Looks like the Next.js gish-gallop machine is firing on all cylinders, augmented by generative AI.
.env files are problematic because they often end up in version control or left lying on local disks unencrypted, increasing the risk of a secret leak. They're nearly impossible to manage securely at scale, are difficult to distribute across a team, and offer no access control or security.
Sure, if your developers live in a bubble and don't know any better. Otherwise, .env files are fantastic because they are dead simple. Keeping them out of VCS is simple. echo ".env" >> .gitignore.
Need to share a secret value? Use any number of secure communications systems your company has in place. Or generate your own from the system that is issuing secrets. It's not the 1950s, when sharing a secret was considered a national security endeavor. This doesn't need to be rocket science.
You can communicate what's supposed to go in the .env file with a .env.template file, with a list of env variables set equal to an empty string.
I'm glad they at least share the nightmare that is client-side environment variables. Prepare to waste days/weeks of your life sifting through unresolved issues in Next.js repo on GitHub, only to discover that you have to re-architect vast swaths of an application just so a secret (of any kind) is never required on the client. This is incredibly challenging and frustrating to deal with, especially when on a deadline and you're 95% done with a working solution.
In typical Next.js fashion, the official documentation for instrumentation.ts is complete dog crap. It's deceptively short, making the naive developer think it's simple to configure. In reality, you should first read through the 50 open and 71 closed GitHub issues related just to instrumentation (https://github.com/vercel/next.js/issues?q=is%3Aissue%20stat...), and make sure you understand all the undocumented ways in which instrumentation.js will destroy any semblance of productivity or enjoyment of programming.
I'd highly recommend staying away from the dumpster fire that is Next.js. It's too bad it's like the top skill asked for by employers these days, who seem to have no idea what they're signing up for.
jitl · 11m ago
> just so a secret (of any kind) is never required on the client
This is how web clients usually work though not NextJS special at all. You have a HTTP only cookie for authentication and proxy requests through your backend to authorize client to perform actions that depend on secrets.
I’m not a NextJS proponent and have experienced frustrations running into its limitations but I think in this case it’s unfair to malign it.
If anything NextJS makes this easier, you just move your function call that uses a secret to a “use server” file and add an authorization check but your client code doesn’t need to change you keep importing it and calling it like a regular async function.
Are you making the argument that they should have a default API route? I don't think that's very common.
latchkey · 1h ago
I'm making the argument that I wouldn't rely on an API endpoint to serve up the secrets that enable my application to work. Imagine a network outage or endpoint failure when the app just happens to be redeployed.
jitl · 2m ago
Where should secrets come from then? Burn them into the deployable artifact??? Place them on the host filesystem in perpetuity???
duncanfwalker · 1h ago
I think it depends on the API - we do this with AWS Secret Managers. I haven't seen it fail but if did it would only effect new instances coming into service so I think we'd have to be pretty unlucky for it to have a noticeable impact.
latchkey · 58m ago
This wasn’t an AWS Secrets Manager example, and yes, there’s a guy named Murphy who wrote a law about this kind of thing.
karmakaze · 54m ago
That's a whole category of software that makes large systems work: etcd, Zookeeper, HashiCorp Vault, etc.
Need to share a secret value? Use any number of secure communications systems your company has in place. Or generate your own from the system that is issuing secrets. It's not the 1950s, when sharing a secret was considered a national security endeavor. This doesn't need to be rocket science.
You can communicate what's supposed to go in the .env file with a .env.template file, with a list of env variables set equal to an empty string.
I'm glad they at least share the nightmare that is client-side environment variables. Prepare to waste days/weeks of your life sifting through unresolved issues in Next.js repo on GitHub, only to discover that you have to re-architect vast swaths of an application just so a secret (of any kind) is never required on the client. This is incredibly challenging and frustrating to deal with, especially when on a deadline and you're 95% done with a working solution.
In typical Next.js fashion, the official documentation for instrumentation.ts is complete dog crap. It's deceptively short, making the naive developer think it's simple to configure. In reality, you should first read through the 50 open and 71 closed GitHub issues related just to instrumentation (https://github.com/vercel/next.js/issues?q=is%3Aissue%20stat...), and make sure you understand all the undocumented ways in which instrumentation.js will destroy any semblance of productivity or enjoyment of programming.
I'd highly recommend staying away from the dumpster fire that is Next.js. It's too bad it's like the top skill asked for by employers these days, who seem to have no idea what they're signing up for.
This is how web clients usually work though not NextJS special at all. You have a HTTP only cookie for authentication and proxy requests through your backend to authorize client to perform actions that depend on secrets.
I’m not a NextJS proponent and have experienced frustrations running into its limitations but I think in this case it’s unfair to malign it.
If anything NextJS makes this easier, you just move your function call that uses a secret to a “use server” file and add an authorization check but your client code doesn’t need to change you keep importing it and calling it like a regular async function.
100% uptime, I'm sure.