I have a server action that creates records in a Db and sends emails.
If its called directly it create records and send email etc.
Is there a way to stop the Server action file being called directly from the browser?
Is there an “Action” we can add in one of the steps to stop this?
Perhaps the question you want to ask is, how to restrict this Server Action to Admins?
the public page that uses the server action is not a restricted page, hence why I didn’t ask the question in that way. My understanding, unless I am wrong. If I restrict the server action then it can’t be called from a non-restricted page which is used by any users.
I don’t have any user authentication in this projects. It’s a simple form that creates DB records.
If I restricted the Server action, I won’t be able to use it without authentication on the App side
Your understanding is correct.
Well, you could change your Route to only accept POST requests.
This won’t stop malicious users from repeatedly performing the request over and over again, you probably want a captcha or rate limiting (don’t think Wappler supports this officially).
Thanks @Apple how do I change Route to only accept POST requests?
Also, is there maybe a way I can set a condition in the Server Action to continue if a parameter if met, or something along those lines?
You can use a Condition step, and if you want to abort you can use the Response step with an error code like 401 (Unauthorized) or 422 (Unprocessable content)
Or:
1 Like
@cpuser, I think I have managed to achieve what you want in a different way…
I have a public facing page with a group of related server actions. When a member of the public arrives at the page, they arrive with a specific code in the url, and I use this code as a method in one of the server actions to automatically take them through a login process that they don’t know they’ve been through…
After that, all the other server actions that do the kind of db/email actions you describe are protected by the Security Provider mechanism which the first server action created…
I hope that helps!
Antony.
Hi @Antony thank you for the details. Could your please kindly elaborate? It does sound very much like what I am trying to achieve. Can you give an example I can follow?
HI there @cpuser…
Yes, so I have a security provider which has username and password fields taken from the id and a longer random identifier (idr) fields respectively of a database table row.
When the page is accessed, I run a server action page_loaded which finds that database row from the idr value that was passed in the url, extracts the id value, and passes through a security provider using those two values as username and password.
The security provider passes back a unique identity which is then used in all the other database calls that I make.
I then use the same security provider and security restrict steps at the start of each of the other server actions which access the database and send emails.
The page_loaded server action also needs to check if you are logged in to the security provider at the start and log you out, so you know you are logged in for the correct idr credentials.
I hope that helps!
Antony.
1 Like