React Server Components
coryhouse opened this issue · 0 comments
Same site built with and without RSC
Both server and client components render 2 things on the server:
- HTML (yes, even client components)
- A virtual DOM representation of the HTML (so RSC knows how to weave client components in, and how to handle client-side routing, and so client components can be "hydrated" on the client).
My tweet with key points
See the RSC project walkthrough for an example of the above: https://demystifying-rsc.vercel.app/)
What does use client
do?
- It tells the bundler to output this code as a separate file with its own url so it can be loaded lazily in the browser.
- It tells the compiler when this code is needed, it should add code to load the js file for this component.
- It tells RSC that the Virtual DOM it generates should contain a placeholder reference to this Client Component, rather than the component's html output.
- It still runs on the server. 'use client' does not disable SSR!
Rule: The deciding factor for what is treated as a Client Component is what is imported in the code. A client component can import and render a server component (a component that doesn't specify use client
) as long as it doesn't do server things, and doesn't have import server-only
.
<suspense>
in RSC causes the fallback to be immediately rendered.
Seeing hydration errors? disable SSR for client component or disable SSR server side using Next dynamic (next/dynamic is just a composite of React.lazy()
and <Suspense>
). Or, can useSyncExternalStore
Devtools: https://chromewebstore.google.com/detail/rsc-devtools/jcejahepddjnppkhomnidalpnnnemomn
https://rsc-parser.vercel.app/
3 data access approaches for RSC
Audit checklist:
Audit
If you're doing an audit of a Next.js App Router project here are a few things we recommend looking extra at:
- Data Access Layer. Is there an established practice for an isolated Data Access Layer? Verify that database packages and environment variables are not imported outside the Data Access Layer.
- "use client" files. Are the Component props expecting private data? Are the type signatures overly broad?
- "use server" files. Are the Action arguments validated in the action or inside the Data Access Layer? Is the user re-authorized inside the action?
- /[param]/. Folders with brackets are user input. Are params validated?
- middleware.tsx and route.tsx have a lot of power. Spend extra time auditing these using traditional techniques. Perform Penetration Testing or Vulnerability Scanning regularly or in alignment with your team's software development lifecycle.