Unused server actions have endpoints created for them about next.js HOT 7 OPEN

Hey! There're two issues with this, one is that the unused export wasn't properly tree-shaken where we will try to address.

This can lead to developers accidentally exposing endpoints that they didn't mean to and don't ever consume on the client.

Totally understand the concern but this is not exactly the case here. In the reproduction you copied the header of the request to the previous function (which has a cryptographically hashed id), and then switched to the new function in the code. This is only achievable on development because once you run it on production mode, that previous id won't be exposed anywhere if unused.

We're also adding hash salt rotation to production build, so rebuilds will be protected in this case and all ids will change. I think that will fully address the concern here.

from next.js.

This is only achievable on development because once you run it on production mode, that previous id won't be exposed anywhere if unused.

@shuding are you sure the id won't be exposed anywhere if unused in a production build? I'm able to see it in the JS that's sent to the client when doing npm run build && npm run start

repro steps:

1. npm run build
2. npm run start
3. Open dev tools to page-{}.js
4. Look in dev tools and see it's included, I've attached a screenshot here with the line highlighted where the id is exposed
   

from next.js.

@RhysSullivan That id you saw was for the exposed action (the one you are using inside <button onClick={...}>). The other one's id, which isn't used by the client, won't be seen in the client JS files.

from next.js.

@shuding I deployed the repo to Vercel for further verification https://next-unused-server-actions.vercel.app/

The JS payload is https://next-unused-server-actions.vercel.app/_next/static/chunks/app/page-eab1e6231173d707.js

Inside of that payload, there are 2 action ids listed

6fd2c8e1175bb0510320a3360aea26160ec5e722 - getSignedInUser which is called from the client

4c92e15aecb3e95ebc647ac038a361814d41cb48 - getAllUsersPrivateDoNotLeak which is never referenced on the client

Included in this screenshot to hopefully make it clearer, labels are as follows:

1 - Function which isn't meant to be exposed return body
2 - Only place actions are being called on the client, it's just calling getSignedInUser
3 - Action id of getAllUsersPrivateDoNotLeak
4 - Return value of calling that action, validating it's the same value as 1
5 - JS bundle on the client that has the action ids
6 - Action id of getSignedInUser
7 - Action id of getAllUsersPrivateDoNotLeak

from next.js.

Hey @shuding am I able to provide any more information to help debug / repro this?

from next.js.

Hey @shuding, do the repro steps I listed make sense for seeing the unused action id in the client side bundle? Let me know if I can provide more info, thanks

from next.js.

Yes @RhysSullivan thanks that’s very helpful, I’ll take a look!

But also keep in mind that Server Actions are public API endpoints even though they feel like internal function calls. So you’ll still need authentication layer for them.

from next.js.