ChrisThornham
RPC "use server" and CSRF Attacks
I’m looking to better understand the CSRF risks associated with SolidStart, specifically regarding the use of RPC calls with the
"use server" function.
In Next.js, when I process a form with server actions, the risk of CSRF attacks is significantly reduced for a few reasons:
1. Server actions are limited to POST requests.
2. Modern browsers enforce Same-Site cookies by default, which helps mitigate CSRF vulnerabilities.
3. I can further enhance security by ensuring that all cookies have the SameSite=Strict, HttpOnly, and Secure settings.
With SolidStart, using "use server" means I’m making an RPC call to that function. It's my understanding that RPC calls use HTTP POST to invoke specific server-side functions by name.
Given this, I believe the same three points regarding CSRF risk reduction should apply to SolidStart as well.
Am I correct in my understanding? If not, what potential CSRF risks should I be aware of when using RPC calls in SolidStart?
Thank you!
Chris5 replies
SRR And Web Crawlers. Help Me Understand
I just released a new business that has more than 150 pages of docs. I custom-coded the entire site and docs section using SolidStart. I have SSR turned on.
Here's my issue. Crawlers aren't finding my pages. I'll give two examples.
1. Algolia just added a crawler to my site. Their crawler only found 2 pages, not 150.
2. I tried to use a sitemap generator. Same problem. It only found 2 or 3 pages.
Can anyone help me understand why crawlers aren't finding my pages and how I can fix this?
Either I screwed something up, or I fundamentally don't understand how this works.
My site address is: https://www.quickstartjs.com
Thanks!
Chris
5 replies
Can I Pass `createAsync()` a Signal?
I'm building an analytics dashboard with the Plausible API.
Their API let's you set the time period for the data you're requesting by appending a period value to your URL string like
I want to dynamically change this period value when clicking buttons (e.g., "12mo", "month", "7day", etc). So my server function looks like this: Here's my question. I'm using
&period=6m0.I want to dynamically change this period value when clicking buttons (e.g., "12mo", "month", "7day", etc). So my server function looks like this: Here's my question. I'm using
cache, createAsync() , and the load() function to render the initial data for the page. I'm setting a hard coded value for the first load. But after that I want to let users change the time period by clicking buttons.
I've pasted my design pattern below. Is it a good pattern? I asking because I periodically get a page flicker or refresh when I click the buttons and I can't figure out why.
Thank you!15 replies
Unexpected SolidStart Behavior On Vercel. Can You Help?
I have an
AuthContextProvider that works on npm run dev but doesn't work on Vercel. I'm lost. Any help would be appreciated.
Here's the flow:
1. I'm using a Solid store (createStore) to store auth state.
2. When the auth state changes, I update the Solid store.
3. If a user is authenticated AND they are on a page that has /auth in the pathname, I redirect the user to the app dashboard. This prevents authenticated users from accessing sign-in or sign-up pages.
Everything works as expected when running npm run dev. When a user signs in on the /auth/sign-in page:
1. An auth state change occurs.
2. I set isAuthenticated to true
3. Then, I redirect the user to the app dashboard.
After deploying to Vercel, the redirect stopped working. After signing in, the app stays on the /auth/sign-in page.
I added a console.log to check both conditions, and both are true, but the redirect doesn't work.
If I refresh my browser, the redirect occurs.
Why is this happening? Does it have something to do with caching at Vercel?
I'm using the latest version of SolidStart in SSR mode.
Here's the code.
5 replies
How Can I Generate A Sitemap?
I'm days away from releasing an SSR SolidStart project that has 150+ pages. I was hoping to dynamically create a sitemap, but I'm not having much luck.
I tried this: https://github.com/jbaubree/vite-plugin-pages-sitemap
Unfortunately, the docs weren't super clear. I configured all of the settings (shown below), but I couldn't figure out how to generate the actual sitemap.
If anyone has an easy solution for creating a sitemap, I'm all ears.
Thanks!
3 replies
Environment Variables Missing `npm run start`
All of my environment variables are missing or undefined after running
npm run build and npm run start.
npm run dev works as expected.
Does the build have access to the .env file at the root of the project? If not, how do I access them in the build?12 replies
<A> Component: #id Breaking Link
I'm building a docs page for a project I'm working on.
If I create a link with a fragement id pointed to a div on the same page, everything works as expected. The page scrolls to the element with the appropriate id.
But, if I link to another page, nothing happens. I click the link and it doesn't navigate.
Is there an easy fix for this?
4 replies
Can The load() Function Access Secure Values?
If I want to take advantage of load on hover when using a url Param, I can use the following pattern.
Pass the param
Then in the component
But what if I need to pass
getOrder() something secure like a userId or a jwt?
Is there a way that I can pass a secure value to the load function without exposing it?15 replies
Help Me Understand "use server" Security
I'm new to this topic. So please excuse me if my questions if they're obvious or don't sound well thought out. I'm simply trying to learn.
Let's assume I have an app dashboard. When a user visits that dashboard, I run a createEffect() to check their access status.
Inside that "client-side"
createEffect() I call a server function getUserRecord()
Here's a simplified example to show logic.
Here's the getUserRecord() function:
For context, here's the getSupabaseAdminClient() function:
50 replies
<Title> Component Throwing Error. Can you help?
I built an SEO component that simplifies adding SEO to pages.
Unfortunately, I'm now getting the following error on every page:
"seo.tsx:20 computations created outside a
createRoot or render will never be disposed"
The <Title> component is causing the error.
Why?
Here's the full component for context:
7 replies
Is My Understanding Of RouteSectionProps Correct?
I’ve been trying to implement the
cache, load, and createAsync pattern on all of my pages that load data.
My goal is to load data on hover before navigating to the page.
When the cache function does not need a route parameter, this pattern works as expected.
BUT, I struggled to get this pattern working when I needed to pass my cache function a route param.
After reading through the docs, I "thought" that I should use the useParams() primitive to get the route params, then pass that route param to the function inside of createAsync().
That didn't work.
I dug through the HackerNews example and noticed the use of RouteSectionProps.
With RouteSectionProps it does work.
So... I want to make sure I understand WHY these two examples differ.
When using useParams() I'm guessing that you only get access to the route params AFTER the component loads... meaning the params aren't available on hover.
But, when using RouteSectionProps it appears that you get access to the route params BEFORE the component loads... which is why load on hover works.
Am I correct?
Here's my final implementation.
10 replies
Help Me Solve "undefined" warning When Using <Show> Component
I'm using
createAsync() to get and order record.
order has the following type:
const order: Accessor<Order | undefined>
Because order could be undefined, I must check for that in my jsx.
I'm trying to do that with <Show when={order()}>
I thought adding the when={order()} would return false if order() was undefined, and satisfy typescript, but typescript is still complaining with this message:
So, how can I get rid of this "undefined" error?
I'm trying to do this "the solid way," and I can't figure it out.
I get the undefined error when trying to pass the order to a component like this:
<OrderTable order={order} />
Here's the full component for context.
3 replies
What Replaced createRouteData?
In older version of SolidStart you could get all routes in a folder. This was useful for doing things like getting all blog articles. It worked like this:
But createRouteData no longer exists in the latest version of SolidStart. How could I do the same thing with the newest version of SolidStart?
Thanks,
Chris
5 replies
Is It Possible To Pass An Extra Parameter To A Form Action?
I'm trying to do this:
Here's the action:
I keep getting the following errors on the "action" of the form:
Type 'Action<[userId: string], void>' is not assignable to type 'string | SerializableAttributeValue | undefined'.ts(2322)
The expected type comes from property 'action' which is declared here on type 'FormHTMLAttributes<HTMLFormElement>'
(property) JSX.FormHTMLAttributes<HTMLFormElement>.action?: string | JSX.SerializableAttributeValue | undefined
5 replies
Trouble With onCleanup()
I'm building a checkout flow with Stripe's embedded checkout form. It works like this.
The user clicks a "Buy Now" button on a products page that navigates to a checkout page.
The checkout page:
- Gets the product ID and quantity from the search params.
- Gets the checkout form from stripe
- Mounts the checkout form.
This works the first time I click a buy now button.
BUT
If I click back to the products page and click another buy now button, the checkout form doesn't load.
I'm getting an error from Stripe:
"You cannot have multiple embedded checkout items."
So, how do I "clear" or unmount the checkout form when I click the back button? I want to start fresh each time I click a buy now button. My use of onCleanup (below) isn't working.
Here's my checkout page:
30 replies
How Do I Update The createAsync() Signal?
I've been trying to use
cache(), load(), and createAsync() because this pattern appears to be the preferred method for fetching data with SolidStart. Unfortunately, I can't figure out how to update the createAsync() signal.
When using createStore() you get access to a getter and a setter:
But when using createAsync() I only get access to a getter.
How can I update the getter "notes" when using createAsync()?33 replies
form action Breaking On Second Submit
To learn about actions, I built a simple notes app. The app displays a list of notes. When you click an edit button, the note text turns into a text input that can be edited. You can see what I'm describing in this code.
When you click save, the form calls the updateNote action.
The first time I perform an edit, the action works as expected. The edit is made and I stay on the same page.
But if I try to make a second edit, the browser navigates to an action URL like this
https://action/640465549 and the page shows a "This site can't be reached" message.
I've noticed the same error occurs if you forget to include method="post" in your form. But in this case, I definitely have method="post" in my form.
Does anyone know why this form is failing on the second submit?
Thanks,
Chris4 replies
revalidate() Not Working As Expected
I'm fetching data from Supabase and using their Realtime feature so I can see live updates.
To do that I'm using
cache(), createAsync(), and revalidate()
It looks like this:
cache function:
createAsync function:
Here's where I'm confused. revalidate() works no matter what value I pass it.
So all of these options will revalidate the notes Signal from createAsync.
1. revalidate()
2. revalidate("notes")
3. revalidate("some random string")
I only expected option #2 to work. What am I missing?
Thanks,
Chris10 replies
Help Me Stop Theme Flashing In SolidStart
I built a theme switcher using SolidStart. It works great, with one exception. On page reload, the theme flickers or flashes.
It's happening because I'm using SSR mode. As a result, my
ThemeProvider doesn't load the theme until the page loads.
I believe I need to check the theme on the server so I can set the theme before my page loads using something like https://github.com/donavon/use-dark-mode/blob/develop/noflash.js.txt.
Next.js has the next-themes package that does this for you. https://github.com/pacocoursey/next-themes
I'm wondering how I can do this? Can anyone point me in the right direction? Or share some example code?
I've pasted my ThemeProvider code in the next post:20 replies
Why Would I Use An Action For Anything Other Than Form Submissions?
I’m struggling to understand why I would use an action for anything other than handling a form submission.
Actions give you access to
FormData, which simplifies working with forms. So, I can see a clear use case with forms.
But why else would I use an action? Let me try to add some context to my confusion.
The solid docs give the following example.
I can use an action to do the following
BUT, I could also use a regular async function to achieve the same outcome in fewer lines of code.
Additionally, the docs say:
"after submitting data the server sends some data back as well. Usually an error message if something failed. Anything returned from your action function can be accessed using the reactive action.result property. "
BUT, I can also use a try/catch block in a regular async function to return an error message.
So, what's the point of actions outside of working with forms?
Am I missing something? Or are actions just an alternative way to do what regular async functions can do?
Thanks,
Chris22 replies