Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Docs: useFormState and sensitive data #63141

Open
nagman opened this issue Mar 11, 2024 · 2 comments
Open

Docs: useFormState and sensitive data #63141

nagman opened this issue Mar 11, 2024 · 2 comments
Labels
Documentation Related to Next.js' official documentation.

Comments

@nagman
Copy link

nagman commented Mar 11, 2024

What is the improvement or update you wish to see?

I would like to see an example on how to use useFormState along with sensitive data that must not be exposed on the client.

I've tried several solutions, and the only one that worked was defining the action in a closure in the parent server component, then pass the action to the child client component that uses useFormState:

// parent
async function ServerContactForm({recipients}: {recipients: string[]}) {
  async function handleSubmit(prevState: any, formData: FormData) {
    'use server';
    return submitContactForm(recipients, formData);
  }

  return (
    <ClientContactForm action={handleSubmit} />
  );
}

// child
'use client';

function ClientContactForm({action}: {
    action: (
      prevState: any,
      formData: FormData,
    ) => ReturnType<typeof submitContactForm>;
  }) {
  const [state, formAction] = useFormState(action, {});

  return (
    <form action={formAction}>
    // ...
    </form>
  );
}

The solution with .bind() in the parent component doesn't work as it exposes sensitive data in a <input type="hidden" />.
Neither does the solution where I pass the sensitive data to the client component.

We lack explanations on how it internally works because the behavior is quite unpredictable and I had to test several cases before finding one that does the job (and I hope it really hides my sensitive data because I can't know how it's processed under the hood).

It would be nice to have a real case example in the docs having:

  • a contact form
  • some sensitive data passed to the action
  • a loading state (this is really annoying to create children components just to call useFormStatus when all you want is just a simple CSS feedback on your form - can't the status be included in the useFormState hook?)
  • a feedback returned by the action and displayed along the contact form

That is, one must say, the most common use case for form actions.
Yet I struggle with it for hours.

Is there any context that might help us understand?

The docs explain how to use useFormState and how to pass actions into closures in order to hide sensitive data, but not how to use both together.

Does the docs page already exist? Please link to it.

https://nextjs.org/docs/app/building-your-application/data-fetching/server-actions-and-mutations#server-side-validation-and-error-handling
@nagman nagman added the Documentation Related to Next.js' official documentation. label Mar 11, 2024
@dawi
Copy link

dawi commented Mar 11, 2024

@nagman There is currently some discussion about useFormStatus.

But it seems that a new hook named useActionState is on its way: facebook/react#28491

@mrcaidev
Copy link

mrcaidev commented Apr 7, 2024

useActionState has been merged recently. Hope it can get shipped to Next.js soon, as it seems to be a total replacement of useFormState.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Documentation Related to Next.js' official documentation.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@dawi @nagman @mrcaidev