Zynth
In the tutorial we have:
TypeScript
// src/lib/server/appwrite.js
"use server";
import { Client, Account } from "node-appwrite";
import { cookies } from "next/headers";
export async function createSessionClient() {
const client = new Client()
.setEndpoint(process.env.NEXT_PUBLIC_APPWRITE_ENDPOINT)
.setProject(process.env.NEXT_PUBLIC_APPWRITE_PROJECT);
const session = cookies().get("my-custom-session");
if (!session || !session.value) {
throw new Error("No session");
}
client.setSession(session.value);
return {
get account() {
return new Account(client);
},
};
}
export async function createAdminClient() {
const client = new Client()
.setEndpoint(process.env.NEXT_PUBLIC_APPWRITE_ENDPOINT)
.setProject(process.env.NEXT_PUBLIC_APPWRITE_PROJECT)
.setKey(process.env.NEXT_APPWRITE_KEY);
return {
get account() {
return new Account(client);
},
};
}
This essentially makes the createAdminClient (and all other exported functions) into an endpoint anyone could use. Is this on purpose?
Source: https://appwrite.io/docs/tutorials/nextjs-ssr-auth/step-3
TL;DR
Security concern raised about the Next.js Auth tutorial code. By making `createAdminClient` and other functions public, it becomes accessible to anyone, potentially compromising security. Developers should update the code to restrict access to these functions or take necessary precautions. Be cautious of exposing sensitive information. Recommended threads
- Different appwrite IDs are getting expos...
File_URL_FORMAT= https://cloud.appwrite.io/v1/storage/buckets/[BUCKET_ID]/files/[FILE_ID]/preview?project=[PROJECT_ID] I'm trying to access files in my web app...
- Invalid document structure: missing requ...
I just pick up my code that's working a week ago, and now I got this error: ``` code: 400, type: 'document_invalid_structure', response: { message: 'Inv...
- custom domain with CloudFlare
Hi all, it seems that CloudFlare has blocked cross-domain CNAME link which made my app hostname which is in CloudFlare, unable to create a CNAME pointing to clo...