Next.js: API route examples are bad/incorrect

Created on 11 Oct 2019  ·  8Comments  ·  Source: vercel/next.js

Examples bug report

Example name

  • api-routes-graphql
  • api-routes-rest
  • api-* (affects all)

Describe the bug

All the examples use getInitialProps to request from localhost:3000 - which, when you've deployed to now (as per the readme) it blows up and throws a 500 (I just ran a test deploy and it does indeed break).

This issue isn't specific to Next.js but it is specific to the examples which suggest releasing.

To Reproduce

  1. Deploy https://github.com/zeit/next.js/tree/canary/examples/api-routes-graphql/ to now
  2. Visit url - 500

Expected behavior

A solution should be offered to handle fetching "self", or the suggestion of deploying to Zeit's now should be removed.

Additional context

Possible workaround that I'm currently using, but feels brittle:

const origin = req => {
  if (!req) {
    return '';
  }

  if (req.headers['x-now-deployment-url']) {
    return `https://${req.headers['x-now-deployment-url']}`;
  }

  return `http://${req.headers.host}`
}

Index.getInitialProps = async ({ req }) => {

  const url = origin(req) + '/api/graphql';
  fetch(url, { … });
  // snip
picture remy
👍5

Most helpful comment

Hi,

I didn't whitelist any other domains except my own personal IP address. This is why everything worked locally, but not when I pushed it up to Vercel's servers and my custom domain.

In case anyone stumbles upon this comment and is trying to figure out why they're able to hit their DB (mongoDB atlas in the cloud) locally ... but not when you deploy ... make sure you whitelist other IPs than just your own.

picture rwschmitz on 23 Apr 2020
👍2

All 8 comments

To me it feels a bit unsafe to have your backend make requests to urls defined in headers. Wouldn't it be possible to spoof the host header?

Janpot picture Janpot on 12 Oct 2019

Just bumped into this as well!

Possible workaround that I'm currently using, but feels brittle:

It seems that using the header is the way to go indeed. https://zeit.co/docs/v2/advanced/platform/changes-in-now-2-0/#environment-variables

To me it feels a bit unsafe to have your backend make requests to urls defined in headers. Wouldn't it be possible to spoof the host header?

It should be safe https://github.com/zeit/now-builders/issues/55#issuecomment-446422255

It will be added at the routing layer, so no chance of someone spoofing the value as we would just overwrite it when that happens.

amytych picture amytych on 16 Oct 2019
👍1

@amytych

It should be safe

It may be safe in ZEIT now specifically, but API routes are not restricted to this environment alone. People may copy this example and run it on their own infrastructure. Besides that, it would give the general impression that it's ok to treat the host header as "safe" input.

Janpot picture Janpot on 16 Oct 2019

It may be safe in ZEIT now specifically, but API routes are not restricted to this environment alone. People may copy this example and run it on their own infrastructure. Besides that, it would give the general impression that it's ok to treat the host header as "safe" input.

Good point indeed 👍 I was caught up with the issue being about Now 2.0 deployments, I guess in other environments the case will always be different and out of scope of this issue?

amytych picture amytych on 16 Oct 2019

I'm also running into this. The provided examples do not work when developing locally, due to SSR pages not being able to make requests to the api endpoints. I get 404 errors.

shidel-dev picture shidel-dev on 12 Feb 2020

Hi,

I think I'm having a similar issue.

  • I connect to my mongoDB that's hosted in the cloud via mongoDB Atlas.
  • Any data fetching I do on localhost in /api/my-route-here works locally. I get the data back, and it's all good.
  • I then deploy to Vercel, and no matter the combination of things I've tried, I routinely get 502 bad gateway with the exact same code.

I've done next build and next start locally to see if something is going on during the build process but this still works.

I thought maybe the "API resolved without returning data may result in stalled requests" was causing the issue, so I re-wrote my middleware but even after resolving that issue, I'm still getting 502 bad gateway when deploying.

rwschmitz picture rwschmitz on 22 Apr 2020

Hi,

I didn't whitelist any other domains except my own personal IP address. This is why everything worked locally, but not when I pushed it up to Vercel's servers and my custom domain.

In case anyone stumbles upon this comment and is trying to figure out why they're able to hit their DB (mongoDB atlas in the cloud) locally ... but not when you deploy ... make sure you whitelist other IPs than just your own.

rwschmitz picture rwschmitz on 23 Apr 2020
👍2

Closing as api-routes-* examples have been updated to no longer use absolute URLs to do data fetching :relieved:

lfades picture lfades on 27 Apr 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

YarivGilad picture YarivGilad  ·  3Comments
jesselee34 picture jesselee34  ·  3Comments
lixiaoyan picture lixiaoyan  ·  3Comments
renatorib picture renatorib  ·  3Comments
havefive picture havefive  ·  3Comments