Will mounting an action keep parameters from being seen by the world?
When mounting an action in Filament PHP, are the arguments exposed to the browser (and potentially visible to a user inspecting the data) or are they strictly processed on the backend, ensuring they are not publicly visible?
Source: https://github.com/filamentphp/filament/blob/e5778290382f0ba8e37657cf541884d2a2f2785b/packages/actions/src/Concerns/InteractsWithActions.php#L159
This is the method in question:
Example of a call that I'd like to keep the data private on:
10 Replies
Do you need the data on the front end? If you do then there’s not much you can do about it.
I don't need the data on the front end. I just need it to process some stuff on the backend.
Ok. So then just don’t include the data in the arguments. Instead make the arguments something like an id that could be used in the ->action() callback to get the data again if you need it for further processing.
But, to answer your question. Anything included in the livewire properties will be exposed on the front end. But there are ways to prevent that. Check the livewire docs.
Properties | Laravel - A full-stack framework for Laravel that takes the pain out of building dynamic UIs.
Is $this->mountedActionsArguments the best way to get that data or is there a better way?
It will work, just don’t pass arguments / data you don’t want exposed.
So if I wanted something secret (e.g., Clark's secret identity), the ideal way is to add the #[Locked] attribute?
Oh, wait. That seems like it prevents it from being manipulated, but is still exposed.
Yes, but actions themselves aren’t livewire components. So they will only expose what you provide to them. But an action can have a view that is a livewire component. So, it really depends on exactly what you are trying to accomplish and how you are accomplishing it.
Thank you so much for this conversation. It's really helpful.
As a follow up, would encrypting data be considered a bad practice? For example, if I want to pass Superman's secret identity as a public variable, but encrypt it when I call the action and then subsequently decrypt it when I need it?
I posed this question to Chat GPT out of curiosity, and it responded as follows:
2. Use Laravel's Encryption for Sensitive Data
If you must send some sensitive data from the client to the server, you can encrypt it using Laravel's encryption facilities (Crypt facade). Here's how you can do that:
- Before passing the argument, encrypt it on the server:
- In your action handler, decrypt the data:
I think you’re missing the point. If you don’t actually need the data on the frontend then don’t send it. It’s as simple as that. If you do actually need it then the authenticated and authorized user has access to view it so it doesn’t matter. I think you need to take a step back and evaluate the goal of what you are trying to accomplish.
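The approach suggested in the replies above (pass only an identifier as the action argument, then load the sensitive value inside the ->action() callback), as an added example that is not part of the original thread or Filament's own code. The Hero model, its secret_identity column, the 'view' policy ability, the HeroPanel component and the Blade view name are assumptions.

```php
<?php

namespace App\Livewire;

use App\Models\Hero; // hypothetical Eloquent model with a secret_identity column
use Filament\Actions\Action;
use Filament\Actions\Concerns\InteractsWithActions;
use Filament\Actions\Contracts\HasActions;
use Filament\Forms\Concerns\InteractsWithForms;
use Filament\Forms\Contracts\HasForms;
use Illuminate\Support\Facades\Log;
use Livewire\Component;

class HeroPanel extends Component implements HasActions, HasForms
{
    use InteractsWithActions;
    use InteractsWithForms;

    // Deliberately no public property for the secret: public Livewire
    // properties are sent to the browser with the component state.

    // Triggered from Blade with only the record id as an argument:
    //   {{ ($this->processIdentityAction)(['hero' => $hero->id]) }}
    public function processIdentityAction(): Action
    {
        return Action::make('processIdentity')
            ->requiresConfirmation()
            ->action(function (array $arguments): void {
                // The id came from the client, so treat it as untrusted input.
                $hero = Hero::findOrFail((int) ($arguments['hero'] ?? 0));

                // Authorize against the loaded record, not against the argument
                // ('view' is an assumed policy ability).
                abort_unless(auth()->user()?->can('view', $hero) ?? false, 403);

                // The secret is read here, on the server, and is never placed
                // in the arguments or in a public property.
                $this->processSecret($hero, $hero->secret_identity);
            });
    }

    private function processSecret(Hero $hero, string $secret): void
    {
        // Placeholder for the backend work; log the record id, never the secret.
        Log::info('Processed identity', ['hero_id' => $hero->getKey()]);
    }

    public function render()
    {
        return view('livewire.hero-panel'); // assumed view name
    }
}
```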