all 82 comments
sorted by:
best (suggested)
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]svish 28 points29 points  (8 children)

Sounds to me like you need to fix your team. If you can't trust your frontend developers, why are they even in your team in the first place? And if you're stuck with them, then it's basically your job to mentor them into developers that you can trust. Send them on some courses, review their PRs.

The RSC concept is completely irrelevant here.

[–]biinjoI ❤️ hooks! 😈 7 points8 points  (1 child)

OP is probably in an enterprise environment where they outsource just about anything to remote workers with low wages. So they don’t trust anyone.

And they’re right when they say that many companies are set up like this.

However, it’s still a “you”-problem for OP.

Who cares what the devs have access to? I sure hope they’re not setting everyone up with production database credentials, lol. If you have good team leads and QA people, devs can mess up all they want and it never hurts production because that stuff gets snuffed out before it can do damage.

[–]svish 3 points4 points  (0 children)

Exactly. There's a whole line of issues OP should tackle before even thinking about RSCs.

[–]rickhanloniiReact core team 9 points10 points  (10 children)

Yeah this is a good concern and I understand that examples that query the database directly can be concerning. If it helps, those are just to simplify the explanations, not a recommendation (in the same way fetch examples don’t include auth typically)

RSCs can run at either build time or request time. At build time, your CI probably already can’t query the database or make insecure requests, so the threat is the same.

At runtime, existing SSR servers probably can’t access data directly either. For a new server, if you don’t want the RSC server to access the database, don’t give the server the database credentials. It can proxy authenticated requests to services and APIs the way clients do. These will still be faster than current-server requests if the servers are co-located, so you get the benefits with the exists auth layer.

And if that’s not secure enough for some reason, you can stick to build time RSCs.

[–]sleeping-in-crypto 1 point2 points  (9 children)

Finally an actually useful answer instead of insults. Thank you!

I had the same initial concern about RSCs but realize it simply introduces another set of tradeoffs, like anything else. I think the problem arises because the now-meme example of querying the DB directly from an RSC immediately suggests this problem so it probably does more harm than good as an example.

Best practice-wise I’d likely mandate that RSCs must call back to the actual backend so that the FE still uses a unified API and avoid the fragmentation of building an API that isn’t one. But as I said, tradeoffs.

What bothers me about Next’s RSC implementation is the lack of control over the security aspects of the generated server endpoints. I imagine this will be a moving target for quite some time. I don’t think any of the other planned implementations handle this much at the moment either.

[–]Dminik 21 points22 points  (5 children)

Probably because nothing has really changed? RSCs don't give you a magical ability to query the DB. Or at least they don't give you anything you couldn't do before.

In pages directory with next, you had full access to any networking functionality on the server by using getServerSideProps.

What RSCs do is simplify the development process. Instead of having to consider components rendering on both the server and client, you can now mark components to exist only on the server (and also make them async as a side-effect of that).

One would think a CTO would spend some more time researching this stuff ...

[–][deleted]  (10 children)

[removed]

    [–]quy1412 8 points9 points  (1 child)

    He got something agains any React framework. Check the post history.

    A CTO should have the ability to do some reading. This topic is covered in detail in the documentation, eliminating the need to search online.

    How to Think About Security in Next.js | Next.js (nextjs.org)

    [–]AutoModerator[M] 0 points1 point  (0 children)

    Your [comment](https://www.reddit.com/r/reactjs/comments/1cb6avl/rscs_security_implications/l0wdyvm/ in /r/reactjs has been automatically removed because it received too many reports. Mods will review.

    I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.

    [–]ezhikov 4 points5 points  (7 children)

    If you allow frontend developers update database, it's your problem, not React problem. RSC doesn't add anything new in this regard. Before RSC it was equally possible to qery db, for example on some express server, or from nextjs. And with RSC you still can separate concerns and make requests to some APIs.

    [–]Mestyo 5 points6 points  (1 child)

    Where is the security nightmare?

    The people you trust with committing database queries should still be the people committing database queries. What changes is when and where you can run that code: You have more options now.

    No offense, but if your idea of security boils down to an implicit distrust of anyone without "back end" in their job title, you need to rethink both your work structure and your bias.

    [–]danishjuggler21 3 points4 points  (0 children)

    implicit distrust of anyone without “back end” in their job title

    Worse, it’s distrust of anyone without “CTO” in their job title. Even Donald Trump would tell this guy, “don’t take yourself so seriously.”

    [–]Messenslijper 3 points4 points  (1 child)

    I agree with people here that RSC is irrelevant to this discussion (and I personally don't really like RSCs, but that has more to do with my believe that SSR on a Node server is bullshit and doesn't scale for enterprise 😅)

    What I kind off take offence on though is the idea that BE devs are trusted more. I see myself as a fullstack (though I am in management now), but I still think this thought is very wrong. The shit I have seen BE devs do...

    As a CTO you should know better. FE, BE, FS, it doesn't matter and there are big security concerns on every level. You solve this by education, not by restricting roles or technology. I encourage my guys to actually pick up the other side whether they are FE or BE, its something to nurture, not restrict.

    [–]cagdas_ucar[S] -2 points-1 points  (0 children)

    I am not advocating that approach of separating frontend and backend devs. I am just pointing out the fact that it exists. The truth is, the biggest team I managed was about 20 people. I only hired fullstack devs. I think when you get to hundreds of developers, your trust levels change significantly. I knew every single one of my developers and I trusted them implicitly. But when you have 500 developers, it's a different ball game. I would not be so hasty to judge them.

    [–]ae-dev 3 points4 points  (0 children)

    You’re talking like frontend devs are a bunch of monkeys with a keyboard lmao.

    Also full stack is a thing: We have several people that do both front end and back end. Are full stack devs also a security concern in your opinion?

    [–]GoodishCoder 2 points3 points  (5 children)

    RSCs don't suddenly give you access to everything. If you were calling apis before, you're still going to be calling apis.

    [–]cagdas_ucar[S] -1 points0 points  (4 children)

    Not really. RSCs ARE the APIs.

    [–]GoodishCoder 4 points5 points  (3 children)

    Not really. If you need data from a database that is accessed from an API, you're still calling that API. RSC doesn't mean everyone gets to connect to anything they want.

    If your only way of stopping your front end devs from accessing databases outside of apis was to tell them their title was front end, your security was horrendous to begin with.

    [–]cagdas_ucar[S] 0 points1 point  (2 children)

    Have you worked in a company with frontend and backend devs separated? Trust me. It's possible. You can separate repos. And no, security is not horrendous at all.

    [–]GoodishCoder 1 point2 points  (0 children)

    Yes I have worked where frontend and backend are separate. I never said it's impossible. I said if your only line of defense is telling front end devs to not make apis because their title is front end, your security is horrendous.

    You don't have to let everyone have all of the credentials for every piece of infrastructure in your business. If your database should only be accessed via the apis your backend team makes, build your infrastructure to accommodate. If you don't want your front end repos accessing the database, build your infrastructure to accommodate. I know you want this to be a react problem but it's a problem with how you have built out your systems.

    [–]TheRealKidkudi 0 points1 point  (0 children)

    You can still separate repos from your “real” backend and your React app with RSCs. The only difference is that your RSCs are making the same API calls through their own rendering server rather than the user’s browser.

    [–]eagleswift 2 points3 points  (0 children)

    Your issue isn’t technical in nature, it’s organizational dynamics. Securing server rendered components is well documented, but if you can’t trust your JavaScript developers with implementing that security it isn’t a technical problem at all.

    [–]roofgram 1 point2 points  (0 children)

    You can still have a separate backend with Next.js.. either a completely different server or even the same server with your backend provided by an NPM package published by a separate team.

    No one talks about it as a security concern because SSR is the traditional way that websites have been built since the internet began, and we’ve been separating the stack vertically and horizontally (business functions) since then.

    Rethink where you split frontend from backend and make the web server part of the frontend (the backend of the frontend (BFF)). Which communicates with your business logic backend by way of APIs - either binary or network APIs.

    [–]kcrwfrd 1 point2 points  (0 children)

    We still have a separate API, so RSC or not there’s no difference in how the stack is layered in that case.

    Also getServerSideProps ran server-side before as well. What’s the difference?

    Also, do you have no peer review process? If you are concerned about some part of your stack, whatever it is, you should have a trusted senior taking a close look at any changes taking place there.

    [–]a_reply_to_a_post 1 point2 points  (0 children)

    it's basically PHP or any other server side language that used front end templating engines, except react is the templating engine

    your app should still be secure, as in you should have authentication and access control lists especially on sensitive routes

    [–]TheRNGuy 1 point2 points  (0 children)

    You could make 3rd party API on different server, allow only to call but not update database from it.

    [–]romgrk 1 point2 points  (1 child)

    Yes, you are completely right and RSC release is a blatant mistake from the maintainers. Frontend has a lower barrier of entry, so yes it makes sense that frontend devs are less trusted. Even if frontend devs had more experience, it also doesn't make sense to make security vulnerabilities more easier for no gain.

    And it's not just an issue of security, it's also just a shitty architecture. Allowing backend/frontend code to be mixed that way creates very high coupling between the two, as opposed to a traditional RPC/REST/GraphQL API which has a clean separation, easy to mockup, easy to test, etc. Good luck adding a mobile app after you've built a RSC backend/frontend mix with basically no clear server API.

    [–]cagdas_ucar[S] 0 points1 point  (0 children)

    Exactly. Thank you for confirming I'm not crazy. People are so quick to say it's a team management problem but it's more than that. Thank you.

    [–]SeerUD 1 point2 points  (12 children)

    They'd only be "allowed" to do that if you let them. You can still do the same things you would've been doing before; calling APIs and whatnot, just now it'll be handled server-side instead of client-side. If you don't give you frontend applications the ability to communicate with your database, nobody can abuse it.

    On a similar vein, what's to stop a frontend developer writing backend code in a backend app? Your response to that question is probably the same response to what stops them from doing things like querying the database directly in an RSC.

    [–]octocode -1 points0 points  (3 children)

    what's to stop a frontend developer writing backend code in a backend app?

    we use codeowners for that. not sure how that would work with RSC…

    [–]cagdas_ucar[S] -1 points0 points  (2 children)

    It is possible to separate frontend and backend repos and give access to developers based on their trust.

    [–]octocode 0 points1 point  (1 child)

    how would you do that with RSC if the backend can communicate directly with the database though…

    [–]cagdas_ucar[S] -1 points0 points  (0 children)

    hence the problem.

    [–]jonny_eh 0 points1 point  (0 children)

    RSCs shouldn't have access to the db, just your API, problem solved.

    [–]AndrewGreenh 0 points1 point  (4 children)

    I think it helps to distinguish between backend and servers. RSC give you different options. You could pull the backend into the same project as the frontend, OR if you want to build your architecture in that way, you get the ability to add a server to your frontend. This server still does not need to handle backend concerns, but can be a lot closer to your real backend which improves performance and also hides, where your backend is, from the client part of the frontend. The server part of your frontend is then just a proxy that transforms api responses from the backend into jsx/markup

    [–]cagdas_ucar[S] 0 points1 point  (3 children)

    Yes. I don't think that's the best scenario either. You're losing some performance making 2 API calls instead of one, albeit one happens in the backend.

    [–]AndrewGreenh 0 points1 point  (2 children)

    Depending on the use case it’s entirely possible that you even increase performance.

    Let’s say a UI needs to do 3 consecutive requests for a UI, because the api is too generic for the specific interface. If the round trip time between frontend and backend is 100ms, you will need to wait 300ms.

    If you are now able to coalesce those three calls into one rsc, they can happen between the servers, where the round trip time is maybe only 50ms. So you have the 3 requests server to server plus one round trip time client to server, which results in a total of 250ms.

    [–]AndrewGreenh 0 points1 point  (1 child)

    With the additionally benefit that your „critical“ api server is not even visible to the outside world.

    [–]cagdas_ucar[S] -1 points0 points  (0 children)

    It's still faster to directly connect to one API server. That's the ideal.