Next.js Discord


Question about unstable_cache

Unanswered
Satin Angora posted this in #help-forum
Satin AngoraOP
Is this the right way to do this, or do I still have to pass sanitize as a cache key to handle some edge cases that I can't think of right now?
import { unstable_cache } from "next/cache";
import { prisma } from "@/lib/prisma"; // assumed import path for the shared Prisma client

export const getCachedProduct = (
    slug: string,
    sanitize: boolean
) => {
    return unstable_cache(
        async () => {
            const product = await prisma.product.findUnique({
                where: { slug },
                select: {
                    id: true,
                    name: true,
                    description: true,
                    price: true,
                    imageUrl: true,
                    secretInfo: true,
                },
            });

            const result = product ? structuredClone(product) : null;

            // `sanitize` is captured from the closure, not part of the cache key below
            if (result && sanitize) {
                result.secretInfo = null;
            }

            return result;
        },
        [slug], // cache key parts: slug only
        {
            tags: [`product-${slug}`],
        }
    )();
};

15 Replies

Satin AngoraOP
yeah it's all done on the server
I use sanitize when I'm gonna pass the product to the client side eventually
I cloned it because for some reason when I asked Claude about this he kept screaming at me telling me I'm gonna mutate the original Next.js cache, which seems a bit weird
is it just hallucinating?
yea, you only mutate the cache with whatever you return inside the function. It doesn't matter if it's a cloned object or just the normal object
Satin AngoraOP
so the cloning is pointless here
and there's also no need to pass sanitize as cache key
@Satin Angora so the cloning is pointless here and there's also no need to pass sanitize as cache key
cloning seems pointless to me here, yea. The cache is shared with other users. IMO I would never cache secret data that is shared with others as it might leak
Satin AngoraOP
yeah but how's it going to leak? that's what the sanitize arg is for
whenever I'm planning to pass that data to the client side then I set sanitize to true
is that still insecure somehow?
imagine you at some point don't set the sanitize value. For example because you want to work server-side with the fetched product or whatever (cache MISS + SET). And then you request the same method to fetch a product and display it (for example on the products page) for the user (cache HIT). Now the server leaked data even if you set sanitize to false
@Satin Angora yeah but how's it going to leak? that's what the sanitize arg is for whenever I'm planning to pass that data to the client side then I set sanitize to true
leakage is the burden of the developer. it isn't going to leak if you don't pass the whole object to the client
I'd like to think of cached data as something that's core to data fetching, closer to the model than the presentation. that way, you can still build DTO layers/permission layers that filter out what data can be seen after getting cached data.
unless you can be sure that there's no other method that requires result.secretInfo to carry out that method's operation. because you will likely need to call getCachedProduct again and it's obvious that it will likely need to be cached since no data has been changed prior to the mutation
on the note of not passing secretKeys to the client, you might want to check this out so that you won't accidentally pass secretKeys to React renders while still being able to use it in the back-end (so no need for omitting)
What alfon said, and this is a very good guide on how to set things up with the stuff alfon and I said: https://nextjs.org/blog/security-nextjs-server-components-actions
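The cache-HIT leak described in the replies above, reproduced offline as an added example (this is not code from the thread, from Next.js or from Prisma). `createCache` is a small stand-in I wrote for `unstable_cache`: it keys entries only on the key-parts array, exactly like the real API, so anything the callback captures from its closure (here `sanitize`) is invisible to the cache. `findProduct`, the `widget` row and the `supplier-cost-12.50` value are constructed sample data. The three demos show the pattern from the question leaking, the "put sanitize in the key" alternative, and the DTO-after-cache layout alfon suggested.

```typescript
// Added example, not code from the thread: a tiny in-memory stand-in for
// Next.js unstable_cache so the keying problem can be reproduced offline.
// As with unstable_cache, one entry per key is shared by every caller.

type Product = { id: number; name: string; secretInfo: string | null };

// Constructed sample row standing in for prisma.product.
const PRODUCTS: Record<string, Product> = {
  widget: { id: 1, name: "Widget", secretInfo: "supplier-cost-12.50" },
};

async function findProduct(slug: string): Promise<Product | null> {
  const row = PRODUCTS[slug];
  return row ? { ...row } : null; // fresh object per call, like a DB read
}

// Stand-in for unstable_cache(fn, keyParts): the key is only what keyParts
// says; whatever fn captures from its closure does not influence lookups.
function createCache() {
  const store = new Map<string, unknown>();
  let hits = 0;
  function cached<T>(fn: () => Promise<T>, keyParts: string[]): () => Promise<T> {
    return async () => {
      const key = keyParts.join("|");
      if (store.has(key)) {
        hits++;
        return store.get(key) as T;
      }
      const value = await fn();
      store.set(key, value);
      return value;
    };
  }
  return { cached, hits: () => hits };
}

// Pattern from the question: sanitize is captured, not keyed, so the first
// call for a slug decides what every later call for that slug receives.
async function demoLeak(): Promise<{ leakedSecret: string | null; hits: number }> {
  const c = createCache();
  const getCachedProduct = (slug: string, sanitize: boolean) =>
    c.cached(async () => {
      const product = await findProduct(slug);
      if (product && sanitize) product.secretInfo = null;
      return product;
    }, [slug])();

  await getCachedProduct("widget", false);                  // server-side use: MISS + SET
  const forClient = await getCachedProduct("widget", true); // HIT: the sanitize branch never runs
  return { leakedSecret: forClient?.secretInfo ?? null, hits: c.hits() };
}

// Alternative raised in the question: include sanitize in the key. Each
// (slug, sanitize) pair then gets its own entry, so the sanitized call misses.
async function demoKeyed(): Promise<{ leakedSecret: string | null; hits: number }> {
  const c = createCache();
  const getCachedProduct = (slug: string, sanitize: boolean) =>
    c.cached(async () => {
      const product = await findProduct(slug);
      if (product && sanitize) product.secretInfo = null;
      return product;
    }, [slug, String(sanitize)])();

  await getCachedProduct("widget", false);
  const forClient = await getCachedProduct("widget", true);
  return { leakedSecret: forClient?.secretInfo ?? null, hits: c.hits() };
}

// Layout suggested in the thread: cache the raw model only and apply a
// DTO/permission layer after the cache, so entries never depend on the caller.
function toPublicProduct(p: Product): { id: number; name: string } {
  return { id: p.id, name: p.name };
}

async function demoDto(): Promise<{ hasSecret: boolean; hits: number }> {
  const c = createCache();
  const getCachedProductRaw = (slug: string) =>
    c.cached(() => findProduct(slug), ["product", slug])();

  await getCachedProductRaw("widget");               // MISS + SET, full row stays server-side
  const again = await getCachedProductRaw("widget"); // HIT, still the full row
  const dto = again ? toPublicProduct(again) : null; // shaped for the client here
  return { hasSecret: dto !== null && "secretInfo" in dto, hits: c.hits() };
}
```

Running `demoLeak()` returns the secret on the second call because the first, unsanitized call populated the only entry for that slug; `demoKeyed()` avoids that but still keeps the secret in the shared cache under the `false` key; `demoDto()` keeps one entry and strips fields at the presentation boundary, which is the layout the thread's linked guide describes.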
@Satin Angora solved?