zhongwei/gh-djankies-claude-configs-react-19
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ef94998b7ecb9edfc0e4c2269f88879308ac98f3
gh-djankies-claude-configs-…/skills/reviewing-server-actions/SKILL.md
Zhongwei Li ef94998b7e Initial commit
2025-11-29 18:22:28 +08:00

68 lines
2.1 KiB
Markdown
Raw Blame History

---
name: reviewing-server-actions
description: Review Server Actions for security, validation, and best practices in React 19. Use when reviewing forms, mutations, or server-side logic.
review: true
allowed-tools: Read, Grep, Glob
version: 1.0.0
---
# Review: Server Actions
## Security Checklist
### Input Validation
- [ ] All inputs validated with schema (zod, yup, etc.)
- [ ] Type coercion handled correctly (FormData.get returns strings)
- [ ] Length limits enforced
- [ ] No SQL injection vulnerabilities
For runtime validation patterns and type safety, use the using-runtime-checks skill from the typescript plugin.
If reviewing Zod schema validation patterns, use the validating-schema-basics skill for type-safe Zod v4 schema patterns.
### Authentication & Authorization
- [ ] Session/auth checked before mutations
- [ ] User permissions verified
- [ ] Resource ownership validated
- [ ] No unauthorized access possible
For secure credential handling, use the SECURITY-credentials skill from the typescript plugin.
### Data Sanitization
- [ ] User input sanitized before storage
- [ ] No XSS vulnerabilities
- [ ] File uploads validated (type, size, content)
- [ ] Dangerous operations require confirmation
## Best Practices
### Error Handling
- [ ] Try-catch blocks for async operations
- [ ] Specific error messages for users
- [ ] No sensitive data in error messages
- [ ] Logging for debugging
### Return Values
- [ ] Return serializable objects only
- [ ] Consistent response format
- [ ] Success and error states handled
- [ ] Field-specific errors when needed
### Performance
- [ ] Database queries optimized
- [ ] No N+1 query problems
- [ ] Appropriate use of transactions
- [ ] Rate limiting where needed
## Anti-Patterns to Flag
- [ ] ❌ No validation (trusting client input)
- [ ] ❌ No authentication checks
- [ ] ❌ Returning non-serializable values (functions, classes)
- [ ] ❌ Missing error handling
- [ ] ❌ Exposing sensitive data
- [ ] ❌ Direct database queries without sanitization
- [ ] ❌ No rate limiting on critical actions
For comprehensive Server Actions security, see: `research/react-19-comprehensive.md` lines 723-729, 1808-1942.
Reference in New Issue View Git Blame Copy Permalink