Server-side request in server-action when not form fine?
Unanswered
Expensiveee posted this in #help-forum
I have an onboarding flow, and once the user completes it, I need to mark them as "done" by calling a separate API. Specifically, I use a POST /internal/user/permissions endpoint to add the "onboarding_done" permission.
Since it's an internal route, I obviously don't want to expose it to the frontend; it could allow users to manipulate their own permissions. I've already implemented HMAC request signing for added security, but I still intend to call /internal/* routes from the server only.
So my question is, given that the final step in onboarding is triggered by a client component (e.g., a button click), what's the best way to make that call to the internal API server-side, securely and without exposing the route?
I've gone with actions but I don't feel like it's a good
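An added example, not part of the original post and not the poster's code: a sketch of the server-only call the post describes, where the server action takes no user-supplied identity and signs the request to `POST /internal/user/permissions` with an HMAC that the internal API verifies. The header names, the signed-string layout, the 60-second freshness window and the `getSessionUserId` and `send` helpers are assumptions made for illustration; only the route and the `onboarding_done` permission come from the post.

```javascript
// Added example. Header names, signed-string layout and the skew window are assumptions.
const crypto = require("node:crypto");

const ROUTE = "/internal/user/permissions";
const MAX_SKEW_MS = 60_000; // assumed freshness window to limit replay

// Caller side: runs inside the server action. userId must come from the
// server-side session, never from arguments sent by the client component.
function signInternalRequest(secret, userId, now = Date.now()) {
  const body = JSON.stringify({ userId, permission: "onboarding_done" });
  const ts = String(now);
  const mac = crypto.createHmac("sha256", secret)
    .update(`POST\n${ROUTE}\n${ts}\n${body}`)
    .digest("hex");
  return { method: "POST", path: ROUTE, body,
           headers: { "x-timestamp": ts, "x-signature": mac } };
}

// Receiver side: the internal API recomputes the MAC over method, path,
// timestamp and body, then compares in constant time.
function verifyInternalRequest(secret, req, now = Date.now()) {
  const rawTs = req.headers["x-timestamp"];
  const ts = Number(rawTs);
  if (!Number.isFinite(ts) || Math.abs(now - ts) > MAX_SKEW_MS) return false;
  const expected = crypto.createHmac("sha256", secret)
    .update(`${req.method}\n${req.path}\n${rawTs}\n${req.body}`)
    .digest();
  const given = Buffer.from(String(req.headers["x-signature"] || ""), "hex");
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Shape of the server action: no parameters from the client.
// getSessionUserId and send are hypothetical stand-ins for the app's
// session lookup and HTTP client.
async function completeOnboarding({ getSessionUserId, send, secret }) {
  const userId = await getSessionUserId();
  if (!userId) throw new Error("not authenticated");
  return send(signInternalRequest(secret, userId));
}
```

The signing secret stays in server-only configuration; because the action itself is reachable by the client, the session check inside it is what decides whose permission gets written.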