-
Notifications
You must be signed in to change notification settings - Fork 276
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Component-level data fetching functions included in client bundle #1615
Comments
@coreyasmith Thanks for the detailed information. We have a ticket in our internal backlog and will work on this issue. |
Subscribing... This would be beneficial for my project. |
I want to add more information on how beneficial this would be for XM Cloud projects like mine. Preventing secrets and other sensitive information from being included in the client-side bundle when used for component-level data fetching would allow us to create components that depend on authenticated API requests. This would allow us to create SXA components that request information from other systems that content editors can place on ANY page. Currently, this is not possible without exposing API credentials, which is a huge security issue. |
111% ... Merkle, Inc. checking in here... This seems like a major flaw to a majorly cool feature. We have components which use component-level data fetching with getStaticProps making graphql calls to Sitecore. This works fine since the Sitecore API key is not a secret. But we have a current client that has their own API, which does use a secret, making this component level data fetching impossible. Instead, I had to move the data fetching into our pages route handler and pass the data down to components via react context, which is not ideal, but works. |
I will also add, @coreyasmith has a Possible Fix above... It was almost there, but I couldn't get it working, for whatever reason. I did get something working though, which does reliably strip out all the extra imported code and secrets from the client bundle. @coreyasmith appreciate your research around this. I will note, when running this locally and not built, some of the code still shows as in the client bundle. Once the code is built, there is no remnants of any secret or code imported / used in component-level getStaticProps anywhere in the client bundle. Screenshots attached at the end. This function gets attached to the webpack configuration in next.config.js:
.env.local or Vercel environment variable: In your component, you will add the getStaticProps with server check:
|
Describe the Bug
getStaticProps
orgetServerSideProps
are included in the client-side bundle when they are defined at the component level. Any imports they depend on are included in the client-side bundle as well, even if the imports are not used by any client-side code. Consider the following:In this example, the entire
getStaticProps
function will be included in the client-side bundle, leaking secrets to the browser. The./database
and./server-data.json
imports will be included in the client bundle, inflating the client bundle with code that will not be used.This is a bug because if the same code were declared in a
getStaticProps
function defined at the page level:getStaticProps
function would be excluded from the client-side bundle;getStaticProps
depends on would be tree-shaken and excluded from the client-side bundle.The Next.js documentation for getStaticProps and getServerSideProps both state that code in these functions will be eliminated from the client-side bundle when defined at the page level.
Next.js developers will expect the same behavior from the JSS component-level data fetching implementation. This reasonable assumption will at best lead to bloated client-side bundles, and at worst lead to leaked secrets. Vercel's next-code-elimination tool even suggests that the
getStaticProps
function in the example above will be eliminated from the client-side bundle; however, that is not actually the case.To Reproduce
Implement the component described above. Search within the client-side bundle at http://localhost:3000/_next/static/chunks/pages/%5B%5B...path%5D%5D.js for
getStaticProps
orsecret-connection-string
; observe that they are included in the client-side bundle. Search for theimport
s used bygetStaticProps
and note that they are included in the client-side bundle as well.Implement the same code in
src\pages\[[...path]].tsx
'sgetStaticProps
method. Search within the client bundle http://localhost:3000/_next/static/chunks/pages/%5B%5B...path%5D%5D.js forgetStaticProps
orsecret-connection-string
. Observe that they are excluded from the client-side bundle. Search for theimport
s used bygetStaticProps
and note that they are excluded from the client-side bundle.Expected Behavior
Component-level data fetching functions
getServerSideProps
andgetStaticProps
behave the same as when they are defined at the page level:Possible Fix
An environment variable,
IS_SERVER
, could be defined with webpack in the Next config that evaluates to'true'
on the server and'false'
on the client:Component-level
getStaticProps
calls and its imports could then be nested into aprocess.env.IS_SERVER === 'true'
check and webpack will exclude them from the client-side bundle:However this is more of a workaround than a fix. A true fix would handle this automatically and not require developer intervention.
Perhaps updating the Component Builder or Module Factory to not import
getServerSideProps
orgetStaticProps
whenIS_SERVER
evaluates totrue
would handle this.Provide environment information
The text was updated successfully, but these errors were encountered: