just

23:45

works you even bind it in a form the

23:46

same way we were showing earlier so you

23:48

get all of the authentication and

23:50

standardization benefits of what exists

23:53

within something like trpc while also

23:55

getting the ergonomics the zero JS

23:57

necessary all the other benefits that we

23:59

get from server actions it's a really

24:01

nice hybrid solution so if you want to

24:02

have a good standard for the way you're

24:04

doing this on the server side there you

24:06

go the request that I've seen from Ree

24:08

and others is that these be Tre shook so

24:11

if this is exposed and this isn't

24:14

because this isn't actually being used

24:16

in the import ideally the ID for this

24:18

isn't included that would be nice I

24:22

would have concerns about how it's

24:23

actually architected and set up but I

24:25

think that should be fine the concern I

24:28

would have is that just not exposing the

24:30

ID doesn't solve the problem because

24:32

theoretically if we only expose user

24:35

visited in this route what's the point

24:36

of this even existing it almost

24:38

certainly is exposed somewhere so if we

24:40

imported that one I don't know in here

24:43

even if we don't actually use it we're

24:44

just importing it I I guess the reason

24:46

I'm hesitant to agree with the like tree

24:50

shaking bit is if you're exporting

24:51

something in one of these it's going to

24:53

get used eventually so if we were to

24:55

hide the ID of this function in the

24:57

pages that don't have access to it so to

25:00

speak it's going to leak eventually

25:01

we're effectively just delaying the

25:03

problem so the only actual solution is

25:06

that we are good with you server means

25:09

this thing needs to be authenticated and

25:12

the solution for that isn't a lter it

25:15

isn't a change to the way the compiler

25:17

works the solution is very specific it's

25:20

a code review thing and I find a lot of

25:22

the problems that I've been hearing

25:23

recently are assuming that anyone can

25:25

commit any code the solution here is we

25:27

have a data folder we put actions in

25:29

here and you make sure anytime someone

25:32

changes anything in the data folder that

25:34

you have a code owner rule on the repo

25:36

on GitHub making sure someone who

25:38

actually knows what the is going on

25:39

reviewed that that's the only way you

25:42

can use anything that exposes data to

25:44

users at scale make strict rules about

25:46

who has to review things and now

25:48

whenever I'm doing a code review even if

25:50

I can't see the US server on top for

25:51

some reason because the file's massive

25:53

at the very very least I see that this

25:55

file is in the data folder which means I

25:57

need to treat it more carefully it needs

25:59

to be more thoroughly reviewed and we

26:00

need to make sure anything in here is

26:02

exposing data in a way that is safe but

26:04

that is the solution here it is put

26:06

these things in a place where we know

26:08

those are endpoints and then in COD R

26:10

viiew make sure any endpoint that you're

26:12

exporting here is treated accordingly

26:13

otherwise you're doing the same thing I

26:15

showed earlier with Express where we're

26:16

just exporting functions within like the

26:19

post calls without checking you always

26:21

need to check things that a user can hit

26:23

and if you're exporting asnc functions

26:24

in a use server file please please

26:26

please make sure that users are being

26:28

authenticated one more simple solution

26:30

that has been touched on don't export it

26:32

as long as you're not exporting good let

26:33

me know what you think and until next

26:35

time peace nerds