No safe working solution for NextJs. Documentation contains conflicting information.
Version I installed is @openpanel/nextjs v1.0.7
I think API always requires client id and secret according to https://openpanel.dev/docs/api/track#authentication, but in https://openpanel.dev/docs/sdks/nextjs#initialize doc says
clientSecret - The client secret of your application (only required for server-side events)
I understand the client secret should remain private. But how will the frontend send track events to api.openpanel.dev without the secret? At least I'm getting:
Ingestion: Invalid cors or secret
There is a solution with a proxy https://openpanel.dev/docs/sdks/nextjs#proxy-events, but it doesn't attach any client id or secret. Function createNextRouteHandler() doesn't accept client id or secret.
I created my own createNextRouteHandler proxy function that appends client id and secret
But now I'm getting another error:
Ingestion: Clean ID must be a valid UUIDv4
I couldn't find on your website, docs, or repository what it means. It looks like you don't have a safe out-of-the-box solution for NextJs that I can use on the frontend. The only way I found is to expose the secret to the client (frontend) and use it in OpenPanelComponent. Is it a safe solution?
Am I missing anything?
Might need to make this more clear, but let's try to explain this.
On frontend we use CORS headers to validate any incoming event. So we look at the origin of the request and see if it matches the CORS you have provided to OpenPanel (you find this setting in Settings -> Project & Clients, have attached a screenshot below).
So you should not need to provide any client secret if it's purely client code.
For backend we do not have any origin to rely on so here a secret is needed!
Explaining the errors:
Ingestion: Invalid cors or secret
I'm guessing your CORS settings do not match your origin.
Clean ID must be a valid UUIDv4
(should be Client ID and not Clean ID 😅) but I assume that we do not actually receive the client id or it's not your actual client id.
Hey! I created my project from scratch, and it is working now. Thank you! However, I notice that the default implementation proxies all headers, including cookies. Is it safe to proxy clients' cookies to OP servers?
And I have one more question about "identify" call behavior. Will Open Panel re-map track events fired before user login (before identify call)?
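On the cookie question above, one way a custom proxy route can forward only an explicit set of headers, shown as an added example that is not part of the thread or OpenPanel's own handler. `ALLOWED_HEADERS`, `buildUpstreamHeaders` and `proxyEvent` are hypothetical names, and the allowlist is an assumption based on the reply's statement that the origin of the request is what gets validated for client-side events.

```javascript
// Added example: forward an explicit allowlist of headers instead of all of them.
// ALLOWED_HEADERS is an assumption, not a list published by OpenPanel; extend it
// only with headers the ingestion API is documented to need.
const ALLOWED_HEADERS = ["content-type", "origin", "referer", "user-agent"];

// Copy only allowlisted headers. Cookie, Authorization and any other
// first-party credentials never reach the third-party host.
function buildUpstreamHeaders(incoming) {
  const out = new Headers();
  for (const name of ALLOWED_HEADERS) {
    const value = incoming.get(name);
    if (value !== null) out.set(name, value);
  }
  return out;
}

// Forward one tracking request. upstreamUrl and fetchImpl are parameters so the
// function can be exercised offline with a stub instead of a real network call.
async function proxyEvent(request, upstreamUrl, fetchImpl = fetch) {
  const body = await request.text();
  const upstream = await fetchImpl(upstreamUrl, {
    method: "POST",
    headers: buildUpstreamHeaders(request.headers),
    body,
  });
  const text = await upstream.text();
  // Relay status and body only, so an upstream Set-Cookie is not passed back
  // to the browser under the first-party domain.
  return new Response(text === "" ? null : text, {
    status: upstream.status,
    headers: {
      "content-type": upstream.headers.get("content-type") ?? "application/json",
    },
  });
}
```

In a Next.js route handler, `proxyEvent` would be called from the exported `POST` function with the incoming request and the ingestion URL.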