TanStack, 6mo ago
deep-jade

Safe to use? (Not leaking credentials to client)

Hi, I plan to use nodemailer to send email, using ServerFunctions. Is it safe to have it set up like this:
// get the smtp credentials from the environment variables
const smtpCredentials = {
  host: process.env.SMTP_HOST!,
  port: parseInt(process.env.SMTP_PORT!),
  auth: {
    user: process.env.SMTP_USER!,
    pass: process.env.SMTP_PASSWORD!,
  },
};

// create a transporter object using the default SMTP transport
const transporter = nodemailer.createTransport(smtpCredentials);

export const sendEmail = createServerFn({
  method: "POST",
})
  .validator((data: { to: string; subject: string; text: string }) => {
    if (!data.to || !data.subject || !data.text) {
      throw new Error("Missing required fields");
    }
    return data;
  })
  .handler(async (ctx) => {
    const { to, subject, text } = ctx.data;
    console.log(`Sending email to ${to} with subject ${subject} and text ${text}`);
    const mailOptions = {
      from: `${process.env.SMTP_SENDER_NAME} <${process.env.SMTP_USER}>`,
      ....
Since the creds and transporter are not in the ServerFn
4 Replies
flat-fuchsia, 6mo ago
If you only reference them from the server function, they will not leak into the client. However, be sure not to export them, as that might prevent the compiler from eliminating
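A build-time check for the behaviour described in this reply, as an added example that is not part of the thread or of TanStack's code: it scans client bundle text for the environment variable names from the question, for their values, and for `createTransport`. The function names, sample chunks, remote-call stub and sample secret are constructed; in a real project the `files` map would hold the contents of the client output directory.

```javascript
// Added example: flag server-only material in client build output.
// Identifier names come from the snippet in the question; everything else
// (function names, sample files, sample secret) is constructed.
const SERVER_ONLY_NAMES = ["SMTP_HOST", "SMTP_PORT", "SMTP_USER", "SMTP_PASSWORD"];
const SERVER_ONLY_CALLS = ["createTransport"];
const MIN_VALUE_LENGTH = 6; // skip short values such as a port number

// files: { "relative/path.js": "file contents" } for the client bundle only.
// env: the environment the build ran with (defaults to process.env).
function findLeaks(files, env = process.env) {
  const findings = [];
  for (const [file, text] of Object.entries(files)) {
    for (const name of SERVER_ONLY_NAMES) {
      if (text.includes(name)) findings.push({ file, kind: "env-name", name });
      const value = env[name];
      if (value && value.length >= MIN_VALUE_LENGTH && text.includes(value)) {
        // Report the variable name only, never the secret itself.
        findings.push({ file, kind: "env-value", name });
      }
    }
    for (const name of SERVER_ONLY_CALLS) {
      if (text.includes(name)) findings.push({ file, kind: "server-call", name });
    }
  }
  return findings;
}

// Constructed, simplified stand-ins for two client chunks.
const sampleEnv = {
  SMTP_USER: "mailer@example.test",
  SMTP_PASSWORD: "constructed-secret-123",
  SMTP_PORT: "587",
};
// Handler body replaced by a hypothetical remote-call stub: nothing to flag.
const cleanChunk = {
  "assets/send-email.js": 'const sendEmail = callServer("sendEmail", { method: "POST" });',
};
// Credentials object exported and kept, with env values inlined at build time.
const leakyChunk = {
  "assets/send-email.js":
    "export const smtpCredentials = { host: process.env.SMTP_HOST, " +
    'auth: { user: "mailer@example.test", pass: "constructed-secret-123" } };' +
    "const transporter = nodemailer.createTransport(smtpCredentials);",
};

function runDemo() {
  return { clean: findLeaks(cleanChunk, sampleEnv), leaky: findLeaks(leakyChunk, sampleEnv) };
}
console.log(JSON.stringify(runDemo(), null, 2));
```

Failing the build when `findLeaks` returns anything for the client output turns the "don't export them" advice into an enforced check.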
deep-jade (OP), 6mo ago
They should stay in the file, thank you for the quick response!
other-emerald, 6mo ago
I haven’t tried it yet but have seen this referenced in other discussions. https://www.npmjs.com/package/vite-env-only
npm
vite-env-only
Vite plugins for isolating server-only and client-only code. Latest version: 3.0.3, last published: 9 months ago. Start using vite-env-only in your project by running npm i vite-env-only. There are 14 other projects in the npm registry using vite-env-only.
deep-jade (OP), 6mo ago
Will check it out, thank you!