Next.js Discord

Discord Forum

Why not rely on middleware exclusively for authorization?

Answered
Spectacled bear posted this in #help-forum
Open in Discord
Avatar
Spectacled bearOP
Answered by B33fb0n3
server actions are made to mutate serverside data from the client.

The middleware will always be handled by the server, so no use for server actions. And also the middleware is not made to do complex stuff (I count mutating data as complex stuff). So using server actions here is the worst solution.

What are you trying to archive?

--- Edit
Server actions are public API endpoints as further discussed
View full answer

22 Replies

Avatar
The middleware is just a file, that sits between the requests. If you just create the file and don't do anything else with it, it won't protect your pages.

If you check the auth inside your middleware, but have a misconfigured matcher, then the middleware might also not be triggered.

For me that looks like the reason why they point out that comment there
Avatar
Spectacled bearOP
So, there is no way to call a server action directly, bypassing middlware?
Avatar
server actions are made to mutate serverside data from the client.

The middleware will always be handled by the server, so no use for server actions. And also the middleware is not made to do complex stuff (I count mutating data as complex stuff). So using server actions here is the worst solution.

What are you trying to archive?

--- Edit
Server actions are public API endpoints as further discussed
Answer
Avatar
Spectacled bearOP
I have a form, it submits data, this will create an entry in the database related to the current user. It uses a server action from a page protected by middleware to check the user is logged in.
Do I need to recheck this in the server action?
In every server action?
All my server actions are expecting a user to be logged in.
All of them are run from pages protected by middlware, this is not enough?
Avatar
you should check this inside your server action, yeah. I like split the action (user does stuff) from the requesting (user receives something)
Avatar
Spectacled bearOP
I would like to learn how an attack would exploit this bug.
How could I call a server action if I cannot view the page that calls it.
What do I search to find an example of this.
Avatar
server actions are also only API endpoints. And endpoints are publically available and can be called from anywhere. Even if you don't have access to a specific page. So always make sure to check the auth before an action will be made
Avatar
Spectacled bearOP
So how do I trigger that server action end point? Practically?
Should I make a new post?
Avatar
there was a discussion in #discussions some time ago. There are also some ways online how to exploit an explicit endpoint.

Also check the security tab from server actions: https://nextjs.org/docs/app/building-your-application/data-fetching/server-actions-and-mutations#security

As you can see attached: they are publically available
Image
Avatar
Spectacled bearOP
I've seen the Next.js documentation.
So, yeah, just wanted to confirm whether middleware were run on these server action endpoints.
Thanks for clarifying they are not.
It would be nice to see how this could be exploited in practice.
I'll check the chat history, thanks.
Avatar
happy to help