From 823e73b164eab4115af31b1de8e978f2b4e0a95d Mon Sep 17 00:00:00 2001 From: Emanuele Stoppa Date: Fri, 8 Nov 2024 15:55:53 +0000 Subject: [PATCH] fix(actions): better runtime check for invalid usages (#12402) --- .changeset/dull-lemons-check.md | 14 ++++++++++++++ packages/astro/src/actions/runtime/middleware.ts | 3 ++- packages/astro/src/actions/runtime/route.ts | 3 ++- packages/astro/src/actions/runtime/utils.ts | 7 +++++++ .../astro/src/actions/runtime/virtual/server.ts | 10 ++++++++-- packages/astro/src/actions/utils.ts | 3 ++- packages/astro/test/actions.test.js | 6 ++++++ .../test/fixtures/actions/src/pages/invalid.astro | 6 ++++++ 8 files changed, 47 insertions(+), 5 deletions(-) create mode 100644 .changeset/dull-lemons-check.md create mode 100644 packages/astro/test/fixtures/actions/src/pages/invalid.astro diff --git a/.changeset/dull-lemons-check.md b/.changeset/dull-lemons-check.md new file mode 100644 index 000000000000..c2c51c412088 --- /dev/null +++ b/.changeset/dull-lemons-check.md @@ -0,0 +1,14 @@ +--- +'astro': patch +--- + +Fixes a case where Astro allowed to call an action without using `Astro.callAction`. This is now invalid, and Astro will show a proper error. + +```diff +--- +import { actions } from "astro:actions"; + +-const result = actions.getUser({ userId: 123 }); ++const result = Astro.callAction(actions.getUser, { userId: 123 }); +--- +``` diff --git a/packages/astro/src/actions/runtime/middleware.ts b/packages/astro/src/actions/runtime/middleware.ts index 26966553149a..fdaac0b47785 100644 --- a/packages/astro/src/actions/runtime/middleware.ts +++ b/packages/astro/src/actions/runtime/middleware.ts @@ -3,7 +3,7 @@ import type { APIContext, MiddlewareNext } from '../../@types/astro.js'; import { defineMiddleware } from '../../core/middleware/index.js'; import { getOriginPathname } from '../../core/routing/rewrite.js'; import { ACTION_QUERY_PARAMS } from '../consts.js'; -import { formContentTypes, hasContentType } from './utils.js'; +import { ACTION_API_CONTEXT_SYMBOL, formContentTypes, hasContentType } from './utils.js'; import { getAction } from './virtual/get-action.js'; import { type SafeResult, @@ -100,6 +100,7 @@ async function handlePost({ formData = await request.clone().formData(); } const { getActionResult, callAction, props, redirect, ...actionAPIContext } = context; + Reflect.set(actionAPIContext, ACTION_API_CONTEXT_SYMBOL, true); const action = baseAction.bind(actionAPIContext); const actionResult = await action(formData); diff --git a/packages/astro/src/actions/runtime/route.ts b/packages/astro/src/actions/runtime/route.ts index 103936d72005..685025b19042 100644 --- a/packages/astro/src/actions/runtime/route.ts +++ b/packages/astro/src/actions/runtime/route.ts @@ -1,5 +1,5 @@ import type { APIRoute } from '../../@types/astro.js'; -import { formContentTypes, hasContentType } from './utils.js'; +import { ACTION_API_CONTEXT_SYMBOL, formContentTypes, hasContentType } from './utils.js'; import { getAction } from './virtual/get-action.js'; import { serializeActionResult } from './virtual/shared.js'; @@ -28,6 +28,7 @@ export const POST: APIRoute = async (context) => { return new Response(null, { status: 415 }); } const { getActionResult, callAction, props, redirect, ...actionAPIContext } = context; + Reflect.set(actionAPIContext, ACTION_API_CONTEXT_SYMBOL, true); const action = baseAction.bind(actionAPIContext); const result = await action(args); const serialized = serializeActionResult(result); diff --git a/packages/astro/src/actions/runtime/utils.ts b/packages/astro/src/actions/runtime/utils.ts index 84208c879d60..ed64ee812f2d 100644 --- a/packages/astro/src/actions/runtime/utils.ts +++ b/packages/astro/src/actions/runtime/utils.ts @@ -1,5 +1,7 @@ import type { APIContext } from '../../@types/astro.js'; +export const ACTION_API_CONTEXT_SYMBOL = Symbol.for('astro.actionAPIContext'); + export const formContentTypes = ['application/x-www-form-urlencoded', 'multipart/form-data']; export function hasContentType(contentType: string, expected: string[]) { @@ -26,3 +28,8 @@ export type MaybePromise = T | Promise; * `result.error.fields` will be typed with the `name` field. */ export type ErrorInferenceObject = Record; + +export function isActionAPIContext(ctx: ActionAPIContext): boolean { + const symbol = Reflect.get(ctx, ACTION_API_CONTEXT_SYMBOL); + return symbol === true; +} diff --git a/packages/astro/src/actions/runtime/virtual/server.ts b/packages/astro/src/actions/runtime/virtual/server.ts index 8e5e6bb4f1a5..01e8fbd86bfe 100644 --- a/packages/astro/src/actions/runtime/virtual/server.ts +++ b/packages/astro/src/actions/runtime/virtual/server.ts @@ -1,7 +1,12 @@ import { z } from 'zod'; import { ActionCalledFromServerError } from '../../../core/errors/errors-data.js'; import { AstroError } from '../../../core/errors/errors.js'; -import type { ActionAPIContext, ErrorInferenceObject, MaybePromise } from '../utils.js'; +import { + type ActionAPIContext, + type ErrorInferenceObject, + type MaybePromise, + isActionAPIContext, +} from '../utils.js'; import { ActionError, ActionInputError, type SafeResult, callSafely } from './shared.js'; export * from './shared.js'; @@ -60,7 +65,8 @@ export function defineAction< : getJsonServerHandler(handler, inputSchema); async function safeServerHandler(this: ActionAPIContext, unparsedInput: unknown) { - if (typeof this === 'function') { + // The ActionAPIContext should always contain the `params` property + if (typeof this === 'function' || !isActionAPIContext(this)) { throw new AstroError(ActionCalledFromServerError); } return callSafely(() => serverHandler(unparsedInput, this)); diff --git a/packages/astro/src/actions/utils.ts b/packages/astro/src/actions/utils.ts index 0e7c6fb62190..d8596a322930 100644 --- a/packages/astro/src/actions/utils.ts +++ b/packages/astro/src/actions/utils.ts @@ -2,7 +2,7 @@ import type fsMod from 'node:fs'; import * as eslexer from 'es-module-lexer'; import type { APIContext } from '../@types/astro.js'; import type { Locals } from './runtime/middleware.js'; -import type { ActionAPIContext } from './runtime/utils.js'; +import { ACTION_API_CONTEXT_SYMBOL, type ActionAPIContext } from './runtime/utils.js'; import { deserializeActionResult, getActionQueryString } from './runtime/virtual/shared.js'; export function hasActionPayload(locals: APIContext['locals']): locals is Locals { @@ -23,6 +23,7 @@ export function createGetActionResult(locals: APIContext['locals']): APIContext[ export function createCallAction(context: ActionAPIContext): APIContext['callAction'] { return (baseAction, input) => { + Reflect.set(context, ACTION_API_CONTEXT_SYMBOL, true); const action = baseAction.bind(context); return action(input) as any; }; diff --git a/packages/astro/test/actions.test.js b/packages/astro/test/actions.test.js index 0ed98db9357a..eed4d8734415 100644 --- a/packages/astro/test/actions.test.js +++ b/packages/astro/test/actions.test.js @@ -132,6 +132,12 @@ describe('Astro Actions', () => { assert.equal(data, 'Hello, ben!'); } }); + + it('Should fail when calling an action without using Astro.callAction', async () => { + const res = await fixture.fetch('/invalid/'); + const text = await res.text(); + assert.match(text, /ActionCalledFromServerError/); + }); }); describe('build', () => { diff --git a/packages/astro/test/fixtures/actions/src/pages/invalid.astro b/packages/astro/test/fixtures/actions/src/pages/invalid.astro new file mode 100644 index 000000000000..908eee853bd4 --- /dev/null +++ b/packages/astro/test/fixtures/actions/src/pages/invalid.astro @@ -0,0 +1,6 @@ +--- +import { actions } from "astro:actions"; + +// this is invalid, it should fail +const result = await actions.imageUploadInChunks(); +---