Server Action Auth

Server actions with mutations but no auth check

critical · security · server-action-auth

Why this matters

Every server action is exposed as a public HTTP endpoint: the client invokes it with a POST request carrying the action's ID, so anyone who knows or discovers that ID can call it directly with curl, with no form, button or login page involved. Without an auth check inside the action itself, an unauthenticated request mutates your database exactly as a logged-in user's would. Hiding the button in the UI, or checking the session in a layout or client component, does not protect this path.

Bad
"use server";

import { db } from "@/lib/db";

// Anyone who can reach this endpoint can delete any post: no session check,
// and the where clause does not tie the row to the caller.
export async function deletePost(id: string) {
  await db.post.delete({ where: { id } });
}
Good
"use server";

import { auth } from "@/lib/auth";
import { db } from "@/lib/db";

export async function deletePost(id: string) {
  // Authentication: reject the request before touching the database.
  const session = await auth();
  if (!session?.user) throw new Error("Unauthorized");

  // Authorization: scope the delete to rows the caller owns, so a valid
  // session cannot be used to delete someone else's post.
  await db.post.delete({
    where: { id, authorId: session.user.id },
  });
}

How to fix

Check the user's session at the top of every server action that reads or writes data, and do it inside the action, not in the page that renders the form. Then scope every mutation to the authenticated user's own resources by including the user's id in the where clause, so a request for a row the caller does not own matches nothing instead of succeeding. Both checks are needed: the session check handles unauthenticated callers, the ownership scope handles authenticated callers targeting other users' data.
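One way to make the check hard to forget is to wrap every action in a guard that performs the session check and passes the verified user id into the action, so the action body never sees a request without one. The following is an added example, not code from the original page or from any project; `auth()`, `setSession()`, `posts` and `deleteWhere()` are hypothetical in-memory stand-ins for a real auth library and ORM so that the block runs offline, and the sample rows are constructed for the demonstration. The `scenario()` function exercises the three cases the rule cares about: no session, a session that does not own the row, and the owner.

```typescript
// Added example: an auth guard for server actions plus an ownership-scoped
// delete, with hypothetical in-memory stand-ins for the session and database.

type Session = { user: { id: string } } | null;
type Post = { id: string; authorId: string };

// Hypothetical stand-in for the auth library: the "current request" session
// is set explicitly by the caller instead of being read from cookies.
let currentSession: Session = null;
export function setSession(s: Session): void {
  currentSession = s;
}
export async function auth(): Promise<Session> {
  return currentSession;
}

// Constructed sample rows standing in for the posts table.
export const posts: Post[] = [
  { id: "p1", authorId: "alice" },
  { id: "p2", authorId: "bob" },
];

// Hypothetical ORM shim: delete every row matching all fields in `where`
// and return the number removed. A non-owner's request matches no rows.
function deleteWhere(where: Partial<Post>): number {
  const keys = Object.keys(where) as (keyof Post)[];
  let removed = 0;
  for (let i = posts.length - 1; i >= 0; i--) {
    if (keys.every((k) => posts[i][k] === where[k])) {
      posts.splice(i, 1);
      removed++;
    }
  }
  return removed;
}

// withAuth wraps an action so the session check runs before any argument
// is looked at; the wrapped body only ever receives a verified user id.
export function withAuth<A extends unknown[], R>(
  action: (userId: string, ...args: A) => Promise<R>,
): (...args: A) => Promise<R> {
  return async (...args: A) => {
    const session = await auth();
    if (!session?.user) throw new Error("Unauthorized");
    return action(session.user.id, ...args);
  };
}

// The guarded action: authentication via withAuth, authorization via the
// authorId scope in the where clause.
export const deletePost = withAuth(async (userId: string, id: string) => {
  return deleteWhere({ id, authorId: userId });
});

// Walk through the three cases and return what happened in each.
export async function scenario() {
  setSession(null);
  let unauthenticated = "no error";
  try {
    await deletePost("p1");
  } catch (e) {
    unauthenticated = (e as Error).message;
  }

  setSession({ user: { id: "bob" } });
  const nonOwnerDeleted = await deletePost("p1"); // alice's post: 0 rows

  setSession({ user: { id: "alice" } });
  const ownerDeleted = await deletePost("p1"); // 1 row

  return {
    unauthenticated,
    nonOwnerDeleted,
    ownerDeleted,
    remaining: posts.map((p) => p.id),
  };
}
```

In a real application the guard would live in a shared module and the action file would keep its "use server" directive; whether a framework accepts a wrapped async function as an exported action is an assumption to verify against its current rules for server action modules. The point of the wrapper is that an action without a session check cannot be written by accident, while the ownership scope still has to be supplied per query.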
