That should be the server. Your Nextjs app should have zero access to business data without at least an auth token. And if you're relying on middleware for auth, it'll be responsible for providing that auth token to the rest of the app. And if you bypass middleware, then there's no auth token, and no vulnerability.
This is only a vulnerability if you have pages you don't want to render for some people, regardless of upstream data it would need to fetch.
Not necessarily. There is no big difference whether the business logic resides in the same node process or another one. If the first process is unsafe on that level, then the token can also be extracted.
Middleware runs server side doesn't it? tbh I haven't used nextjs middleware. But in many frameworks have used middleware that provides overarching access control.
For example having all routes under `/admin/*` automatically return an error if the user is not an admin, and then the individual routes don't need to be concerns with access control.
The issue is, everyone uses middleware because Next.js doesn't provide a primitive for a middleware like how it's done for any other framework. Just something to execute before your endpoint, that's it.
They haven't had one for years and everyone wrapped their endpoints which was error prone and also flat out annoying, it's reasonable that people then jump to middleware
That is an important catalyst aggregating the problem. Juniors are reading less code, mostly generating and then AI code produced dissuades them from reading code even more and the skills take a bit even more.
Not to contradict you, but fascinating coincidence: my favorite alleged originator of OK — "Old Kinderhook," Martin Van Buren — is to date the one and only U.S. president who did not speak English as his first language.
(But "oll korrect" is apparently attributed to Andrew Jackson, who was a native speaker, yes.)
The early models were uncensored, but people seeing early llms give meth recipes and how to make car bombs made them quickly get neutered before public release (additional controls, for pirvate info, nudity, swearing etc all come from additional guardrails and improvements of the protection they can offer the company and not end users)
Have an uncensored model loop through nypost articles and ask it to synthesize content from that. Nypost has tons of scandalous content and can easily get spun into erotica by an uncensored model.
It’s unsafe for that reason, so you absolutely needed both censored and uncensored. It wasn’t an accident.
> can easily get spun into erotica by an uncensored model.
A sexualized fine-tune yes, but that's because you have to make them overly horny to overcome the original censorship.
Nothing prevent them to train a model that will have an appropriate level of sexual content (that is, only upon user explicit request) the same way they train it not to have sexual content at all.
The reason they do that is because they are American companies, the same companies who also censored nude paintings and statues from European museums' pages.
Modern heroku. The toolset is standard for web these days (eg docker, etc) but you don’t need to roll your own devops.
It might be hard to understand the value prop because it seems like a commodity… but that’s exactly the value prop: a commodity that works well, is priced right, and you don’t need to worry about using some weird toolset or rolling your own infrastructure.
