MSmith

Reputation: 59

Next.js server action security for unauthenticated users?

I have a server action that just takes a string input and saves it to the DB.

export async function saveMessageAction(message: string) {
    'use server';

    // verify string checks, header origin check, rate limiter based on IP address

    await db.insert(table_name).values({ message: message })
}

Unauthenticated users can interact with this server action through my next.js website with a simple onClick button function.

const saveMessage = async () => {
    setLoading(true)
    await saveMessageAction(inputText)
}

My problem is that this POST request can easily be copied with external tools (Postman, curl, etc.), allowing external users to save data to the DB. People can make scripts to spam the DB, causing all types of problems.

I have tried to introduce security measures such as checking the origin header on the request, but this can easily be spoofed. From what I understand, server actions already prevent most CSRF vulnerabilities due to the same-site cookie. Blocking external request IP addresses can also be done, but those users can quickly change IP addresses, restarting the problem.

What other security measures could I take to ensure only unauthenticated users from my website invoke the server action and stop all external requests?

Authentication cannot be done, as the point of the website is to allow unauthenticated users to post messages.

This is a Next.js (14) project hosted on Vercel and uses Supabase as a back-end, if that information helps in any way.

Upvotes: 0

Views: 76

Answers (1)

Akbar

Reputation: 39

If unauthenticated users should use your POST request, there are several ways:

  1. Add reCAPTCHA. You can use the package react-google-recaptcha-v3 (or another) in your form, and verify the user.
  2. Use FingerprintJS or alternative one to identify abusive users and store the fingerprint in your database to track requests.
  3. And read this issue as well: How effective is the honeypot technique against spam?

Upvotes: -1
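A server-side version of the checks the answer lists (honeypot field, per-IP rate limit, reCAPTCHA v3 token verification), as an added example that is not code from the question or the answer. The names Submission, screenSubmission, captchaPasses, checkSubmission, makeRecaptchaVerifier and the hidden honeypot field "website" are assumptions, and the limits are illustrative.

```typescript
// Added example, not code from the question or answer. Assumed names: Submission,
// screenSubmission, captchaPasses, checkSubmission, makeRecaptchaVerifier, and the
// hidden honeypot field "website". Limits are illustrative.
export type Submission = { message: string; website: string; captchaToken: string; ip: string };
export type CaptchaResult = { success: boolean; score?: number };
export type CaptchaVerifier = (token: string, ip: string) => Promise<CaptchaResult>;

const MAX_LEN = 500;        // reject oversized bodies before touching the DB
const WINDOW_MS = 60_000;   // per-IP window
const MAX_PER_WINDOW = 5;   // submissions allowed per window
const MIN_SCORE = 0.5;      // reCAPTCHA v3 score threshold (0 = likely bot, 1 = likely human)

// In-memory counter: fine for one process, but on Vercel each serverless instance has
// its own memory, so production should back this with a shared store (e.g. a DB table).
const hits = new Map<string, number[]>();

export function rateLimited(ip: string, now: number): boolean {
  const recent = (hits.get(ip) ?? []).filter((t) => now - t < WINDOW_MS);
  recent.push(now);
  hits.set(ip, recent);
  return recent.length > MAX_PER_WINDOW;
}

// Cheap checks first; returns the failing check's name, or null when all pass.
export function screenSubmission(s: Submission, now: number): string | null {
  if (s.website !== '') return 'honeypot'; // hidden field: humans leave it empty, form-filling bots do not
  const msg = s.message.trim();
  if (msg.length === 0 || msg.length > MAX_LEN) return 'length';
  if (rateLimited(s.ip, now)) return 'rate';
  return null;
}

export function captchaPasses(r: CaptchaResult): boolean {
  return r.success && (r.score ?? 0) >= MIN_SCORE;
}

// Server-side token check against Google's siteverify endpoint; the token the
// react-google-recaptcha-v3 client produces proves nothing until the server verifies it.
export function makeRecaptchaVerifier(secret: string): CaptchaVerifier {
  return async (token, ip) => {
    const body = new URLSearchParams({ secret, response: token, remoteip: ip });
    const res = await fetch('https://www.google.com/recaptcha/api/siteverify', { method: 'POST', body });
    return (await res.json()) as CaptchaResult;
  };
}

// Call this at the top of saveMessageAction (after 'use server') and insert only when it returns null.
export async function checkSubmission(s: Submission, verify: CaptchaVerifier, now = Date.now()): Promise<string | null> {
  const early = screenSubmission(s, now);
  if (early) return early;
  return captchaPasses(await verify(s.captchaToken, s.ip)) ? null : 'captcha';
}
```

The client form sends the reCAPTCHA token and the hidden field along with the message; the IP comes from the request headers on the server, never from the client body.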
