Fetch that works on both client and server and requires Authorization?

Answered

Sun bear posted this in #help-forum

Sun bearOP

2024-10-25T00:10:47.519Z

Are there any patterns for writing fetch functions that work on both client and server when the request needs some sort of authorization header from a cookie?

On the client, this header just gets passed automatically by the browser so it doesn't need to be passed to "fetch", but if I want to make the same call on the server (with the same code) I need to pass the cookie value by reading from cookies(). I'd love to be able to conditionally call this when I know I'm on the server, but you can't even import the function in the client bundle without receiving errors. How can I write an "isomorphic" fetch function?

Answered by Tomistoma

getAccessToken in this context is a server action. You would get build errors if you are importing headers or cookies from a non server action.

On the file you're importing the headers and cookies, make sure that's a server action.

View full answer

26 Replies

Tomistoma

2024-10-25T03:09:35.392Z

What you can do is to create a fetcher in your lib then use that fetcher for your fetches. I used to do that with this code as an example:

import { getAccessToken } from "@/actions/auth";

const serverURL = process.env.NEXT_PUBLIC_BACKEND;
const clientURL = process.env.NEXT_PUBLIC_CLIENT_BACKEND;

export const fetcherServer = async (resource, options = {}) => {
  const token = await getAccessToken();
  const { method = "GET", headers = {}, ...restOptions } = options;

  const response = await fetch(`${serverURL}/${resource}`, {
    method,
    headers: {
      Authorization: `Bearer ${token}`,

      ...headers,
    },
    ...restOptions,
  });

  return response;
};

export const fetcherClient = async (resource, init) => {
  const token = await getAccessToken();

  const response = await fetch(`${clientURL}/${resource}`, {
    headers: {
      Authorization: `Bearer ${token}`,
    },
    ...init,
  });

  if (!response.ok) {
    const error = new Error("An error occurred while fetching the data.");
    error.info = await response.json();
    error.status = response.status;
    throw error;
  }

  return response.json();
};

You can build something similar like this though I am using next auth so I'm getting the access token from there rather than the cookie directly. I've also separated the url of client (browser calls) vs the server url because I have a specific reason to do that. If they're the same for your use case you can just have one fetcher.

Sun bearOP

2024-10-25T17:40:17.470Z

thanks @Tomistoma , my issue is that it seems like even importing the "headers" or "cookies" functions in the client bundle causes build errors. In your example that would be implicitly happening by importing the "getAccessToken" method, since it reads cookies under the hood

Tomistoma

2024-10-26T01:23:06.513Z

Answer

Sun bearOP

2024-10-28T14:23:47.132Z

ah I see, that might work. The only thing that feels wonky there is that I wouldn't want the client code to be geting the access token itself, because the auth details in the cookies are used in a middleware proxy to get access serverside. So I think if I did this then the server action would basically just return nothing when called clientside and it would just be making a dummy call to the backend or something

or i guess it would just skip the call. But I'd also want some way to block calls to the server action from anywhere but the server

Tomistoma

2024-10-29T02:37:12.694Z

Just create separate fetchers for both client and server. I did that for a different reason which is due to the Docker link not being recognized in the client since the browser calls it.

Sun bearOP

2024-10-29T16:49:28.575Z

yeah the problem is im trying to write a unified fetcher that I can use in react query so that if a query is encountered on the serverside render then it can start the fetch there, while still being able to refresh and invalidate the same queries on the client

the server action approach works for kind of "tricking it" into letting the build happen even though the function is only ever intended to be called on the server, but now I just need to figure out how to lock it down so that the server action's endpoint can never be called on the client

Sun bearOP

2024-10-29T18:28:13.392Z

i ended up solving this by just making an environment variable containing a "secret" string which my fetch client passes to the server action. Since its not a NEXT_PUBLIC env var its omitted from the client bundle so only the server knows it, then the action can check if the correct secret was passed in

Korat

2024-10-29T19:00:52.270Z

Have you checked trpc?

What I think you might need is a BFF approach, where you use the nextjs server as a gateway between your client and your external server

Sun bearOP

2024-10-29T20:26:30.176Z

what I have right now is basically a middleware reverse proxy between the client and my external API, so the clientside sends requests destined for that external API and they get proxied and auth'd through the nextjs middleware with auth0

it was previously a fully clientside app using nextjs pages router which i migrated to app router, so Im trying to layer on some serverside stuff in places where it makes sense. So I want to be able to render and prefetch data on the server using the same react query fetcher that the client uses so that the same component works when run in both places

basically theres way too much code here to do anything other than getting react query working on the server, can't really switch to a different data fetching system or anything

Korat

2024-10-29T20:39:02.682Z

Not enough time to experiment ?

Sun bearOP

2024-10-29T21:05:56.503Z

not really, its a production app with a team working on it so just trying to get some of the benefits of app router without a total rewrite

Korat

2024-10-29T21:10:40.466Z

creating your own middleware is the most basic solution in this case, but you gotta handle all stuff yourself, another option would be trpc as mentioned

Sun bearOP

2024-10-31T14:25:25.733Z

hmm actually the server action solution only works if the fetch is called outside of the "initial render" of the server components, otherwise you get an error

Korat

2024-10-31T19:45:55.938Z

What do you mean by that

Sun bearOP

2024-10-31T21:12:32.687Z

like in the example above

export const MyComponent = async () => {
  // this is a server action
  const accessToken = await getAccessToken()
  const data = await myFetcher(accessToken)

  return <></>
}

Rendering this will error because Next doesn't let you call a server action in the first render pass like this

Korat

2024-10-31T22:04:50.481Z

Why would you need to call a server action in a server component?

You already are in server, just do the fetch

Sun bearOP

2024-10-31T22:39:21.250Z

well the initial premise here is im trying to write a fetch system that works on both the server and the client so that it can be called in either place

to hit the same API

ultimately so that I can have a react query system that can both prefetch data on the server and then refetch it on the client later on using the same function:
https://tanstack.com/query/latest/docs/framework/react/guides/advanced-ssr#advanced-server-rendering

Korat

2024-11-01T08:00:17.883Z

Yeah, as I mentioned above, use trpc

Sun bearOP

2024-11-01T16:45:53.970Z

we are already using react query, just trying to augment it with prefetching

Korat

2024-11-01T18:58:50.581Z

trpc has a wrapper over react query