Assets imported from `/lib/server` for `$app/server`'s `read` are public in Vercel

Open giacomoran opened this issue 1 year ago • 0 comments

Describe the bug

Assets imported with the server-only read utility from $app/server are placed in the .vercel/output/static folder, which is publicly accessible in Vercel deployments (Vercel docs). This happens even if the assets are located in src/lib/server.

After reading the Server-only modules and Vercel docs, I expected the assets to be accessible only server-side.

Some possible solutions are:

  • Mentioning the gotcha in the documentation
  • Placing the assets in the .vercel/output/functions folder, which can safely contain private files

My use case is to load a file, which contains encrypted secrets, with dotenvx, when the serverless function starts. Even if the secrets are encrypted, I don't want the file to be publicly accessible. The current workaround is to manually copy the file into the Vercel output after the build completes, which is not ideal. Related dotenvx issue: https://github.com/dotenvx/dotenvx/issues/301.

Reproduction

Repro: https://github.com/giacomoran/sveltekit-server-only-assets

How I prepared the repro:

  • Start from SvelteKit skeleton project
  • Replace adapter-auto with adapter-vercel
  • Create src/lib/server/foo.txt
  • Configure Vite build.assetsInlineLimit to ignore src/lib/server/foo.txt
  • Create an endpoint which imports the file with `import fileFoo from '$lib/server/foo.txt'` and reads its content with `await read(fileFoo).text()`

Inspect the output after running `npm run build`; copies of foo.txt are found in:

  • .svelte-kit/output/server/_app/immutable/assets/foo.B7qnBFgS.txt
  • .svelte-kit/output/client/_app/immutable/assets/foo.B7qnBFgS.txt
  • .vercel/output/functions/fn.func/_app/immutable/assets/foo.B7qnBFgS.txt
  • .vercel/output/static/_app/immutable/assets/foo.B7qnBFgS.txt

The file .vercel/output/static/_app/immutable/assets/foo.B7qnBFgS.txt is publicly accessible.

Logs

No response

System Info

System:
    OS: macOS 14.6.1
    CPU: (12) arm64 Apple M2 Max
    Memory: 15.32 GB / 96.00 GB
    Shell: 3.7.1 - /opt/homebrew/bin/fish
  Binaries:
    Node: 20.12.2 - ~/.asdf/installs/nodejs/20.12.2/bin/node
    Yarn: 1.22.22 - ~/.asdf/installs/nodejs/20.12.2/bin/yarn
    npm: 10.8.2 - ~/.asdf/plugins/nodejs/shims/npm
    pnpm: 9.5.0 - ~/.asdf/installs/nodejs/20.12.2/bin/pnpm
  Browsers:
    Chrome: 127.0.6533.120
    Edge: 127.0.2651.105
    Safari: 17.6
  npmPackages:
    @sveltejs/adapter-auto: ^3.0.0 => 3.2.4
    @sveltejs/adapter-vercel: ^5.4.3 => 5.4.3
    @sveltejs/kit: ^2.0.0 => 2.5.22
    @sveltejs/vite-plugin-svelte: ^3.0.0 => 3.1.1
    svelte: ^4.2.7 => 4.2.18
    vite: ^5.0.3 => 5.4.1

Severity

serious, but I can work around it

Additional Information

No response

giacomoran · Aug 18 '24 20:08