verify action id before parsing body #58977

Merged
merged 5 commits into from
Nov 29, 2023

Conversation

ztanner
Member

@ztanner ztanner commented Nov 27, 2023

What?

When handling a server action, in the non-progressive enhanced case, React will attempt to parse the request body before verifying if a valid server action is received. This results in an "Error: Connection Closed" error being thrown, rather than ignoring the action and failing more gracefully.

Why?

To support progressive enhancement with form actions, the actionId value is added as a hidden input in the form, so the action ID from the header shouldn't be verified until determining that we've reached the non-PE case. (React ref). However, in #49187, support was added for a URL encoded form (which is not currently used, as indicated on the PR).

Despite it not being used for server actions, it's currently possible to trigger this codepath, i.e. by calling redirect in an action handler with a 307/308 status code with some data in the URL. This would result in a 500 error.

How?

React should not attempt to parse the URL encoded form data until after we've verified the server action header for the non-PE case.

x-ref NEXT-1733
Slack context
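
The ordering problem described in this PR, as an added example that is not part of the original PR and is not Next.js or React code: a parse-first handler next to a verify-first handler for the non-PE path only. The header name `x-action-id`, the action manifest, the stand-in decoder, the 404 response and both sample requests are assumptions constructed for illustration.

```javascript
// Added example; every name here is hypothetical, not a Next.js internal.
const ACTION_HEADER = 'x-action-id';          // assumed header name
const knownActions = new Map([                // constructed action manifest
  ['a1b2c3', (form) => `saved:${form.get('title')}`],
]);

// Stand-in for a body decoder that throws on input it cannot decode.
function parseUrlEncodedBody(body) {
  if (!body.startsWith('title=')) throw new Error('Connection closed.');
  return new URLSearchParams(body);
}

// Before: the body is decoded first, so any POST can reach the throw path.
function handleParseFirst(req) {
  const form = parseUrlEncodedBody(req.body);
  const action = knownActions.get(req.headers[ACTION_HEADER]);
  if (!action) return { status: 404, body: 'not an action' };
  return { status: 200, body: action(form) };
}

// After: the action ID is checked first; unknown IDs never reach the decoder.
function handleVerifyFirst(req) {
  const action = knownActions.get(req.headers[ACTION_HEADER]);
  if (!action) return { status: 404, body: 'not an action' };
  const form = parseUrlEncodedBody(req.body);
  return { status: 200, body: action(form) };
}

// Wrap a handler the way a server would: an uncaught throw becomes a 500.
function serve(handler, req) {
  try { return handler(req); } catch { return { status: 500, body: 'error' }; }
}

// Constructed requests: a form POST with no action ID, and a valid action call.
const stray = {
  headers: { 'content-type': 'application/x-www-form-urlencoded' },
  body: 'foo=bar',
};
const valid = { headers: { [ACTION_HEADER]: 'a1b2c3' }, body: 'title=hi' };
```

With the stray request, `serve(handleParseFirst, stray)` yields a 500 while `serve(handleVerifyFirst, stray)` yields the graceful 404; the valid request succeeds under both orderings.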

@ijjk
Member

ijjk commented Nov 27, 2023

Failing test suites

Commit: f9f9bc6

pnpm test-dev test/e2e/app-dir/app-compilation/index.test.ts

  • app dir > HMR > should not cause error when removing loading.js

● app dir › HMR › should not cause error when removing loading.js

TIMED OUT: hello from new page

hello from slow page

undefined

  626 |
  627 |   if (hardError) {
> 628 |     throw new Error('TIMED OUT: ' + regex + '\n\n' + content + '\n\n' + lastErr)
      |           ^
  629 |   }
  630 |   return false
  631 | }

  at check (lib/next-test-utils.ts:628:11)
  at Object.<anonymous> (e2e/app-dir/app-compilation/index.test.ts:44:11)

Read more about building and testing Next.js in contributing.md.

@ijjk
Member

ijjk commented Nov 27, 2023

Stats from current PR

Default Build (Increase detected ⚠️)
General Overall increase ⚠️
vercel/next.js canary vercel/next.js 11-27-verify_action_id_before_parsing_body Change
buildDuration 10.6s 10.5s N/A
buildDurationCached 6s 5.9s N/A
nodeModulesSize 199 MB 199 MB ⚠️ +37.4 kB
nextStartRea..uration (ms) 423ms 428ms N/A
Client Bundles (main, webpack)
vercel/next.js canary vercel/next.js 11-27-verify_action_id_before_parsing_body Change
199-HASH.js gzip 30.7 kB 30.7 kB N/A
3f784ff6-HASH.js gzip 53.3 kB 53.3 kB
494.HASH.js gzip 180 B 181 B N/A
framework-HASH.js gzip 45.2 kB 45.2 kB
main-app-HASH.js gzip 241 B 239 B N/A
main-HASH.js gzip 31.7 kB 31.7 kB N/A
webpack-HASH.js gzip 1.7 kB 1.7 kB
Overall change 100 kB 100 kB
Legacy Client Bundles (polyfills)
vercel/next.js canary vercel/next.js 11-27-verify_action_id_before_parsing_body Change
polyfills-HASH.js gzip 31 kB 31 kB
Overall change 31 kB 31 kB
Client Pages
vercel/next.js canary vercel/next.js 11-27-verify_action_id_before_parsing_body Change
_app-HASH.js gzip 194 B 195 B N/A
_error-HASH.js gzip 182 B 181 B N/A
amp-HASH.js gzip 501 B 503 B N/A
css-HASH.js gzip 322 B 323 B N/A
dynamic-HASH.js gzip 2.5 kB 2.5 kB
edge-ssr-HASH.js gzip 253 B 255 B N/A
head-HASH.js gzip 348 B 347 B N/A
hooks-HASH.js gzip 369 B 368 B N/A
image-HASH.js gzip 4.27 kB 4.27 kB N/A
index-HASH.js gzip 256 B 256 B
link-HASH.js gzip 2.61 kB 2.6 kB N/A
routerDirect..HASH.js gzip 311 B 311 B
script-HASH.js gzip 384 B 383 B N/A
withRouter-HASH.js gzip 307 B 308 B N/A
1afbb74e6ecf..834.css gzip 106 B 106 B
Overall change 3.17 kB 3.17 kB
Client Build Manifests
vercel/next.js canary vercel/next.js 11-27-verify_action_id_before_parsing_body Change
_buildManifest.js gzip 484 B 483 B N/A
Overall change 0 B 0 B
Rendered Page Sizes
vercel/next.js canary vercel/next.js 11-27-verify_action_id_before_parsing_body Change
index.html gzip 528 B 526 B N/A
link.html gzip 539 B 539 B
withRouter.html gzip 524 B 521 B N/A
Overall change 539 B 539 B
Edge SSR bundle Size Overall increase ⚠️
vercel/next.js canary vercel/next.js 11-27-verify_action_id_before_parsing_body Change
edge-ssr.js gzip 92.6 kB 92.6 kB N/A
page.js gzip 145 kB 146 kB ⚠️ +134 B
Overall change 145 kB 146 kB ⚠️ +134 B
Middleware size
vercel/next.js canary vercel/next.js 11-27-verify_action_id_before_parsing_body Change
middleware-b..fest.js gzip 625 B 623 B N/A
middleware-r..fest.js gzip 150 B 151 B N/A
middleware.js gzip 35.7 kB 35.7 kB N/A
edge-runtime..pack.js gzip 1.92 kB 1.92 kB
Overall change 1.92 kB 1.92 kB
Next Runtimes
vercel/next.js canary vercel/next.js 11-27-verify_action_id_before_parsing_body Change
app-page-exp...dev.js gzip 168 kB 168 kB N/A
app-page-exp..prod.js gzip 93.6 kB 93.7 kB N/A
app-page-tur..prod.js gzip 94.4 kB 94.5 kB N/A
app-page-tur..prod.js gzip 88.9 kB 89 kB N/A
app-page.run...dev.js gzip 138 kB 138 kB N/A
app-page.run..prod.js gzip 88.3 kB 88.4 kB N/A
app-route-ex...dev.js gzip 24.2 kB 24.2 kB
app-route-ex..prod.js gzip 16.8 kB 16.8 kB
app-route-tu..prod.js gzip 16.9 kB 16.9 kB
app-route-tu..prod.js gzip 16.4 kB 16.4 kB
app-route.ru...dev.js gzip 23.6 kB 23.6 kB
app-route.ru..prod.js gzip 16.4 kB 16.4 kB
pages-api-tu..prod.js gzip 9.37 kB 9.37 kB
pages-api.ru...dev.js gzip 9.64 kB 9.64 kB
pages-api.ru..prod.js gzip 9.37 kB 9.37 kB
pages-turbo...prod.js gzip 21.9 kB 21.9 kB
pages.runtim...dev.js gzip 22.6 kB 22.6 kB
pages.runtim..prod.js gzip 21.9 kB 21.9 kB
server.runti..prod.js gzip 49.3 kB 49.3 kB
Overall change 258 kB 258 kB
Commit: 7f59dff

@ztanner ztanner force-pushed the 11-27-verify_action_id_before_parsing_body branch 2 times, most recently from 3dc7e70 to 0a15a4c Compare November 27, 2023 18:31
@ztanner ztanner force-pushed the 11-24-update_status_codes_for_redirect_and_permanentRedirect_in_action_handlers branch from 47128a8 to 83b5398 Compare November 27, 2023 18:45
@ztanner ztanner force-pushed the 11-27-verify_action_id_before_parsing_body branch 4 times, most recently from 00ce649 to 158fb83 Compare November 27, 2023 20:19
@ztanner ztanner force-pushed the 11-24-update_status_codes_for_redirect_and_permanentRedirect_in_action_handlers branch from d97b665 to d2d21c3 Compare November 27, 2023 22:56
@ztanner ztanner marked this pull request as ready for review November 27, 2023 23:00
@ztanner ztanner force-pushed the 11-24-update_status_codes_for_redirect_and_permanentRedirect_in_action_handlers branch 2 times, most recently from 1f711ea to 7ef3827 Compare November 28, 2023 15:14
@ztanner ztanner requested review from a team as code owners November 28, 2023 15:14
@ztanner ztanner requested review from ismaelrumzan and removed request for a team November 28, 2023 15:14
@ztanner ztanner requested a review from molebox November 28, 2023 15:14
@ztanner ztanner force-pushed the 11-24-update_status_codes_for_redirect_and_permanentRedirect_in_action_handlers branch from 7ef3827 to 1d2ab51 Compare November 28, 2023 15:29
shuding
shuding previously approved these changes Nov 28, 2023
@ztanner ztanner force-pushed the 11-27-verify_action_id_before_parsing_body branch from 158fb83 to cd6e616 Compare November 28, 2023 15:45
Base automatically changed from 11-24-update_status_codes_for_redirect_and_permanentRedirect_in_action_handlers to canary November 29, 2023 08:35
@kodiakhq kodiakhq bot dismissed shuding’s stale review November 29, 2023 08:35

The base branch was changed.

@ztanner ztanner force-pushed the 11-27-verify_action_id_before_parsing_body branch from cd6e616 to b2112f9 Compare November 29, 2023 14:55
@ztanner ztanner enabled auto-merge (squash) November 29, 2023 19:50
@ztanner ztanner merged commit 8395059 into canary Nov 29, 2023
63 of 68 checks passed
@ztanner ztanner deleted the 11-27-verify_action_id_before_parsing_body branch November 29, 2023 19:55
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 14, 2023
3 participants