Security Concern regarding the tutorial for Next.js Auth

In the tutorial we have:

TypeScript

// src/lib/server/appwrite.js
"use server";
import { Client, Account } from "node-appwrite";
import { cookies } from "next/headers";

export async function createSessionClient() {
  const client = new Client()
    .setEndpoint(process.env.NEXT_PUBLIC_APPWRITE_ENDPOINT)
    .setProject(process.env.NEXT_PUBLIC_APPWRITE_PROJECT);

  const session = cookies().get("my-custom-session");
  if (!session || !session.value) {
    throw new Error("No session");
  }

  client.setSession(session.value);

  return {
    get account() {
      return new Account(client);
    },
  };
}

export async function createAdminClient() {
  const client = new Client()
    .setEndpoint(process.env.NEXT_PUBLIC_APPWRITE_ENDPOINT)
    .setProject(process.env.NEXT_PUBLIC_APPWRITE_PROJECT)
    .setKey(process.env.NEXT_APPWRITE_KEY);

  return {
    get account() {
      return new Account(client);
    },
  };
}

This essentially makes the createAdminClient (and all other exported functions) into an endpoint anyone could use. Is this on purpose?

Source: https://appwrite.io/docs/tutorials/nextjs-ssr-auth/step-3

TL;DR

Security concern raised about the Next.js Auth tutorial code. By making `createAdminClient` and other functions public, it becomes accessible to anyone, potentially compromising security. Developers should update the code to restrict access to these functions or take necessary precautions. Be cautious of exposing sensitive information.

Reply to this thread by joining our Discord

Reply on Discord

Need support?

Join our Discord

Get community support by joining our Discord server.

Join Discord

Get premium support

Join Appwrite Pro and get email support from our team.

Learn more

Recommended threads

Need support?

Join our Discord

Get premium support