next.js developers discovering basic web application design

Actual title should be: The problem with frontend devs doing backend

You would have the same problem with an API route handler if you don't validate whos performing this kind of operation

I think this is obvious to any serious web developer. Server actions are just syntactic sugar to normal http api. You have to take the same precautions

This is not a "security breach", this is what they teach you on the first day of Coding 101. Do not trust the client. Just because you receive a request to delete a user doesn't mean that you should blindly accept it with no questions

Using a server-signed JWT in an http-only cookie and getting the requesting user id from there defeats this attack. Roll your own auth kids, at least once, to learn how it works...

To any experienced developer, this might seem obvious and not a security breach. However, for those who are new to the topic and may not yet have fully grasped this concept, this video can be incredibly helpful. It’s frustrating to see the community reacting in such a negative way instead of being supportive. We should encourage learning and sharing knowledge, not discourage those who are trying to improve.

The Next JS documentation couldn’t be more clear. “You should treat Server Actions as you would public-facing API endpoints, and ensure that the user is authorized to perform the action”.

OMG! That's very good to know! Thank you for sharing

sooo, theres no problem with RSC... just a problem with people not knowing how to protect their apis

It’s not really a security breach, If people read the docs patiently they would easily write an auth guard wrapper on all of their server actions before exposing them. Another easier way to protect our server actions, is to add the auth guard on the middleware and it will automatically work on all of the server actions too.

This is web development security 101... YOU DON'T OWN THE CLIENT!!! I can't believe people are making this mistake at Netflix. I get that RSC and RSA have issues, but this one is a skill issue.

ALWAYS validate on the server, and you're safe. Completely independent of language or framework, always validate on the server. Done and done. Client side validation is JUST to improve the user experience and prevent just getting errors from the back-end.

V interesting video mate, cheers! Would have been great if you demonstrated the solution to this problem too. Follow up vid? 🤔

Turns out someone forgot their auth check 😐

Who would have thought you might want to make sure you’re authorized to delete users. Glad the community is on it.

Honestly, this is infuriating and reflects a fundamental lack of understanding of basic security principles. Deleting a user by just using a user ID? Is this what happens when you rely on a million libraries in your project? It's maddening to see how irresponsible the JavaScript ecosystem has become. They seem to rely blindly on libraries without grasping basic security concepts. It’s a shame, really. I'm so grateful I started programming with C-at least there I learned the importance of getting things right from the ground up.

Took me 3 seconds to find the problem, and I've been coding for a year and a half. No idea how people don't understand that whenever you're exposing ANY function to the client, no matter if it is a server action or not, the parameters of that function are interchangable by the client. That's why whenever you're doing any action that requires authentication or proof of ownership you do that on the server side and never on the client side.

The real security breach is allowing frontend devs to do backend

Maybe server actions were marketed as this magic wand that eliminates the api, when in reality its just an abstraction for apis. Same rules apply!

This is like the most basic thing you need to handle always when doing some backend stuff lol. It's not server action issue. This is how it works with any API endpoint, which accepts data. You need to validate the data, check permissions and then allow or not allow that action based on these checks. This is knowledge, that even junior backend developers should have, when they learn about backend basics and security. If this happened at Netflix to someone, I'm just laughing xd because the person should be fired on spot, if he make mistakes like this lol.

This seems like the perfect example of why you'd want separation of concerns.

You forgot to mention that other functions that are in the server actions are also exported and expose unintended functions to the users. The whole thing is definitely a vulnerability since a major point of using a framework is to avoid footguns and bad practices

This was great. Thank you for sharing.

I also realised I was making this mistake when I was inspecting my server actions in the network tab and realising anybody could call them. I had initially started doing it the right way when I was using regular API Route handlers, but when I switched to server actions I decided to remove the security measures for extra performance 😅, good thing it never shipped to production.

Wait... so... the guy didn't confirm that the parameter being passed from the client to the server was actually the user that was logged in? Isn't that web dev 101? You do a check server side AND client side that the user is who they say they are. All modern auth services offer both a client and server check for an logged in user. This seems like a non issue. Are we really at the point where devs don't know what their doing, and need extra guardrails in the framework? I sure hope not.

I agree with this take that just a simple auth is what generally causes this issue, this also applies to any web frameworks that follow the basic REST api concepts.

I figured this out months back, I use server actions as a wrapper for calling the actual functions that does server side logic which is wrapped in a validation middleware(just a fancy wrapper function)

Very surprising to see something as simple as this happening at Netflix. Even worse is how many people are blaming it on NextJS as if it's a server action problem when its really just a general API design problem lol. I know that's not the intention, but those people tweeting about "server actions have security risk" if very misleading. I'm glad that you make sure to clarify in the video that it is a general server API problem that's not specific to NextJS.

While most people in the comment section think this is trivial security good practices, Server Actions really blur the line of what is executed where. The best way to stay aware is to keep server actions in separate files, in a separate folder, and be aware nothing coming there can be trusted. When you start using Server Actions within other files, this is when it gets confused. I think they fucked up allowing to write 'use server' anywhere and run on the server. This is fucking crazy.

Really bad , but ok , i was doing this all the time , i have a function that give me the user session , i verify if user is logged in and so ok mutate data , if not return error with Unauthorized , errors will be catched by a closure that check the type of error and return a pretty error to the client , but now i will work more on authorization checks , thank you Josh

This not just react specific problem. Many nextjs/svelt projects on the wild are misconfigured. Quick fix would be just put everything behind proxy and redirect all post request to an authorization server.

the fact that a netflix dev had to find this out is insanity no shit its insecure if you dont sanitize and validate stuff

Bro, come on, that's no problem with server actions. That's an issue with the people using it (skill issue). Of course, you can't trust the input. How do you think will Next.js/React magically do the auth step? If you think it's cause of the bad design of server actions than just explain how next.js/react can fix it.

I find a lot of comments in this video assumes that people know what they know. That everyone who watches these videos are senior full-stack developers. I have built several apps. and NextJS is my go-to framework. I might've fallen into this fault, because it is not a common-sense for my experience and skillsets. This is just a reminder for everyone that being nice is a free; and something we should make a bit more common-sensical.

Server action is a type-safety and seamless alternative to API. Absolutely you still need to validate the argument/payload like people do in the ordinary API!

I am not a fan of RSCs or Next, but I don't see how this is particularly ties to those. Maybe the RSC pattern makes it easy to overlook these mistakes but at the end this is Authentication and Authorization basics 101. In this example replace Next action id with your custom endpoint like /delete-user and its the same problem.

Ppl tend to forget that a RSA is a wrapper to an API route,you dont own the client

But this is solved by using a middleware, if we authorize users in the middleware then there is no need of validating on server actions

Guess we need a way to setup middleware that would validate token/cookie/user before running the actual server action.

Thanks for sharing

so you should do the authentication inside of the server action right?

first thing i thought, wouldn't you check on the backend if the user performing the request matched the user, and why in the world would you pass an user id when you already have access to who is logged in on the server

Why focus on Next.js specifically? The concerns you raised apply to any backend application, not just Next.js. Server actions in Next.js are part of the backend, after all. For instance, if you create an API request using Ruby on Rails, Django, Go, or any other backend framework without proper authorization checks (as demonstrated in your example), you'll encounter the same security vulnerability-unauthorized deletion of users. This advice is more relevant for beginner-to-mid-level frontend developers rather than full-stack or backend developers using Next.js with server actions. The core takeaway is straightforward: 'Always validate on the server.' That's a fundamental rule that hasn't changed.

I don't think rsc is at fault here. anyone with good understanding of creating production ready api knows, every data received from the client has to go through some authorization and cleaning to prevent a lot things including creating a vulnerability. pro tip, use trpc/hono till you are really sure your rsc is not a security risk.

The problem isn't with just "Server actions". The problem can occur in API or LITERALLY ANYWHERE that takes input from a user. It's a "bad design" problem, not a "server action" problem. As a rule of thumb, user input must always be validated when used in a such crucial scenario.

This request header is not showing in newly created next apps. I guess they must have fixed this. However, it is always better to have some kind of authorization whenever dealing with sensitive APIs so that without any authorization the data cannot be manipulated

Tha's why you should use libraries like ZSA to have this always present.

Authorizing (!= authenticating) any server operation is basic and mandatory stuff. This is disturbing that this basic matter makes it to a blog post and a video from Josh.

Thats what I predicted when you let frontend developers write backend code on accident 😂 Wait until they find out about SQL injection. History repeats itself. This is so basic, it’s the first chapter of every backend tutorial.

This doesn't seem like an issue with server actions like the twitter drama implied, it's one of the fundamentals of web servers to treat any `POST` input from the user pessimistically rather than optimistically. Don't use new programming patterns unless you fully understand them, especially in production environments.

Frontend developers discovering Backend. But beyond the joke. I think it could be better if Next.js documentation advice in their documentation for server actions that they should be treated as any other Backend API, which needs Authentication and Authorization mechanisms.

Yup, your mindset for server actions should be that of API routes. Everything for there on is just basic API security.

I don't know how to make good form with server actions. I would love to see video about that!

Who would have thought that you need to authenticate the user before performing a critical action.

Server actions is such a weird API - endless options to fail catastrophically, only to have such minor DX improvements. Everything around RSC is a pit of failure tbh, its crazy how much resources have been wasted for it.

This is a prime example of how so many self proclaimed programmers are really just frameworkers. This is basic entry level stuff.

I fail to understand how not implementing "basics" is a security breach

In auth js by passing auth cookies we can validate user server side?🤔idk

I don't look at this as a security breach tbh, First of all, this is a protected route that shouldn't be accessed by guests. Next, this request should go through a middleware, to check authorization. And last, request is accepted/rejected. Some devs are abusing server actions, server actions aren't a standalone backend. So, is it a breach ? :)

So I just need to verify the JWT cookie?

ok so we can use bind. right and that's good?

Great video, I would have shown the solution though

how can someone forgot authentication middleware?

That's what "Learn NextJs in 6 Days" gets ya.

So can't this be solved by authenticating every request in middleware? I think the middleware.ts file applies to actions as well

How would you authorize this request? I understand validation and sanitization using zod for example but how do i do this if i am using eg next-auth? How do i check who made the request and authorize it?

How can this happen at netflix? I wouldn't say this is a problem with server actions, they are just an abstraction. It could never be a good idea to delete something without performing any validation such as token validation or permission validation

I always do proper authorization!!

Hi josh I'm trying to join your discord server but this invite link is invalid or has expired is showing

Soon enough people are gonna pick up Row Level Security as a soln for this problem

Funny how this is the reason people complained about RSC in the first place

Ummm, so people don’t know they should validate stuff now?

sorry, is not a security problem, is the same as you get params in url :id for getting the current user, you have to get the user id from the auth token middleware in the use server action, that just a bad design system

I mean.. I normally get userID in the server action itself without exposing it to the client and no need to pass it as an argument, and then set up API Rules or RLS on my BaaS... thats supposed to be safe right..?

skill issues... I do these checks even in API, why the heck I would not in server actions...

So the lesson is, ensure origin is userId

Can you make an authorization tutorial using nextAuth?

I mean this can be a problem with API's as well

So you are saying the front dev that did a "3 week full stack BootCamp" doesn't know anything about security? Who would have known? In a serious note. this a security hazard in any API design. be graphQL, REST, etc. you always need to check who is calling what. I actually like python better for this because you can use the decorator pattern. you can create a function decorator and that checks the request before letting it pass to the route. in that decorator you can check user role. if the request even has a user, auth, etc

This is why I will always prefer using proper API endpoints and querying them with something like react-query to perform mutations instead of this hacky server actions approach. Heck I can even just write a middleware that just intercepts and authorizes all requests to my critical endpoints, making me need to write it only once instead of remembering to repeat it on every endpoint/action

Yeah this one's pretty obvious but I can see how server actions make it easier to make this mistake

Disagree: This is a next js issue. Josh, along with all these other meta frameworks, which make it so easy to write code without understanding what runs where. Meta frameworks lower the barrier for less experienced developers to write code that "works" but is easy to hack. You actually say yourself that if you were writing it in a traditional manner, you would be thinking of protecting the client, protecting the server

Water is wet and unsecured endpoints are not secure. I'm not sure why any developer should be "discovering" this, it's like web development 101. The fact that people like the authors of the tweets you showed at the start are making these stupid oversights too shows a larger systemic problem, or just that they are primarily frontend devs who never think about security.

Sooooo, several years and modern next.js developers are comes to php with MVC pattern)

I still don't understand why people use server actions and server components as an actual API instead of making it as some middle layer between frontend and backend to handle some complex CLIENT!-side logic. Why do they code backend-related stuff on frontend? This pseudo-fullstack thing has gone too far. Frontend must be frontend, backend must be backend.

so that's a problem every api has..........................................................

So the problem is people can't do their job right server-side.

Does anyone have a good guide on how to build good authorization in an api/server action to avoid this?

Aren't server actions just api end points? You can't just give an api end point a user Id and delete the user. bro this is an implementation issue. off course i can open my db wideopen to the public and call it a security breach. all i can see is a skill issue. pass the auth token in the header, verify that it hasn't been compromised and hasn't expired, bla bla, then allow the user to proceed with their actions.

ZSA procedures ftw

What if someone user formData?

Rookie mistake tbh 🌚

you mean basic web security?

The issue was caused by skill issue.

This is Weaponized incompetence

this is a bait, you should always validate your incoming request body. its not specific to nextjs

The problem here is wrong programming . This is not a nextjs fault

average dev won't read the docs, that's why average devs shouldn't be pushing code to prod

🤯🤯