You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Is your feature request related to a problem? Please describe.
It's a bit annoying to need to worry about the security implications of exposing every server function when some functions should be server accessible only with no exposure for components rendered only on the server, same behaviour as server side code with RSCs not needing to be exposed to clients
Describe the solution you'd like
inside of a #[component] macro when experimental-islands enabled allow all ssr dependencies
#[cfg(features="ssr")]asyncfndb_example() -> Result<Vec<String>,ServerFnError>{use sqlx::Row;// sqlx is under ssr deps in cargo.tomllet url:&str = "example-pg-url";let pool = sqlx::postgres::PgPool::connect(&url).await?;let res = sqlx::query("SELECT `title` FROM `works`").fetch_all(&pool).await?;let titles:Vec<String> = res.get()return titles;}#[component]fnServerOnly() -> implIntoView{view!{
<div>
<Await future=|| db_example()let:data>
<For
each=move || { res.clone().into_iter().enumerate()}
key=|(index, data)| *index
// renders each item to a view
children=move |val| {let title = val.to_string();
view! { <p>{title}</p> }}
/>
</Await>
</div>
}}
Describe alternatives you've considered
Just always making a server action even if it's never used on the client and handling the security for all of them as if they were exposed endpoints rather than internal functions.
Additional context
Async RSC example as a reference over from the JS/TS world
asyncfunctiongetTitles(): Promise<string[]>{// drizzle ORM example as comparison to sqlxreturnawaitdb.select({title: worksTable.title}).from(worksTable);}asyncfunctionServerOnly(): Promise<JSX.Element>{return(<div>{titles.map((title)=>(<p>{title}</p>)}</div>);}
The text was updated successfully, but these errors were encountered:
This is not unreasonable. The way it works how it currently works is this: when compiling the frontend in islands node, the compiler actually compiles the whole application, then does dead code elimination to remove anything that's not used in the body of an island.
This is because #[component] does not mean "guaranteed to run on the server"; an island can use a component in its body and that will be included in the WASM binary. We don't have server components guaranteed only to be on the server; we have islands guaranteed to be on the client, and shared components.
A straightforward workaround is to cfg-flag whatever server-only code you want to call in a component, and #[cfg(not(feature= "ssr"))] let foo = unreachable!(); if you are sure you don't use it in an island.
Is your feature request related to a problem? Please describe.
It's a bit annoying to need to worry about the security implications of exposing every server function when some functions should be server accessible only with no exposure for components rendered only on the server, same behaviour as server side code with RSCs not needing to be exposed to clients
Describe the solution you'd like
inside of a
#[component]
macro whenexperimental-islands
enabled allow allssr
dependenciesDescribe alternatives you've considered
Just always making a server action even if it's never used on the client and handling the security for all of them as if they were exposed endpoints rather than internal functions.
Additional context
Async RSC example as a reference over from the JS/TS world
The text was updated successfully, but these errors were encountered: