Server Actions: Do you need to validate the session when calling Server Actions?
1) When using server actions, there's no need to use csrf tokens anymore right since no external party can call your server action. So it saves this whole step and complication right?
2) When using server actions, if I am storing my sessions in a database, do I still need to check if the user has an active session on every server action mutation? In the past you would need to since anyone can POST to your route. But now with server actions.... only you can call a function on your server right? Therefore, there's no need to validate any database changing function calls in the server action right?
Or is that wrong, because someone can manipulate the javascript on the client side to still call the server action?
If it still requires validation, I guess it would be a good idea to create a middleware-like server action that validates the user or throws before any mutation right?
1 Reply
I think I've come to realize... you still need to validate the session when using server actions that mutate data since determined hackers can still manipulate the frontend javascript.
However, in terms of csrf-tokens, is that still needed? And if so, can someone explain how it should be implemented?
Does it make sense to call a server action to get a csrf-token and maybe save it in a database and then when calling a mutation-like server action, return that same csrf token? I'm unclear on the higher-level rationale behind doing so, given that I'm not sure if a hacker can do the same cross-site scripting attacks anymore with server actions