Source from repo

Vercel React Best Practices

Apply 62 React and Next.js performance optimization rules from Vercel Engineering

vercel-labsGitHub vercel-labsOfficialSource repo Original GitHub link Publisher page

Files

Skill

n/a

Size

225.0 KB

Entrypoint

SKILL.md

Format

git-repo

Open file

rules/server-auth-actions.md

Syntax-highlighted preview of this file as included in the skill package.

Rendered Source

markdown97 linesFree

rules/server-auth-actions.md

1---
2title: Authenticate Server Actions Like API Routes
3impact: CRITICAL
4impactDescription: prevents unauthorized access to server mutations
5tags: server, server-actions, authentication, security, authorization
6---
7 
8## Authenticate Server Actions Like API Routes
9 
10**Impact: CRITICAL (prevents unauthorized access to server mutations)**
11 
12Server Actions (functions with `"use server"`) are exposed as public endpoints, just like API routes. Always verify authentication and authorization **inside** each Server Action—do not rely solely on middleware, layout guards, or page-level checks, as Server Actions can be invoked directly.
13 
14Next.js documentation explicitly states: "Treat Server Actions with the same security considerations as public-facing API endpoints, and verify if the user is allowed to perform a mutation."
15 
16**Incorrect (no authentication check):**
17 
18```typescript
19'use server'
20 
21export async function deleteUser(userId: string) {
22  // Anyone can call this! No auth check
23  await db.user.delete({ where: { id: userId } })
24  return { success: true }
25}
26```
27 
28**Correct (authentication inside the action):**
29 
30```typescript
31'use server'
32 
33import { verifySession } from '@/lib/auth'
34import { unauthorized } from '@/lib/errors'
35 
36export async function deleteUser(userId: string) {
37  // Always check auth inside the action
38  const session = await verifySession()
39  
40  if (!session) {
41    throw unauthorized('Must be logged in')
42  }
43  
44  // Check authorization too
45  if (session.user.role !== 'admin' && session.user.id !== userId) {
46    throw unauthorized('Cannot delete other users')
47  }
48  
49  await db.user.delete({ where: { id: userId } })
50  return { success: true }
51}
52```
53 
54**With input validation:**
55 
56```typescript
57'use server'
58 
59import { verifySession } from '@/lib/auth'
60import { z } from 'zod'
61 
62const updateProfileSchema = z.object({
63  userId: z.string().uuid(),
64  name: z.string().min(1).max(100),
65  email: z.string().email()
66})
67 
68export async function updateProfile(data: unknown) {
69  // Validate input first
70  const validated = updateProfileSchema.parse(data)
71  
72  // Then authenticate
73  const session = await verifySession()
74  if (!session) {
75    throw new Error('Unauthorized')
76  }
77  
78  // Then authorize
79  if (session.user.id !== validated.userId) {
80    throw new Error('Can only update own profile')
81  }
82  
83  // Finally perform the mutation
84  await db.user.update({
85    where: { id: validated.userId },
86    data: {
87      name: validated.name,
88      email: validated.email
89    }
90  })
91  
92  return { success: true }
93}
94```
95 
96Reference: [https://nextjs.org/docs/app/guides/authentication](https://nextjs.org/docs/app/guides/authentication)
97

Preparing the source view

Vercel React Best Practices

rules/server-auth-actions.md