This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
Could this tool be improved to warn new devs about potential bad anti-patterns Astro SSR? #65
Comments
|
I'm not sure if I understand it correctly, it would be good if you can create a small example repo that can reproduce the problem that you describe. There's always a way to leak ENV with/without t3-env. For instance, if you try to access a server-only ENV on server then pass it to client-side, this will leak the env for sure. |
That's actually the case I tried to describe with the first bullet. I am wondering if there is a way to at least warn the user about this. I am a more advance user and know the patterns to avoid this, but as I am currently working on educational content for new-comers. I wanted to include t3-env, and it would be great if the tool can not experienced devs about bad pattern or potential leak either in SSR Html or serialised component props. Not sure if it is feasible, but maybe the tool could somehow parse and check if the env is accessed in a way, which could leak. |
alexanderniebuhr
changed the title
Well, the tool kinda did, but not quite. It throws an error if you try to use a server env on client, but of course that's not enough to prevent people from leaking the env. Maybe this is something that ESLint can help, but again there's too many ways/patterns to leak server env, which I think this is something people should really know and learn how to prevent it. But I agree with you that it would be good if the tool can prevent this from the first place. |
|
I dont see how though? ESLint maybe can detect this? |
In Astro, we should know which parts of the code are SSR. I would think the assumption that everything is SSR except specifically set an client directive like If someone uses env variables in these places, it should check if the user tries to access client or server vars and print a warning if server vars are used. The only question I have, how much parsing is necessary and does it impact perf. |
|
Tried searching for my server variables in the client bundles. Indeed I can see my build-time server-side variables leaked in the bundle, but all the runtime server-side variables are not bundled. I think it's important to point out the specific types of variables here, as:
So the problems to solve here are:
The former might need us to separate different |
I saw the built-time envs in my bundle too, after I used your setup. The runtime leak is definitely something the dev has to prevent, and not an technical issue. But I think if the tool could still warn about this, it would be great! |
|
Lesson learned: One must build the project, then go to the DevTools and search for their envs on the client, just to be sure. Maybe even inspect the server bundle in Luckily my project has not gone to the production yet. Before any linting plugin exists, just make sure to double check. You can't trust linting tools to go Also take a look at https://github.com/withastro/astro/blob/main/packages/astro/src/vite-plugin-env/index.ts. It is a bit magical what is has done on top of Vite. Oh and I have some documentation about all these in my issue here #60. |
|
Can you explain what variables are leaked and how? The framework shouldn't let server-side variables be defined on the client, no matter what file you're using it in. There is no way i can use What am I missing? |
It's actually a little bit of an anti-pattern: if you use Vite's Actually that has nothing to do with t3-env at all. Just a Vite thing. I wanted to validate that at build time via t3-env, but that isn't related to the above "leak" too much. The second "leakability" is rendering the server variables in the HTML, which can happen everywhere, not just That also isn't related to t3-env at all, and can happen anywhere there is server-side rendering involved. So I guess nothing can be done from t3-env except trying to provide a kind of SQL injection prevention but for env vars. |
As far as I can tell, if you setup your envs for Astro correctly nothing is leaked per definition. |
alexanderniebuhr
changed the title
|
Ok so the same would be true for RSC if you store a value from env to a variable and passet as prop. Same can be true if you return a value in an api endpoint. I dont think its the job of t3-env to present this. Maybe we can make a @t3-env/eslint-plugin that can analyze the code and see if a pattern like this is present and warn about it? Would be a pretty cool thing |
Correct!
Agree, that it would be pretty cool to have and it will be a lint warning instead of an actual thrown error. However not sure if an eslint plugin would be the best solution. Not everyone uses eslint (I use rome tools). I wonder if this linting step could be included in t3-env as an opt-in configuration option? So it can be chosen to be used and it will offer this to devs. |
This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
I think I found a way to leak variables to the client in Astro using Islands with
client:only...If I import the validation function inside a UI Component and then useclient:onlyisland, I will get errors and no render if I try to access an server variable, which is expected. But the validation function is in the js island chunk. So some can open dev tools, look at the js chunk and find the variables.Originally posted by @alexanderniebuhr in #60 (comment)
The text was updated successfully, but these errors were encountered: