Baroshem / nuxt-security

🛡 Automatically configure your app to follow OWASP security patterns and principles by using HTTP Headers and Middleware
https://nuxt-security.vercel.app/
MIT License
743 stars 56 forks

ref and reactive outside setup #361

Closed scottix closed 4 months ago

scottix commented 5 months ago

Is your feature request related to a problem? Please describe.

The problem is making sure ref or reactive is not defined outside of vue's setup method. With SSR this can create a scenario of cross pollination or exposed state to unauthorized users.

Describe the solution you'd like

What I have done personally is have a script that searches through js and ts files and makes sure there are no instances of 'ref(' or 'reactive(', although this method is naïve and doesn't take into account cases of composition api and use functions. I basically have a whitelist that will ignore these files after inspection and proper use.

Describe alternatives you've considered

Maybe some sort of AST checker. I don't know if there is some way to do it in runtime.

Additional context

(https://nuxt.com/docs/getting-started/state-management#best-practices)
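As an added example (not code from the issue author or from the nuxt-security project), a heuristic scanner along the lines of the script described above: it reports `ref()`/`reactive()` calls at module scope, where state is shared across SSR requests, and keeps an allowlist of reviewed files. The sample sources, file paths and the `findModuleScopeState`/`scanSources` names are constructed for this example.

```javascript
// Added example (not nuxt-security code): report ref()/reactive() calls at module
// scope (brace depth 0). Calls inside setup()/use*() bodies, <script setup> blocks,
// comments and strings are skipped; { n: ref(0) } at module scope is a known gap.
const STATE_CALL = /(ref|reactive|shallowRef|shallowReactive)\s*\(/y;

// Returns [{ name, line }] for each state call found at brace depth 0.
function findModuleScopeState(src) {
  if (/<script\s[^>]*\bsetup\b/.test(src)) return [];   // refs there are per-instance
  const hits = [];
  let depth = 0, line = 1, i = 0;
  while (i < src.length) {
    const ch = src[i], next = src[i + 1];
    if (ch === '\n') { line++; i++; continue; }
    if (ch === '/' && next === '/') {                     // line comment
      while (i < src.length && src[i] !== '\n') i++;
    } else if (ch === '/' && next === '*') {              // block comment
      const end = src.indexOf('*/', i + 2), stop = end < 0 ? src.length : end + 2;
      for (; i < stop; i++) if (src[i] === '\n') line++;
    } else if (ch === '"' || ch === "'" || ch === '`') {   // string / template literal
      for (i++; i < src.length && src[i] !== ch; i++) {
        if (src[i] === '\\') i++; else if (src[i] === '\n') line++;
      }
      i++;
    } else if (ch === '{') { depth++; i++; }
    else if (ch === '}') { depth = Math.max(0, depth - 1); i++; }
    else {
      STATE_CALL.lastIndex = i;
      const m = depth === 0 && !(i > 0 && /[\w$]/.test(src[i - 1])) && STATE_CALL.exec(src);
      if (m) { hits.push({ name: m[1], line }); i += m[0].length; } else i++;
    }
  }
  return hits;
}

// Scan a map of path -> source; the allowlist holds files reviewed by hand.
function scanSources(files, allowlist = []) {
  const findings = [];
  for (const [path, src] of Object.entries(files)) {
    if (allowlist.includes(path)) continue;
    for (const h of findModuleScopeState(src)) findings.push(`${path}:${h.line} ${h.name}()`);
  }
  return findings;
}

// Constructed samples: a leaky module-scope store, a safe composable, a <script setup> page.
const SAMPLE_FILES = {
  'stores/session.js': "import { ref, reactive } from 'vue'\n// shared by every SSR request\nexport const currentUser = ref(null)\nexport const cart = reactive({ items: [] })",
  'composables/useCounter.ts': "import { ref } from 'vue'\nexport function useCounter() {\n  const n = ref(0) // per call\n  return n\n}",
  'pages/index.vue': "<script setup lang=\"ts\">\nimport { ref } from 'vue'\nconst count = ref(0)\n</script>",
};
```

Running `scanSources(SAMPLE_FILES)` reports only the two module-scope calls in `stores/session.js`; passing that path in the allowlist silences them after review.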

Baroshem commented 5 months ago

Hey Buddy,

Thanks for this feature idea. Could you tell me, however, why you think it should be added to the NuxtSecurity module?

This seems more like an addition to the core framework rather than to a Security module.

scottix commented 5 months ago

Ya, I was thinking about that as well. I think my reasoning is that the exploit can leak data about a user. I think it is similar to the concept of Remove Console Loggers. Although I'm not opposed to moving it more upstream, which means more users will avoid the mistake.

Baroshem commented 5 months ago

What about adding an entry in good practices in docs?

There is already a similar point there about returning only what is necessary.

https://nuxt-security.vercel.app/documentation/advanced/good-practices#only-return-what-is-necessary

scottix commented 5 months ago

Up to you, although it won't necessarily check anything. It could even be a library they imported and have no idea that it could potentially be dangerous.

Baroshem commented 5 months ago

I think this would be the way to go.

I would prefer to avoid having these kind of checkers and have a documentation record instead.

Would you be up for contributing and adding this? I can provide all the help needed :)

Baroshem commented 5 months ago

@scottix would you be interested in writing a good practices section about it? :)

scottix commented 5 months ago

@Baroshem sorry, been a little, I can add it to my todo list