Will mounting an action keep parameters from being seen by the world?

When mounting an action in Filament PHP, are the arguments exposed to the browser (and potentially visible to a user inspecting the data) or are they strictly processed on the backend, ensuring they are not publicly visible?
Source: https://github.com/filamentphp/filament/blob/e5778290382f0ba8e37657cf541884d2a2f2785b/packages/actions/src/Concerns/InteractsWithActions.php#L159
This is the method in question:
    public function mountAction(string $name, array $arguments = []): mixed
Example of a call that I'd like to keep the data private on:
    $this->mountAction('mySuperDuperAction', [
        'first_name' => 'Clark',
        'last_name' => 'Kent',
        'secret_identity' => 'Superman',
        'social_security_number' => 'krypton-123-4567',
        'secret_crush' => 'Lex Luthor',
    ]);
10 Replies
awcodes (4mo ago)
Do you need the data on the front end? If you do then there’s not much you can do about it.
BuddhaNature (OP, 4mo ago)
I don't need the data on the front end. I just need it to process some stuff on the backend.
awcodes (4mo ago)
Ok. So then just don’t include the data in the arguments. Instead make the arguments something like an id that could be used in the ->action() callback to get the data again if you need it for further processing. But, to answer your question. Anything included in the livewire properties will be exposed on the front end. But there are ways to prevent that. Check the livewire docs.
awcodes (4mo ago)
Link preview: Properties | Laravel. A full-stack framework for Laravel that takes the pain out of building dynamic UIs.
BuddhaNature (OP, 4mo ago)
Is $this->mountedActionsArguments the best way to get that data or is there a better way?
awcodes (4mo ago)
It will work, just don’t pass arguments / data you don’t want exposed.
BuddhaNature (OP, 4mo ago)
So if I wanted something secret (e.g., Clark's secret identity), the ideal way is to add the #[Locked] attribute? Oh, wait. That seems like it prevents it from being manipulated, but is still exposed.
awcodes (4mo ago)
Yes, but actions themselves aren’t livewire components. So they will only expose what you provide to them. But an action can have a view that is a livewire component. So, it really depends on exactly what you are trying to accomplish and how you are accomplishing it.
BuddhaNature (OP, 4mo ago)
Thank you so much for this conversation. It's really helpful. As a follow up, would encrypting data be considered a bad practice? For example, if I want to pass Superman's secret identity as a public variable, but encrypt it when I call the action and then subsequently decrypt it when I need it?
    Action::make($this->name)
        // Other stuff
        ->action(function () {
            $this->secretIdentity = Crypt::encryptString('Clark Kent');
            $this->mountAction('kryptonAction');
        })
I posed this question to Chat GPT out of curiosity, and it responded as follows:
2. Use Laravel's Encryption for Sensitive Data
If you must send some sensitive data from the client to the server, you can encrypt it using Laravel's encryption facilities (Crypt facade). Here's how you can do that:
- Before passing the argument, encrypt it on the server:
    use Illuminate\Support\Facades\Crypt;

    $encryptedData = Crypt::encrypt($sensitiveData);
    $this->mountAction('someAction', ['encryptedData' => $encryptedData]);
- In your action handler, decrypt the data:
    public function someAction($encryptedData)
    {
        $sensitiveData = Crypt::decrypt($encryptedData);
    }
awcodes (4mo ago)
I think you’re missing the point. If you don’t actually need the data on the frontend then don’t send it. It’s as simple as that. If you do actually need it then the authenticated and authorized user has access to view it so it doesn’t matter. I think you need to take a step back and evaluate the goal of what you are trying to accomplish.
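The approach awcodes describes in this thread (pass only an identifier as the argument and re-load the data inside the ->action() callback), as an added example that is not code from the thread or from Filament itself. It assumes a Filament v3 Livewire component; the Person model and its policy, the IdentityProcessor service, the openFor() method and the view name are hypothetical.

```php
<?php
namespace App\Livewire;

use App\Models\Person;               // hypothetical model with the sensitive columns
use App\Services\IdentityProcessor;  // hypothetical backend service
use Filament\Actions\Action;
use Filament\Actions\Concerns\InteractsWithActions;
use Filament\Actions\Contracts\HasActions;
use Filament\Forms\Concerns\InteractsWithForms;
use Filament\Forms\Contracts\HasForms;
use Filament\Notifications\Notification;
use Illuminate\Support\Facades\Gate;
use Livewire\Component;

class ManagePeople extends Component implements HasActions, HasForms
{
    use InteractsWithActions;
    use InteractsWithForms;

    // Hypothetical entry point: only the record id goes into the arguments,
    // so the id is the only value that can reach the browser through them.
    public function openFor(int $personId): void
    {
        $this->mountAction('mySuperDuperAction', ['person_id' => $personId]);
    }

    public function mySuperDuperAction(): Action
    {
        return Action::make('mySuperDuperAction')
            ->requiresConfirmation()
            ->action(function (array $arguments): void {
                // The id has been through the browser, so treat it as untrusted:
                // re-load the record and authorize the current user against it.
                $person = Person::findOrFail((int) ($arguments['person_id'] ?? 0));
                Gate::authorize('update', $person); // assumes a policy for Person
                // Sensitive columns are read here, on the server, and never
                // assigned to a public property or passed as an argument.
                app(IdentityProcessor::class)->handle($person);
                // Only non-sensitive text goes back to the user.
                Notification::make()->title('Processed')->success()->send();
            });
    }

    public function render()
    {
        // Assumed view; it must include <x-filament-actions::modals />.
        return view('livewire.manage-people');
    }
}
```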