Server Action data id leak - Security issue
Unanswered
Asiatic Lion posted this in #help-forum
Asiatic LionOP
In my Next app, in an array of cards, when one is clicked a form is opened. The form takes user input and processes the data in a server action. The problem is that in the network tab the card id that is passed to the server action is leaked. How do I prevent this? Auth is not needed for my app. How do I protect the data?
submitForm is a server action.

    // submitForm is the server action ('use server'); `data` holds the clicked card.
    const { id } = data;

    const handleSubmit = async (formData) => {
      // The id is sent along with the form data and is visible in the network tab.
      const result = await submitForm(formData, id);
      if (result.success) {
        toast.success("Successful!");
      } else {
        console.log("Error!");
        toast.error(result.message || result.error);
      }
    };

    <form action={handleSubmit}>
      ...
    </form>
American Chinchilla
Anything on the client will always be exposed.
I'm assuming the card id is in client code
and that you attach it to the form data, right?
Asiatic LionOP
@American Chinchilla Yes 😓
Any solutions so that it doesn't get exposed? I just need to pass the form data and the id to the submitForm function.
American Chinchilla
@Asiatic Lion not that I know of.
I don't think it's possible.
In any app, user ids are always exposed on the client.
But then you have auth and other authentication to validate the user.
Asiatic LionOP
Then how do I pass it from a server component? I can pass the formData automatically with the form calling the action function. But how do I pass the ID?
American Chinchilla
Does the id have any sensitive information?
Like this card id,
what does it represent?
Asiatic LionOP
Yeah, it has some sensitive information. It represents some premium courses. I can use the form in a server component as well. Just want to know how do I pass the id?
American Chinchilla
Maybe someone else can help who has better knowledge of this domain.
You can't pass client stuff to the server without exposure,
even if the component with the form is a server component.
Anything in the browser is exposed.
You would have to change the way you're validating the user with this premium course id.
We need more details as to how you're implementing the validation...
Pygmy Nuthatch
Encrypt the id using a secret on the server combined with date.getHours(). This way the client doesn't know the id, but the server function can access an env variable with the secret and the time in hours by decrypting the id passed by the client.
@Asiatic Lion DM if necessary
@Pygmy Nuthatch Encrypt the id using a secret on the server combined with date.getHours(). This way the client doesn't know the id, but the server function can access an env variable with the secret and the time in hours by decrypting the id passed by the client.
Asiatic LionOP
@Pygmy Nuthatch Yeah, did a similar thing. Thank you for your suggestion. I want to know how to stop anyone from posting from the API route and the next-action id available in the network tab?
@American Chinchilla not that I know of
Yeah, no matter what, if it's transmitted to the client you have to assume it's compromised or non-secret information; there's no real way around it.