solidjs
[Feature?]: mark module or variable as secret to stop being bundled into client
Duplicates
- [X] I have searched the existing issues
Latest version
- [X] I have tested the latest version
Summary 💡
I'd like a way to mark a variable (e.g. by a macro) or a module (e.g. by a naming convention) as server only (secret). The macro should fail at build time and print the source location of where the variable was mistakenly used. The naming convention should fail at build time and print the source location of the mistaken import statement.
Examples 🌈
const prisma = new PrismaClient
async function getUserByToken(token: string): User {
// code that uses `prisma` variable
}
export default () => {
if (isServer) {
// ...
} else {
const token = getToken(document.cookie)
// didn't notice that forgot to create a `server$()` wrapper for `getUserByToken()`
// this may also leak `datasource` `url` in prisma schema which may contain a password
const user = await getUserByToken(token)
}
return <>{/* ... */}</>
}
Motivation 🔦
With collocation I have accidentally bundled in server only code into the client and created hard to track down errors twice now. I've searched the issues and the community discord server and created a post in the support channel but have found no answers. If this already exists then instead this issue should probably be about documenting this feature on the docs. Some leaks may be subtle enough that they aren't noticed during dev so these 2 incident are just ones that I noticed because they create errors on the client at dev.
This is a constant problem for me. It is super difficult to ensure no server code gets included and when it happens it’s super difficult to track down where the error comes from.
I’m also concerned about accidentally leaking secrets as there is no indication of anything being wrong if the server code in question doesn’t access anything that the build tooling isn’t able to build into the client bundle
