Theo's Typesafe Cult (TTC), posted 3y ago, 2 replies
Paul

Server Actions: Do you need to validate the session when calling Server Actions?

1) When using server actions, there's no need to use CSRF tokens anymore, right? Since no external party can call your server action, it saves this whole step and complication, right?

2) When using server actions, if I am storing my sessions in a database, do I still need to check if the user has an active session on every server action mutation? In the past you would need to, since anyone can POST to your route. But now with server actions... only you can call a function on your server, right? Therefore, there's no need to validate any database-changing function calls in the server action, right?

Or is that wrong, because someone can manipulate the JavaScript on the client side to still call the server action?

If it still requires validation, I guess it would be a good idea to create a middleware-like server action that validates the user or throws before any mutation right?
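The "middleware-like" wrapper asked about above, as an added example that is not from this thread or from Next.js itself. A Server Action is exposed by the framework as a POST endpoint that any HTTP client can call with the action's identifier and arbitrary arguments, so the client-side JavaScript is not the gate; the session check and the ownership check have to run inside every mutation. The wrapper below makes that check impossible to forget: it is framework-independent so it runs stand-alone, with a constructed in-memory session table and a constructed `request` object standing in for the session cookie (in a Next.js app you would read the cookie with `cookies()` from `next/headers` and query your real sessions table). All names (`withSession`, `lookupSession`, `deletePostAction`, the session and post ids) are illustrative.

```typescript
// Added example: a session-validating wrapper for server-side mutations
// such as Next.js Server Actions. Everything here is constructed for the
// demonstration; nothing is the framework's own code.

export type Session = { userId: string; expiresAt: number };

export class UnauthorizedError extends Error {}
export class ForbiddenError extends Error {}

// Constructed stand-in for the sessions table in the database.
export const sessionStore = new Map<string, Session>([
  ["sess-valid", { userId: "user-42", expiresAt: Number.MAX_SAFE_INTEGER }],
  ["sess-expired", { userId: "user-7", expiresAt: 0 }],
]);

// Constructed posts table; each post records its owner.
export const posts = new Map<string, { ownerId: string }>([
  ["post-1", { ownerId: "user-42" }],
  ["post-2", { ownerId: "user-7" }],
]);

// Constructed stand-in for the incoming request's session cookie.
// In Next.js this value would come from cookies() in next/headers.
export const request: { sessionId: string | undefined } = { sessionId: "sess-valid" };
export const readSessionCookie = (): string | undefined => request.sessionId;

// Resolve a session id to an active session; missing, unknown and expired
// sessions all yield null so the caller has a single thing to check.
export function lookupSession(sessionId: string | undefined, now: number = Date.now()): Session | null {
  if (!sessionId) return null;
  const session = sessionStore.get(sessionId);
  if (!session || session.expiresAt <= now) return null;
  return session;
}

// Higher-order wrapper: every action built with it validates the session
// before the action body runs and hands the body the trusted session.
export function withSession<Args extends unknown[], R>(
  getSessionId: () => string | undefined,
  action: (session: Session, ...args: Args) => R,
): (...args: Args) => R {
  return (...args: Args): R => {
    const session = lookupSession(getSessionId());
    if (!session) throw new UnauthorizedError("no active session");
    return action(session, ...args);
  };
}

// The mutation itself. The acting user comes from the server-side session,
// never from a client-supplied argument, and ownership is checked here
// because the caller can pass any postId it likes.
export function deletePostAction(session: Session, postId: string): boolean {
  const post = posts.get(postId);
  if (!post) return false;
  if (post.ownerId !== session.userId) throw new ForbiddenError("not the owner of this post");
  return posts.delete(postId);
}

// The wrapped action that the client would invoke.
export const deletePost = withSession(readSessionCookie, deletePostAction);
```

The design point is that authorization lives in the action, not in the UI: hiding a button or stripping a call from the client bundle changes nothing about what the endpoint accepts. The framework's own Origin/Host comparison only addresses cross-site form posts; it says nothing about whether the caller has a valid session or owns the record being changed.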