Security problem in Nextjs
Answered
Australian Freshwater Crocodile posted this in #help-forum
Australian Freshwater CrocodileOP
I have a file : /app/api/api.ts
In this file I have all the functions for communicating with the backend (backend is external)
The api.ts file looks like this :
I just noticed that I can see this whole file in sources on the browser, my mistake that I had to check this out before starting the whole project but now the project is almost done.
Can I secure this with just adding a "use server" on top of this file? I mean making it inaccessible on browser
Also I import these functions on client side pages almost every single part of my site
Like
"use client"
import { getStoreMoney } from "@/app/api/api"
What should I do?
In this file I have all the functions for communicating with the backend (backend is external)
The api.ts file looks like this :
const API_BASE_URL = process.env.NEXT_PUBLIC_API_BASE_URL
import { signOut, getSession } from 'next-auth/react'
import { OrderData, SellerRequestStatus } from '@/types/types';
async function refreshAndRetry(token: string, url: string, options: RequestInit) {
const session = await getSession();
if (session?.accessToken && session.accessToken !== token) {
const response = await fetch(url, {
...options,
headers: {
...options.headers,
'Authorization': `Bearer ${session.accessToken}`,
},
});
return response;
}
signOut();
throw new Error('Session expired');
}
export async function updateUserAddress(
...
) {
let response = await fetch(`${API_BASE_URL}/userProfile/update_address/${addressId}`, {
method: "PUT",
headers: {
Authorization: `Bearer ${token}`,
"Content-Type": "application/json",
},
body: JSON.stringify(addressData),
})
if (response.status === 401) {
response = await refreshAndRetry(token, `${API_BASE_URL}/userProfile/update_address/${addressId}`, {
method: "PUT",
headers: {
"Content-Type": "application/json",
},
body: JSON.stringify(addressData),
})
}
...
}
export async function loginUser(phone: string) {
const response = await fetch(`${API_BASE_URL}/auth/login`, {
...I just noticed that I can see this whole file in sources on the browser, my mistake that I had to check this out before starting the whole project but now the project is almost done.
Can I secure this with just adding a "use server" on top of this file? I mean making it inaccessible on browser
Also I import these functions on client side pages almost every single part of my site
Like
"use client"
import { getStoreMoney } from "@/app/api/api"
What should I do?
Answered by B33fb0n3
then the server does the calls to your external backend, yea. Keep in mind, that your external backend is still accessable even without your server if the client know the endpoint
18 Replies
@Australian Freshwater Crocodile I have a file : /app/api/api.ts
In this file I have all the functions for communicating with the backend (backend is external)
The api.ts file looks like this :
tsx
const API_BASE_URL = process.env.NEXT_PUBLIC_API_BASE_URL
import { signOut, getSession } from 'next-auth/react'
import { OrderData, SellerRequestStatus } from '@/types/types';
async function refreshAndRetry(token: string, url: string, options: RequestInit) {
const session = await getSession();
if (session?.accessToken && session.accessToken !== token) {
const response = await fetch(url, {
...options,
headers: {
...options.headers,
'Authorization': `Bearer ${session.accessToken}`,
},
});
return response;
}
signOut();
throw new Error('Session expired');
}
export async function updateUserAddress(
...
) {
let response = await fetch(`${API_BASE_URL}/userProfile/update_address/${addressId}`, {
method: "PUT",
headers: {
Authorization: `Bearer ${token}`,
"Content-Type": "application/json",
},
body: JSON.stringify(addressData),
})
if (response.status === 401) {
response = await refreshAndRetry(token, `${API_BASE_URL}/userProfile/update_address/${addressId}`, {
method: "PUT",
headers: {
"Content-Type": "application/json",
},
body: JSON.stringify(addressData),
})
}
...
}
export async function loginUser(phone: string) {
const response = await fetch(`${API_BASE_URL}/auth/login`, {
...
I just noticed that I can see this whole file in sources on the browser, my mistake that I had to check this out before starting the whole project but now the project is almost done.
Can I secure this with just adding a "use server" on top of this file? I mean making it inaccessible on browser
Also I import these functions on client side pages almost every single part of my site
Like
"use client"
import { getStoreMoney } from "@/app/api/api"
What should I do?
even if it would be possible to hide the code for the client (what would happen when you build your app iirc) then the client can still see the API calls, that the client do. If you don't want that, then yea, add the
'use server' directive on top. Then your server will be called everytime, that then calls the external backend@B33fb0n3 even if it would be possible to hide the code for the client (what would happen when you build your app iirc) then the client can still see the API calls, that the client do. If you don't want that, then yea, add the `'use server'` directive on top. Then your server will be called everytime, that then calls the external backend
Australian Freshwater CrocodileOP
Am I safe if I add "use server" on top?
@Australian Freshwater Crocodile Am I safe if I add "use server" on top?
then the server does the calls to your external backend, yea. Keep in mind, that your external backend is still accessable even without your server if the client know the endpoint
Answer
Australian Freshwater CrocodileOP
Ok then
I didn't code the backend (someone else is maintaining the backend) and he is using Django
So I think its safe from my side
Thanks
@Australian Freshwater Crocodile I didn't code the backend (someone else is maintaining the backend) and he is using Django
yea, then he should make sure his backend is only accessable by the expected user/server
happy to help
@B33fb0n3 happy to help
Australian Freshwater CrocodileOP
Hey man again
I just added "use server" to top of that file
There is literally no difference in seeing it
How does it know not to show types.ts, utils.ts, auth.ts inside lib
and not show auth/ inside api?
and not show auth/ inside api?
@Australian Freshwater Crocodile How does it know not to show types.ts, utils.ts, auth.ts inside lib
and not show auth/ inside api?
Build your app, deploy it somewhere (for example on vercel) and take a look at it then
@B33fb0n3 Build your app, deploy it somewhere (for example on vercel) and take a look at it then
Australian Freshwater CrocodileOP
ok sure thanks
@Australian Freshwater Crocodile ok sure thanks
did u try it ??
@ekimcem did u try it ??
Australian Freshwater CrocodileOP
yeah its correct