Secure your server actions

75,025 views • 11 months ago • via X (Twitter)

10 comments

Alex Sidorenko · 11 months ago

Nuance: action ID is a unique hash. If you don't render it (like in the example when the user is not an admin), it would be hard to trigger your endpoint. But in any case, server actions always create endpoints, and endpoints should be protected.

Eduardo Borges · 11 months ago

damn... I probably missed that one in some project, though I try to keep the actions inside a ./actions/delete-stuff.ts with 'use server'. Works, right?

Alex Sidorenko · 11 months ago

"use server" only ensures that the code in the marked file never gets into the client-side JS bundle. You still need to protect your server actions as if they are separate callable endpoints (because they are).
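The point made in this reply (a server action is a callable endpoint, so it must authorize its caller itself rather than rely on the UI hiding the button), as an added TypeScript example that is not part of the video or the comment thread. It models Next's action-ID routing with a small in-process dispatcher and placeholder action IDs so it runs without the framework; names are illustrative.

```typescript
// Added example, not code from the video or any commenter. Next's action-ID
// table is stood in for by an in-process dispatcher; real actions are async.
type Session = { userId: string; role: "admin" | "user" } | null;
type Action = (session: Session, id: string) => boolean;

// Constructed in-memory "database" of user ids.
export const users = new Set<string>(["u1", "u2", "u3"]);

// Vulnerable pattern: the page renders the delete button only for admins and
// the action trusts that gating. The action is still a POST endpoint, so any
// caller who has its action ID can invoke it, and nothing here stops them.
export function deleteUserUnsafe(_session: Session, id: string): boolean {
  return users.delete(id);
}

// Hardened pattern: authenticate and authorize inside the action on every call,
// exactly as a standalone API route would. The session is assumed to come from
// a server-side verified source (e.g. the request cookies), never from the
// client-supplied arguments, which the caller controls.
export function deleteUserSafe(session: Session, id: string): boolean {
  if (!session) throw new Error("unauthenticated");
  if (session.role !== "admin") throw new Error("forbidden");
  if (!/^u\d+$/.test(id)) throw new Error("invalid id"); // validate args too
  return users.delete(id);
}

// Stand-in for Next's action-ID table: the bundler assigns each server action a
// hash, and the client POSTs that hash plus the serialized arguments.
// The IDs below are placeholders, not real Next hashes.
const registry: Record<string, Action> = {
  act_unsafe_placeholder: deleteUserUnsafe,
  act_safe_placeholder: deleteUserSafe,
};

// Simulates a POST reaching the action endpoint directly, bypassing the UI.
export function dispatch(actionId: string, session: Session, id: string): boolean {
  const action = registry[actionId];
  if (!action) throw new Error("unknown action");
  return action(session, id);
}
```

A non-admin session (or none at all) still deletes through the unsafe action, while the safe action refuses and only the in-action check protects the data.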

Iaci · 11 months ago

I (who separates front- and backend) don't understand this

Ᵽøłskɨ Ƀøɍsȼħ · 11 months ago

...or next-safe-action does this trick for you 😉

yo puaaa 👋 · 11 months ago

Too many people thought server actions were a magic black box that just made things work, without realizing it's just magic POST calls!

Daniel Still · 11 months ago

I love Next overall, but it's a way better experience to just use Route Handlers. Especially if you plug in a framework like Hono or Elysia for good conventions and plugins out of the box.

Legion Dev · 11 months ago

well it's the same as securing your API endpoint lol

Ruchir · 11 months ago

I wonder how many security issues modern Next has created due to server actions lol.

Aurora Scharff · 11 months ago

Also this