zhongwei/gh-djankies-claude-configs-react-19
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
gh-djankies-claude-configs-…/skills/reviewing-server-actions/SKILL.md
Zhongwei Li ef94998b7e Initial commit
2025-11-29 18:22:28 +08:00

2.1 KiB
Raw Permalink Blame History

name, description, review, allowed-tools, version
name description review allowed-tools version
reviewing-server-actions Review Server Actions for security, validation, and best practices in React 19. Use when reviewing forms, mutations, or server-side logic. true Read, Grep, Glob 1.0.0

Review: Server Actions

Security Checklist

Input Validation

  • All inputs validated with schema (zod, yup, etc.)
  • Type coercion handled correctly (FormData.get returns strings)
  • Length limits enforced
  • No SQL injection vulnerabilities

For runtime validation patterns and type safety, use the using-runtime-checks skill from the typescript plugin.

If reviewing Zod schema validation patterns, use the validating-schema-basics skill for type-safe Zod v4 schema patterns.

Authentication & Authorization

  • Session/auth checked before mutations
  • User permissions verified
  • Resource ownership validated
  • No unauthorized access possible

For secure credential handling, use the SECURITY-credentials skill from the typescript plugin.

Data Sanitization

  • User input sanitized before storage
  • No XSS vulnerabilities
  • File uploads validated (type, size, content)
  • Dangerous operations require confirmation

Best Practices

Error Handling

  • Try-catch blocks for async operations
  • Specific error messages for users
  • No sensitive data in error messages
  • Logging for debugging

Return Values

  • Return serializable objects only
  • Consistent response format
  • Success and error states handled
  • Field-specific errors when needed

Performance

  • Database queries optimized
  • No N+1 query problems
  • Appropriate use of transactions
  • Rate limiting where needed

Anti-Patterns to Flag

  • No validation (trusting client input)
  • No authentication checks
  • Returning non-serializable values (functions, classes)
  • Missing error handling
  • Exposing sensitive data
  • Direct database queries without sanitization
  • No rate limiting on critical actions

For comprehensive Server Actions security, see: research/react-19-comprehensive.md lines 723-729, 1808-1942.

Reference in New Issue View Git Blame Copy Permalink