[🐞] server actions can't test in stackblitz.com
Which component is affected?
Starters / CLI
Describe the bug
Doing:
Trying to test the behaviour of server actions using Qwik Starters.
And run() the action when a button is clicked.
Expect: No problems happen.
Happening:
ErrorResponse: Cross-site POST form submissions are forbidden
at error (file:///home/projects/qwik-starter-3dlk16/node_modules/@builder.io/qwik-city/vite/index.cjs:24019:14)
at securityMiddleware (file:///home/projects/qwik-starter-3dlk16/node_modules/@builder.io/qwik-city/vite/index.cjs:23773:11)
at Object.next (file:///home/projects/qwik-starter-3dlk16/node_modules/@builder.io/qwik-city/vite/index.cjs:23918:22)
at runNext (file:///home/projects/qwik-starter-3dlk16/node_modules/@builder.io/qwik-city/vite/index.cjs:24150:21)
at runQwikCity (file:///home/projects/qwik-starter-3dlk16/node_modules/@builder.io/qwik-city/vite/index.cjs:24145:17)
at eval (file:///home/projects/qwik-starter-3dlk16/node_modules/@builder.io/qwik-city/vite/index.cjs:24546:45) {
status: 403
}
Reproduction
https://stackblitz.com/edit/qwik-starter-3dlk16?file=src/routes/index.tsx
Steps to reproduce
Go to the link above and click the button in the page.
System Info
System:
OS: Linux 5.0 undefined
CPU: (8) x64 Intel(R) Core(TM) i9-9880H CPU @ 2.30GHz
Memory: 0 Bytes / 0 Bytes
Shell: 1.0 - /bin/jsh
Binaries:
Node: 16.14.2 - /usr/local/bin/node
Yarn: 1.22.19 - /usr/local/bin/yarn
npm: 7.17.0 - /usr/local/bin/npm
npmPackages:
@builder.io/qwik: ^0.20.1 => 0.20.1
@builder.io/qwik-city: ^0.5.2 => 0.5.2
undici: ^5.16.0 => 5.20.0
Additional Information
No response
@manucorporat
I'm still getting the same error on [email protected] and [email protected]
Reproduction
I just forked the original Stackblitz linked above and upgraded the dependencies:
https://stackblitz.com/edit/qwik-starter-wc56yu?file=package.json
Clicking the button still fails with ErrorResponse: Cross-site POST form submissions are forbidden
I am experiencing this issue with RC1 as well. How do you call server$ in StackBlitz without the Cross-site error?
Header forwarding (like in railway), .env or vite.config.ts origin?
@mhevery / @manucorporat, it looks like a fix was made but not sure what needs to be done here.
@manucorporat not sure why you closed this issue, but I took the liberty of re-opening it.
Yes, this is an issue, but the issue is with StackBlitz, not Qwik. They are aware of the issue and looking into it.
So one thing in regards to this issue is that this check was added on the Qwik side. However, for me, the isDev is always false on StackBlitz.com. This flag comes from somewhere in the build process I assume but couldn't find out why it's false.
If this was fixed, another error pops up which is on our (StackBlitz) side in regards to transferring ReadableStream.
I have a similar issue here, just that mine is not server action. Mine is global & route action. I'm using "@builder.io/qwik": "^0.100.0", "@builder.io/qwik-city": "^0.100.0".
And it's not working locally, with no error response or anything. And on Stackblitz I'm getting ErrorResponse: Cross-site POST form submissions are forbidden
I found the issue with the isDev method. This only happens when the build uses the CJS bundles of Qwik.
The isDev constant is an IIFE, which means that isDev is set to whatever globalThis.qDev is at the point the function is invoked. Whenever this is invoked the very first time, globalThis.qDev always is undefined in case of CJS.
A little bit later, the code block that sets globalThis.qDev gets executed. But at that point in time, it's already too late as isDev is already evaluated and set to false.
As mentioned, this only happens with the CJS bundle of Qwik (which is what's being used on StackBlitz for some reason, have to find out why). Here's a screenshot showing the order of execution.

On local however, the build uses the ESM bundles. The order of execution is different.

So this is an issue with CJS, but maybe also an issue with StackBlitz because it should use the ESM bundles 🤔 .
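The evaluation-order problem described in the comment above, as an added example that is not Qwik's source and not part of the original thread. It assumes the dev flag relaxes the cross-site form POST check, as the discussion implies; `loadModuleEager`, `loadModuleLazy`, `checkFormPost` and `simulate` are hypothetical names, and the request is constructed sample data.

```javascript
// Eager form: the IIFE runs once, at module load, and freezes whatever
// g.qDev was at that instant (g is a stand-in for globalThis).
function loadModuleEager(g) {
  const isDev = (() => g.qDev === true)();
  return { isDev: () => isDev };
}

// Lazy form: the flag is read each time it is needed, so load order is irrelevant.
function loadModuleLazy(g) {
  return { isDev: () => g.qDev === true };
}

const FORM_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Simplified stand-in for the cross-site check: a form POST whose Origin header
// differs from the request URL's origin is rejected unless dev mode is on (assumption).
function checkFormPost(req, mod) {
  const crossSite = req.origin !== req.urlOrigin;
  if (req.method === 'POST' && FORM_TYPES.has(req.contentType) && crossSite && !mod.isDev()) {
    return 403; // "Cross-site POST form submissions are forbidden"
  }
  return 200;
}

// setFlagFirst = true  models the ESM order: qDev is set before the module body runs.
// setFlagFirst = false models the CJS order: the IIFE has already run when qDev is set.
function simulate(loader, setFlagFirst) {
  const g = {};
  if (setFlagFirst) g.qDev = true;
  const mod = loader(g);
  if (!setFlagFirst) g.qDev = true;
  const req = { // constructed request: preview origin differs from the dev server origin
    method: 'POST',
    contentType: 'application/x-www-form-urlencoded',
    origin: 'https://preview.example',
    urlOrigin: 'http://localhost:5173',
  };
  return checkFormPost(req, mod);
}

console.log('eager, CJS order:', simulate(loadModuleEager, false));
console.log('eager, ESM order:', simulate(loadModuleEager, true));
console.log('lazy,  CJS order:', simulate(loadModuleLazy, false));
```

In this model the stale flag fails closed: the check stays enforced when the flag is read too early, which is why the symptom is a 403 rather than a silently skipped check.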
seems fixed by https://github.com/QwikDev/qwik/pull/3848