Forem: Bruno Corrêa The latest articles on Forem by Bruno Corrêa (@brinobruno). https://forem.com/brinobruno https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2076159%2F10a58bb9-e2ba-4fca-9186-3f90d4cc5cb4.jpg Forem: Bruno Corrêa https://forem.com/brinobruno en JavaScript Countdown Gotcha: Why Date.now() Depends on the User’s Clock Bruno Corrêa Wed, 24 Sep 2025 13:21:10 +0000 https://forem.com/brinobruno/javascript-countdown-gotcha-why-datenow-depends-on-the-users-clock-2gl9 https://forem.com/brinobruno/javascript-countdown-gotcha-why-datenow-depends-on-the-users-clock-2gl9 <h3> TL;DR </h3> <ul> <li> <code>Date.now()</code> uses the <strong>user’s system clock</strong>, not the server’s.</li> <li>If the user’s device time is wrong, your countdown timers will be wrong too.</li> <li>Always treat the <strong>server as the source of truth</strong> for time-sensitive flows.</li> </ul> <h3> Backstory: A Payment Timer Gone Wrong </h3> <p>While integrating Nubank’s NuPay system, I built a simple countdown timer: 10 minutes (600 seconds) before the payment link expired. Straightforward, right?</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb7h9cnsrvummdzxgdrvd.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb7h9cnsrvummdzxgdrvd.png" alt="Countdown timer UI" width="800" height="497"></a></p> <p>Fetch the order, grab the <code>insertedAt</code> timestamp, and compare it with <code>Date.now()</code>.</p> <p>Except my timer kept showing <strong>11:50 minutes</strong> instead of 10:00.</p> <h3> The Gotcha: <code>Date.now()</code> Uses the Client Clock </h3> <p>After double-checking my math, I tried something unusual: I manually changed my system clock.</p> <p>Suddenly the timer shifted.</p> <p>That’s when I realized:</p> <blockquote> <p><strong><code>Date.now()</code> isn’t based on server time. It’s based on the <em>user’s system clock</em>.</strong></p> </blockquote> <p>If the system time is off — even by a couple of minutes — your timer drifts. On payments, that’s a dealbreaker.</p> <h3> How I Fixed It </h3> <ol> <li> <strong>Store a local timestamp on checkout</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="nx">localStorage</span><span class="p">.</span><span class="nf">setItem</span><span class="p">(</span><span class="s2">`nupay_order_</span><span class="p">${</span><span class="nx">orderId</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">().</span><span class="nf">toString</span><span class="p">())</span> </code></pre> </div> <p>This works reliably on the same device.</p> <ol> <li><p><strong>Use it on the confirmation page</strong><br> Compare the stored value to <code>Date.now()</code> to calculate remaining time.</p></li> <li><p><strong>Fallback to server data</strong><br> If the local key doesn’t exist (e.g. user switches devices), use the backend’s <code>insertedAt</code>.</p></li> </ol> <h3> Cross-Device Reality Check </h3> <p>What if a user checks out on their laptop but views the order on their phone?</p> <ul> <li> <strong>LocalStorage</strong> works only on the same device.</li> <li> <strong>Server timestamps</strong> cover cross-device cases.</li> <li> <strong>Best practice:</strong> have the backend return its <em>current time</em> along with <code>insertedAt</code> so you can calculate relative to the server clock.</li> </ul> <h3> Polling the Order Status </h3> <p>To keep the order status fresh, I used polling (every 5 seconds):</p> <ul> <li>Simpler than WebSockets/SSE</li> <li>Stateless, reliable, easy to retry</li> <li>Perfect for a short-lived, critical flow like payments </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">pollOrderStatus</span><span class="p">(</span><span class="nx">orderId</span><span class="p">:</span> <span class="kr">number</span><span class="p">,</span> <span class="nx">timeout</span><span class="p">:</span> <span class="kr">number</span><span class="p">,</span> <span class="nx">signal</span><span class="p">:</span> <span class="nx">AbortSignal</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">startTime</span> <span class="o">=</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">interval</span> <span class="o">=</span> <span class="mi">5000</span> <span class="k">while </span><span class="p">(</span><span class="kc">true</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// stop polling if request was aborted or max timeout exceeded</span> <span class="k">if </span><span class="p">(</span><span class="nx">signal</span><span class="p">.</span><span class="nx">aborted</span> <span class="o">||</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">-</span> <span class="nx">startTime</span> <span class="o">&gt;</span> <span class="nx">timeout</span><span class="p">)</span> <span class="k">break</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">data</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nf">query</span><span class="p">({</span> <span class="na">query</span><span class="p">:</span> <span class="nx">GetOrder</span><span class="p">,</span> <span class="na">variables</span><span class="p">:</span> <span class="p">{</span> <span class="nx">orderId</span> <span class="p">},</span> <span class="na">fetchPolicy</span><span class="p">:</span> <span class="dl">'</span><span class="s1">no-cache</span><span class="dl">'</span> <span class="p">})</span> <span class="c1">// Checks if order status has changed to paid/failed/canceled/etc</span> <span class="k">if </span><span class="p">(</span><span class="nx">data</span><span class="p">?.</span><span class="nx">order</span><span class="p">?.</span><span class="nx">status</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">pending</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nf">reload</span><span class="p">()</span> <span class="k">break</span> <span class="p">}</span> <span class="k">await</span> <span class="k">new</span> <span class="nc">Promise</span><span class="p">(</span><span class="nx">r</span> <span class="o">=&gt;</span> <span class="nf">setTimeout</span><span class="p">(</span><span class="nx">r</span><span class="p">,</span> <span class="nx">interval</span><span class="p">))</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Key Lesson: Don’t Trust the Client Clock </h3> <ul> <li> <code>Date.now()</code> is only as correct as the user’s system settings.</li> <li>Clocks can drift minutes or hours.</li> <li>Cross-device usage makes things worse.</li> </ul> <p><strong>Always prefer:</strong></p> <ul> <li>Server timestamps as the source of truth</li> <li>Local storage as a same-device helper</li> <li>Small tolerances where exactness isn’t critical</li> </ul> <h3> Visualizing the Flow </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>User Checkout → Order Created (10 min timeout) → Store local timestamp ↓ Confirmation Page → Calculate Remaining Time → Show Countdown ↓ Start Polling (5s intervals) → Check Order Status → Update UI ↓ Status Change → Reload Page → Final State (Real-time feedback for user) </code></pre> </div> <h3> Conclusion </h3> <p>Most of us take <code>Date.now()</code> for granted, but in time-sensitive apps like payments, it can quietly undermine your logic.</p> <p>Next time you build a countdown, remember:</p> <blockquote> <p><strong>The client clock is not gospel. The server is your source of truth.</strong></p> </blockquote> <h3> References </h3> <ul> <li><a href="https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/now" rel="noopener noreferrer">MDN: Date.now()</a></li> <li><a href="https://developer.mozilla.org/en-US/docs/Web/API/Performance/now" rel="noopener noreferrer">MDN: Performance.now()</a></li> </ul> <h3> Let’s Connect </h3> <p>I share real-world problem-solving and debugging lessons:<br> <a href="https://github.com/brinobruno" rel="noopener noreferrer">GitHub</a> | <a href="https://www.linkedin.com/in/brunociao/" rel="noopener noreferrer">LinkedIn</a> | <a href="https://brunocorrea.dev/" rel="noopener noreferrer">Portfolio</a></p> webdev javascript frontend ecommerce [Boost] Bruno Corrêa Mon, 10 Feb 2025 11:57:43 +0000 https://forem.com/brinobruno/-5db9 https://forem.com/brinobruno/-5db9 <div class="ltag__link"> <a href="/brinobruno" class="ltag__link__link"> <div class="ltag__link__pic"> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2076159%2F10a58bb9-e2ba-4fca-9186-3f90d4cc5cb4.jpg" alt="brinobruno"> </div> </a> <a href="https://dev.to/brinobruno/handling-complex-file-upload-forms-56bh" class="ltag__link__link"> <div class="ltag__link__content"> <h2>Handling Complex File Upload forms</h2> <h3>Bruno Corrêa ・ Feb 9</h3> <div class="ltag__link__taglist"> <span class="ltag__link__tag">#webdev</span> <span class="ltag__link__tag">#react</span> <span class="ltag__link__tag">#nextjs</span> <span class="ltag__link__tag">#tutorial</span> </div> </div> </a> </div> webdev react nextjs tutorial Handling Complex File Upload forms Bruno Corrêa Sun, 09 Feb 2025 16:17:49 +0000 https://forem.com/brinobruno/handling-complex-file-upload-forms-56bh https://forem.com/brinobruno/handling-complex-file-upload-forms-56bh <p>Picture this: You're working on a mature React application with forms that have evolved over years. Nested objects, array fields, complex validation and maybe even some legacy code. Then comes the requirement:<br><br> <strong>"We need to add file uploads to this form."</strong> </p> <p>Your first thought? <em>"Easy, just use <code>FormData</code> and multipart uploads!"</em><br><br> But then you open the form component and see something this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// The existing form structure that gives you nightmares</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">control</span><span class="p">,</span> <span class="nx">handleSubmit</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">useForm</span><span class="o">&lt;</span><span class="p">{</span> <span class="na">project</span><span class="p">:</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">collaborators</span><span class="p">:</span> <span class="nb">Array</span><span class="o">&lt;</span><span class="p">{</span> <span class="na">email</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">permissions</span><span class="p">:</span> <span class="kr">string</span><span class="p">[];</span> <span class="p">}</span><span class="o">&gt;</span><span class="p">;</span> <span class="nl">timeline</span><span class="p">:</span> <span class="p">{</span> <span class="na">start</span><span class="p">:</span> <span class="nb">Date</span><span class="p">;</span> <span class="nl">milestones</span><span class="p">:</span> <span class="nb">Array</span><span class="o">&lt;</span><span class="p">{</span> <span class="na">title</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">description</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">}</span><span class="o">&gt;</span><span class="p">;</span> <span class="p">};</span> <span class="p">};</span> <span class="c1">// ...and 20 more fields</span> <span class="p">}</span><span class="o">&gt;</span><span class="p">();</span> </code></pre> </div> <p>Suddenly, converting everything to <code>FormData</code> feels like impossible and just not ideal. Let me show you how we tackled this without rewriting our entire form (and backend!).</p> <h2> The Problem of File Uploads </h2> <p>Our requirements were: </p> <p>✅ Maintain the existing complex JSON structure<br><br> ✅ Add multiple file uploads<br><br> ✅ Single API request (no race conditions!)<br><br> ✅ No massive refactoring </p> <h3> The Obvious (But Flawed) Solution: Two Separate Requests </h3> <p>Submitting form data first, then uploading files separately seemed logical.<br><br> <strong>But:</strong> </p> <p>❌ What if the form submission succeeds but file upload fails?<br><br> ❌ How do we handle partial failures?<br><br> ❌ Double the API surface = double the maintenance </p> <p>We needed a way to send everything in one payload. Here's what we built.</p> <h2> Approach 1: The Straightforward FormData Method </h2> <p><strong>Best for:</strong> Simple forms, quick implementations </p> <p>Let's start with the solution you <em>wish</em> you could use. </p> <h3> Simple Upload Component </h3> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// app/components/simple-upload.tsx</span> <span class="dl">"</span><span class="s2">use client</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">SimpleUploadForm</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">handleSubmit</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">e</span><span class="p">:</span> <span class="nx">React</span><span class="p">.</span><span class="nx">FormEvent</span><span class="o">&lt;</span><span class="nx">HTMLFormElement</span><span class="o">&gt;</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">e</span><span class="p">.</span><span class="nf">preventDefault</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">formData</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">FormData</span><span class="p">();</span> <span class="nx">files</span><span class="p">.</span><span class="nf">forEach</span><span class="p">((</span><span class="nx">file</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">formData</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="dl">"</span><span class="s2">files</span><span class="dl">"</span><span class="p">,</span> <span class="nx">file</span><span class="p">));</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/simple-upload</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">POST</span><span class="dl">"</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">formData</span><span class="p">,</span> <span class="c1">// No Content-Type header!</span> <span class="p">});</span> <span class="p">};</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nc">Card</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">CardContent</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">form</span> <span class="na">onSubmit</span><span class="p">=</span><span class="si">{</span><span class="nx">handleSubmit</span><span class="si">}</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">Input</span> <span class="na">type</span><span class="p">=</span><span class="s">"file"</span> <span class="na">multiple</span> <span class="p">/&gt;</span> <span class="p">&lt;</span><span class="nc">Button</span> <span class="na">type</span><span class="p">=</span><span class="s">"submit"</span><span class="p">&gt;</span>Upload<span class="p">&lt;/</span><span class="nc">Button</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">form</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nc">CardContent</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nc">Card</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h4> API Route </h4> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/api/simple-upload/route.ts</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">POST</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">formData</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">request</span><span class="p">.</span><span class="nf">formData</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">files</span> <span class="o">=</span> <span class="nx">formData</span><span class="p">.</span><span class="nf">getAll</span><span class="p">(</span><span class="dl">"</span><span class="s2">files</span><span class="dl">"</span><span class="p">)</span> <span class="k">as</span> <span class="nx">File</span><span class="p">[];</span> <span class="nx">files</span><span class="p">.</span><span class="nf">forEach</span><span class="p">(</span><span class="k">async </span><span class="p">(</span><span class="nx">file</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">bytes</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">file</span><span class="p">.</span><span class="nf">arrayBuffer</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">buffer</span> <span class="o">=</span> <span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">bytes</span><span class="p">);</span> <span class="c1">// Write to filesystem or S3</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">success</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>✅ <strong>Why this works:</strong> </p> <ul> <li>Native browser support </li> <li>Streams files directly </li> <li>No size conversion overhead </li> </ul> <p>❌ <strong>Why it failed us:</strong> </p> <ul> <li>Our existing form wasn't compatible with <code>FormData</code> </li> <li>Converting nested objects to flat key-value pairs would require: <ul> <li>Frontend restructuring </li> <li>Backend parameter re-mapping </li> <li>Breaking changes for mobile clients </li> </ul> </li> </ul> <h2> Approach 2: The JSON Base64 Shuffle </h2> <p><strong>Best for:</strong> Keeping complex JSON structures intact </p> <p>Instead of breaking our form, we converted files to <strong>Base64</strong> and embedded them in JSON. So the flow will be: </p> <p>Frontend will encode it and send to backend.<br> Backend will then decode it and be able to treat it (Save to an S3 bucket, save to database, whatever.).</p> <h3> Complex Upload Component </h3> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// app/components/complex-upload.tsx</span> <span class="dl">"</span><span class="s2">use client</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">onSubmit</span><span class="p">:</span> <span class="nx">SubmitHandler</span><span class="o">&lt;</span><span class="nx">FormInputs</span><span class="o">&gt;</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">data</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">files</span> <span class="o">=</span> <span class="k">await</span> <span class="nb">Promise</span><span class="p">.</span><span class="nf">all</span><span class="p">(</span> <span class="nb">Array</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">files</span><span class="p">).</span><span class="nf">map</span><span class="p">(</span><span class="k">async </span><span class="p">(</span><span class="nx">file</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">base64</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">readFileAsBase64</span><span class="p">(</span><span class="nx">file</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="nx">file</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="nx">file</span><span class="p">.</span><span class="kd">type</span><span class="p">,</span> <span class="na">size</span><span class="p">:</span> <span class="nx">file</span><span class="p">.</span><span class="nx">size</span><span class="p">,</span> <span class="na">base64</span><span class="p">:</span> <span class="nx">base64</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">"</span><span class="s2">,</span><span class="dl">"</span><span class="p">)[</span><span class="mi">1</span><span class="p">],</span> <span class="c1">// Strip metadata</span> <span class="p">};</span> <span class="p">})</span> <span class="p">);</span> <span class="kd">const</span> <span class="nx">payload</span> <span class="o">=</span> <span class="p">{</span> <span class="na">user</span><span class="p">:</span> <span class="nx">data</span><span class="p">.</span><span class="nx">user</span><span class="p">,</span> <span class="na">attachments</span><span class="p">:</span> <span class="nx">files</span><span class="p">,</span> <span class="p">};</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/complex-upload</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">POST</span><span class="dl">"</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Content-Type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">application/json</span><span class="dl">"</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">payload</span><span class="p">),</span> <span class="p">});</span> <span class="p">};</span> <span class="c1">// FileReader Helper Function</span> <span class="kd">const</span> <span class="nx">readFileAsBase64</span> <span class="o">=</span> <span class="p">(</span><span class="nx">file</span><span class="p">:</span> <span class="nx">File</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="kr">string</span><span class="o">&gt;</span><span class="p">((</span><span class="nx">resolve</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">reader</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">FileReader</span><span class="p">();</span> <span class="nx">reader</span><span class="p">.</span><span class="nx">onload</span> <span class="o">=</span> <span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">resolve</span><span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">target</span><span class="p">?.</span><span class="nx">result</span> <span class="k">as</span> <span class="kr">string</span><span class="p">);</span> <span class="nx">reader</span><span class="p">.</span><span class="nf">readAsDataURL</span><span class="p">(</span><span class="nx">file</span><span class="p">);</span> <span class="p">});</span> <span class="p">};</span> </code></pre> </div> <h4> API Route </h4> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/api/complex-upload/route.ts</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">POST</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">user</span><span class="p">,</span> <span class="nx">attachments</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">request</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="nx">attachments</span><span class="p">.</span><span class="nf">forEach</span><span class="p">((</span><span class="nx">file</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">buffer</span> <span class="o">=</span> <span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">file</span><span class="p">.</span><span class="nx">base64</span><span class="p">,</span> <span class="dl">"</span><span class="s2">base64</span><span class="dl">"</span><span class="p">);</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">writeFileSync</span><span class="p">(</span><span class="s2">`./uploads/</span><span class="p">${</span><span class="nx">file</span><span class="p">.</span><span class="nx">name</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="nx">buffer</span><span class="p">);</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="nx">user</span><span class="p">,</span> <span class="na">uploadedFiles</span><span class="p">:</span> <span class="nx">attachments</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">f</span> <span class="o">=&gt;</span> <span class="nx">f</span><span class="p">.</span><span class="nx">name</span><span class="p">)</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>✅ <strong>Why this works:</strong> </p> <ul> <li> <strong>Existing structure maintained</strong>: No need to flatten nested objects </li> <li> <strong>Single request</strong>: Everything succeeds or fails together </li> <li> <strong>Backend agnostic</strong>: Works with REST, GraphQL, or even tRPC </li> </ul> <h2> Lessons </h2> <h3> 1. React Hook Form Quirks </h3> <p>When using <code>useForm</code> with file inputs, handle the <code>FileList</code> manually:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="p">{...</span><span class="nf">register</span><span class="p">(</span><span class="dl">"</span><span class="s2">files</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">validate</span><span class="p">:</span> <span class="p">(</span><span class="nx">files</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">files</span><span class="p">?.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">0</span> <span class="o">||</span> <span class="dl">"</span><span class="s2">Required</span><span class="dl">"</span> <span class="p">})}</span> </code></pre> </div> <h3> 2. Memory Management </h3> <p>Converting <strong>100MB</strong> files to base64?<br><br> 🚨 <strong>Your users' browsers will cry.</strong><br><br> We added:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">if </span><span class="p">(</span><span class="nx">file</span><span class="p">.</span><span class="nx">size</span> <span class="o">&gt;</span> <span class="mi">10</span> <span class="o">*</span> <span class="mi">1024</span> <span class="o">*</span> <span class="mi">1024</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">File too big</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> 3. Backend Security Checks </h3> <p>Never trust incoming base64. Validate MIME types properly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Validate MIME type from actual content</span> <span class="k">import</span> <span class="nx">fileType</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">file-type</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">buffer</span> <span class="o">=</span> <span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">file</span><span class="p">.</span><span class="nx">base64</span><span class="p">,</span> <span class="dl">'</span><span class="s1">base64</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="kd">type</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">fileType</span><span class="p">.</span><span class="nf">fromBuffer</span><span class="p">(</span><span class="nx">buffer</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="kd">type</span><span class="p">?.</span><span class="nx">mime</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">'</span><span class="s1">image/</span><span class="dl">'</span><span class="p">))</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Invalid file type</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h2> When to Choose Which Approach? </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>FormData</th> <th>JSON + Base64</th> </tr> </thead> <tbody> <tr> <td><strong>Payload Structure</strong></td> <td>Flat key-value</td> <td>Complex nested JSON</td> </tr> <tr> <td><strong>File Size</strong></td> <td>Better for large files</td> <td>Keep under 10MB</td> </tr> <tr> <td><strong>Browser Support</strong></td> <td>Universal</td> <td>Modern browsers</td> </tr> <tr> <td><strong>Existing API Surface</strong></td> <td>Needs modification</td> <td>Works as-is</td> </tr> </tbody> </table></div> <h2> Try It Yourself </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyabuhi1kcdmadh7zcwng.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyabuhi1kcdmadh7zcwng.png" alt="Demo example" width="800" height="450"></a></p> <p>My complete example repo shows <strong>both</strong> approaches side-by-side with both the frontend and backend ready to go in one app: </p> <p><a href="https://file-upload-poc-next.vercel.app/" rel="noopener noreferrer">Vercel deploy</a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/brinobruno/file-upload-poc-next <span class="nb">cd </span>file-upload-poc-next </code></pre> </div> <p>follow <code>README.md</code></p> <p>✅ <strong>The demo includes:</strong> </p> <ul> <li>Side-by-side form comparison </li> <li>Error handling implementations </li> <li>File size validation </li> <li>UI feedback states </li> </ul> <h2> Parting Thoughts </h2> <p>This solution helped us ship file uploads <strong>without regressing existing functionality</strong>.<br><br> Is it perfect? No. But in complex codebases, <strong>pragmatic solutions</strong> often win over theoretical best practices. </p> <p>🚀 <strong>Coming soon:</strong> Implementing this pattern in <strong>Elixir Phoenix</strong>, as I'm learning this framework myself.</p> <p>👉 <strong>What file upload challenges have you faced?</strong> Drop your thoughts in the comments!</p> <h3> References </h3> <p>here are some authoritative sources and references you could explore for deeper insights:</p> <h4> WebSockets And SSE Documentation: </h4> <p><a href="https://developer.mozilla.org/en-US/docs/Web/API/File" rel="noopener noreferrer">MDN Web Docs: File</a><br> <a href="https://developer.mozilla.org/en-US/docs/Web/API/FormData" rel="noopener noreferrer">MDN Web Docs: FormData</a><br> <a href="https://developer.mozilla.org/en-US/docs/Glossary/Base64" rel="noopener noreferrer">MDN Web Docs: Base64</a></p> <h3> Let's connect </h3> <p>I'll share my relevant socials in case you want to connect:<br> <a href="https://github.com/brinobruno" rel="noopener noreferrer">Github</a><br> <a href="https://www.linkedin.com/in/brunociao/" rel="noopener noreferrer">LinkedIn</a><br> <a href="https://brunocorrea.dev/" rel="noopener noreferrer">Portfolio</a></p> webdev react nextjs tutorial Real-Time Web Communication: Long/Short Polling, WebSockets, and SSE Explained + Next.js code Bruno Corrêa Mon, 23 Sep 2024 12:24:25 +0000 https://forem.com/brinobruno/real-time-web-communication-longshort-polling-websockets-and-sse-explained-nextjs-code-1l43 https://forem.com/brinobruno/real-time-web-communication-longshort-polling-websockets-and-sse-explained-nextjs-code-1l43 <h3> Backstory: The Unexpected Interview Question </h3> <p>A few months ago, I was in the middle of a technical interview for a mid-level front-end position. Things were going smoothly until I was hit with a question that caught me slightly off guard.</p> <blockquote> <p>"Imagine you need a form of constant communication to check something every second until you retrieve something you need.</p> <p>For example, you want to keep checking if a payment has been successful, like in an e-commerce setup. How would you approach this?"</p> </blockquote> <p>I responded cautiously, “I think you could implement WebSockets to handle that.”</p> <p>The interviewer smiled. "That’s a good solution, but there are other, arguably better, options depending on the situation."</p> <p>And that’s when we dove into a conversation about various approaches to real-time communication, including <strong>Long Polling</strong>, <strong>Short Polling</strong>, <strong>WebSockets</strong>, and finally, <strong>Server-Sent Events (SSE)</strong>, which is arguably the best choice for a unidirectional data stream, like in our payment example.</p> <p>We also discussed choosing the right database for handling these constant, yet lightweight requests without draining server resources. In that context, <strong>Redis</strong> came up, known for its simplicity and efficiency in managing these types of requests.</p> <p>This conversation stuck with me. I realized that while WebSockets get a lot of attention, there’s a wide array of techniques that, when understood, can optimize the way we manage real-time communication. Today, I want to break down these four approaches, when to use each, and their pros and cons in a clear, engaging way. By the end, you’ll have a solid understanding of why Server-Sent Events (SSE) often shine for one-way, real-time communication.</p> <p>Before I begin, huge thanks to <a href="https://www.linkedin.com/in/marcospauloluiz/" rel="noopener noreferrer">Marcos</a>, the experienced Senior Software Engineer who conducted that chat and inspired me to write this article months later, which I much appreciated even though I didn't get the job! :)</p> <h3> The Four Methods of Real-Time Communication </h3> <p>Before jumping into the SSE example, let’s break down the four methods we discussed during that interview:</p> <h4> 1. <strong>Short Polling</strong> </h4> <p>Short polling is probably the simplest method. It involves making a request to the server at regular intervals, asking, “Do you have new data?” The server responds with the current state—whether or not there’s anything new.</p> <p><strong>Upside:</strong> </p> <ul> <li>Easy to implement</li> <li>Works with traditional HTTP requests</li> </ul> <p><strong>Downside:</strong></p> <ul> <li>It’s resource-heavy. You’re making frequent requests, even when no new data is available.</li> <li>Can increase server load and network traffic, which becomes inefficient for frequent checks like payment status updates.</li> </ul> <p><strong>Best for:</strong> Small, low-frequency data updates, such as a stock market price to update every minute or so.</p> <h4> 2. <strong>Long Polling</strong> </h4> <p>Long polling takes short polling a step further. The client repeatedly requests information from the server, but instead of the server responding right away, it holds onto the connection until new data is available. Once data is sent back, the client immediately opens a new connection and repeats the process.</p> <p><strong>Upside:</strong></p> <ul> <li>More efficient than short polling because the server only responds when necessary - it's really fast.</li> <li>Compatible with browsers and HTTP/HTTPS protocols.</li> </ul> <p><strong>Downside:</strong></p> <ul> <li>Still requires reopening connections repeatedly, leading to inefficiency over time - expensive resources.</li> <li>Slightly more complex than short polling.</li> </ul> <p><strong>Best for:</strong> Situations where real-time communication is needed but WebSockets/SSE might be overkill (e.g., chat applications).</p> <h4> 3. <strong>WebSockets</strong> </h4> <p>WebSockets are a more modern solution that provides full-duplex communication between client and server. Once a connection is opened, both sides can send data freely without re-establishing connections - which defines a bidirectional communication.</p> <p><strong>Upside:</strong></p> <ul> <li>True real-time communication with minimal latency.</li> <li>Great for bi-directional communication (e.g., real-time games, chat apps).</li> </ul> <p><strong>Downside:</strong></p> <ul> <li>More complex to implement than polling or SSE.</li> <li>WebSockets aren’t always ideal for one-way communication or less frequent updates, as they can consume resources by maintaining open connections.</li> <li>May need firewall configuration.</li> </ul> <p><strong>Best for:</strong> Applications requiring constant two-way communication, like multiplayer games, collaborative tools, chat applications, or real-time notifications.</p> <h4> 4. <strong>Server-Sent Events (SSE)</strong> </h4> <p>Finally, we come to <strong>Server-Sent Events</strong> (SSE), the hero of our payment example. SSE creates a one-way connection where the server sends updates to the client. Unlike WebSockets, this is unidirectional—the client doesn’t send data back.</p> <p><strong>Upside:</strong></p> <ul> <li>Ideal for one-way data streams like news feeds, stock tickers, or payment status updates.</li> <li>Lightweight and simpler to implement than WebSockets.</li> <li>Uses the existing HTTP connection, so it’s well-supported and firewall-friendly.</li> </ul> <p><strong>Downside:</strong></p> <ul> <li>Not suitable for bi-directional communication.</li> <li>Some browsers (particularly older versions of IE) don’t fully support SSE.</li> </ul> <p><strong>Best for:</strong> Real-time updates where the client only needs to receive data, such as live scores, notifications, and our payment status example.</p> <h3> SSE in Action: Real-Time Payment Status with Next.js </h3> <p>Let’s get to the heart of the matter. I built a simple Next.js app to simulate a real-time payment process using <strong>Server-Sent Events (SSE)</strong>. It demonstrates exactly how you can set up one-way communication to check the status of a payment and notify the user when the payment succeeds or fails.</p> <p>It's a bit of a headache to set it up for Next since it works a bit differently than plain js so you can thank me later!</p> <p>Here’s the setup:</p> <h4> Frontend: Transaction Control Component </h4> <p>In the following component, we have a simple UI displaying buttons to simulate different types of transactions that would come from an actual gateway API (Pix, Stripe, and a failing credit card payment). These buttons trigger real-time payment status updates through SSE.</p> <p>Here’s where the SSE magic happens. When a payment is simulated, the client opens an SSE connection to listen for updates from the server. It handles different statuses like pending, in transit, paid, and failed.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="dl">"</span><span class="s2">use client</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useState</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">react</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">PAYMENT_STATUSES</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../utils/payment-statuses</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">paymentButtons</span> <span class="o">=</span> <span class="p">[</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="dl">"</span><span class="s2">pix</span><span class="dl">"</span><span class="p">,</span> <span class="na">label</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Simulate payment with Pix</span><span class="dl">"</span><span class="p">,</span> <span class="na">bg</span><span class="p">:</span> <span class="dl">"</span><span class="s2">bg-green-200</span><span class="dl">"</span><span class="p">,</span> <span class="na">success</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="dl">"</span><span class="s2">stripe</span><span class="dl">"</span><span class="p">,</span> <span class="na">label</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Simulate payment with Stripe</span><span class="dl">"</span><span class="p">,</span> <span class="na">bg</span><span class="p">:</span> <span class="dl">"</span><span class="s2">bg-blue-200</span><span class="dl">"</span><span class="p">,</span> <span class="na">success</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="dl">"</span><span class="s2">credit</span><span class="dl">"</span><span class="p">,</span> <span class="na">label</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Simulate failing payment</span><span class="dl">"</span><span class="p">,</span> <span class="na">bg</span><span class="p">:</span> <span class="dl">"</span><span class="s2">bg-red-200</span><span class="dl">"</span><span class="p">,</span> <span class="na">success</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="p">},</span> <span class="p">];</span> <span class="kd">type</span> <span class="nx">transaction</span> <span class="o">=</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">amount</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">success</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">DOMAIN_URL</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_DOMAIN_URL</span><span class="p">;</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">TransactionControl</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">status</span><span class="p">,</span> <span class="nx">setStatus</span><span class="p">]</span> <span class="o">=</span> <span class="nx">useState</span><span class="o">&lt;</span><span class="kr">string</span><span class="o">&gt;</span><span class="p">(</span><span class="dl">""</span><span class="p">);</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">isProcessing</span><span class="p">,</span> <span class="nx">setIsProcessing</span><span class="p">]</span> <span class="o">=</span> <span class="nx">useState</span><span class="o">&lt;</span><span class="nx">boolean</span><span class="o">&gt;</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">handleTransaction</span><span class="p">({</span> <span class="kd">type</span><span class="p">,</span> <span class="nx">amount</span><span class="p">,</span> <span class="nx">success</span> <span class="p">}:</span> <span class="nx">transaction</span><span class="p">)</span> <span class="p">{</span> <span class="nf">setIsProcessing</span><span class="p">(</span><span class="kc">true</span><span class="p">);</span> <span class="nf">setStatus</span><span class="p">(</span><span class="dl">"</span><span class="s2">Payment is in progress...</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">eventSource</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">EventSource</span><span class="p">(</span> <span class="s2">`</span><span class="p">${</span><span class="nx">DOMAIN_URL</span><span class="p">}</span><span class="s2">/payment?type=</span><span class="p">${</span><span class="kd">type</span><span class="p">}</span><span class="s2">&amp;amount=</span><span class="p">${</span><span class="nx">amount</span><span class="p">}</span><span class="s2">&amp;success=</span><span class="p">${</span><span class="nx">success</span><span class="p">}</span><span class="s2">`</span> <span class="p">);</span> <span class="nx">eventSource</span><span class="p">.</span><span class="nx">onmessage</span> <span class="o">=</span> <span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">data</span><span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">status</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">data</span><span class="p">;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">data</span><span class="p">);</span> <span class="k">switch </span><span class="p">(</span><span class="nx">status</span><span class="p">)</span> <span class="p">{</span> <span class="k">case</span> <span class="nx">PAYMENT_STATUSES</span><span class="p">.</span><span class="na">PENDING</span><span class="p">:</span> <span class="nf">setStatus</span><span class="p">(</span><span class="dl">"</span><span class="s2">Payment is in progress...</span><span class="dl">"</span><span class="p">);</span> <span class="k">break</span><span class="p">;</span> <span class="k">case</span> <span class="nx">PAYMENT_STATUSES</span><span class="p">.</span><span class="na">IN_TRANSIT</span><span class="p">:</span> <span class="nf">setStatus</span><span class="p">(</span><span class="dl">"</span><span class="s2">Payment is in transit...</span><span class="dl">"</span><span class="p">);</span> <span class="k">break</span><span class="p">;</span> <span class="k">case</span> <span class="nx">PAYMENT_STATUSES</span><span class="p">.</span><span class="na">PAID</span><span class="p">:</span> <span class="nf">setIsProcessing</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span> <span class="nf">setStatus</span><span class="p">(</span><span class="dl">"</span><span class="s2">Payment completed!</span><span class="dl">"</span><span class="p">);</span> <span class="nx">eventSource</span><span class="p">.</span><span class="nf">close</span><span class="p">();</span> <span class="k">break</span><span class="p">;</span> <span class="k">case</span> <span class="nx">PAYMENT_STATUSES</span><span class="p">.</span><span class="na">CANCELED</span><span class="p">:</span> <span class="nf">setIsProcessing</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span> <span class="nf">setStatus</span><span class="p">(</span><span class="dl">"</span><span class="s2">Payment failed!</span><span class="dl">"</span><span class="p">);</span> <span class="nx">eventSource</span><span class="p">.</span><span class="nf">close</span><span class="p">();</span> <span class="k">break</span><span class="p">;</span> <span class="nl">default</span><span class="p">:</span> <span class="nf">setStatus</span><span class="p">(</span><span class="dl">""</span><span class="p">);</span> <span class="nf">setIsProcessing</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span> <span class="nx">eventSource</span><span class="p">.</span><span class="nf">close</span><span class="p">();</span> <span class="k">break</span><span class="p">;</span> <span class="p">}</span> <span class="p">};</span> <span class="p">}</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="s">"flex flex-col gap-3"</span><span class="p">&gt;</span> <span class="si">{</span><span class="nx">paymentButtons</span><span class="p">.</span><span class="nf">map</span><span class="p">(({</span> <span class="nx">id</span><span class="p">,</span> <span class="nx">label</span><span class="p">,</span> <span class="nx">bg</span><span class="p">,</span> <span class="nx">success</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">(</span> <span class="p">&lt;</span><span class="nt">button</span> <span class="na">key</span><span class="p">=</span><span class="si">{</span><span class="nx">id</span><span class="si">}</span> <span class="na">className</span><span class="p">=</span><span class="si">{</span><span class="s2">`</span><span class="p">${</span><span class="nx">bg</span><span class="p">}</span><span class="s2"> text-background rounded-full font-medium py-2 px-4 disabled:brightness-50 disabled:opacity-50`</span><span class="si">}</span> <span class="na">onClick</span><span class="p">=</span><span class="si">{</span><span class="p">()</span> <span class="o">=&gt;</span> <span class="nf">handleTransaction</span><span class="p">({</span> <span class="na">type</span><span class="p">:</span> <span class="nx">id</span><span class="p">,</span> <span class="na">amount</span><span class="p">:</span> <span class="mi">101</span><span class="p">,</span> <span class="nx">success</span> <span class="p">})</span> <span class="si">}</span> <span class="na">disabled</span><span class="p">=</span><span class="si">{</span><span class="nx">isProcessing</span><span class="si">}</span> <span class="p">&gt;</span> <span class="si">{</span><span class="nx">label</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">button</span><span class="p">&gt;</span> <span class="p">))</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="si">{</span><span class="nx">status</span> <span class="o">&amp;&amp;</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="s">"mt-4 text-lg font-medium"</span><span class="p">&gt;</span><span class="si">{</span><span class="nx">status</span><span class="si">}</span><span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h4> Backend: SSE Implementation in Next.js </h4> <p>On the server side, we simulate a payment process by sending periodic status updates through SSE. As the transaction progresses, the client will receive updates on whether the payment is still pending, has been completed, or has failed.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">NextRequest</span><span class="p">,</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">PAYMENT_STATUSES</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../utils/payment-statuses</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">runtime</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">edge</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">dynamic</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">force-dynamic</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// eslint-disable-next-line @typescript-eslint/no-unused-vars</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">GET</span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">,</span> <span class="nx">res</span><span class="p">:</span> <span class="nx">NextResponse</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">searchParams</span> <span class="p">}</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">url</span> <span class="k">as</span> <span class="kr">string</span><span class="p">);</span> <span class="kd">const</span> <span class="kd">type</span> <span class="o">=</span> <span class="nx">searchParams</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">type</span><span class="dl">"</span><span class="p">)</span> <span class="o">||</span> <span class="kc">null</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">amount</span> <span class="o">=</span> <span class="nf">parseFloat</span><span class="p">(</span><span class="nx">searchParams</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">amount</span><span class="dl">"</span><span class="p">)</span> <span class="o">||</span> <span class="dl">"</span><span class="s2">0</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">success</span> <span class="o">=</span> <span class="nx">searchParams</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">success</span><span class="dl">"</span><span class="p">)</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">true</span><span class="dl">"</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="kd">type</span> <span class="o">||</span> <span class="nx">amount</span> <span class="o">&lt;</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">Response</span><span class="p">(</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">invalid transaction</span><span class="dl">"</span> <span class="p">}),</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">400</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Content-Type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">application/json</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">responseStream</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">TransformStream</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">writer</span> <span class="o">=</span> <span class="nx">responseStream</span><span class="p">.</span><span class="nx">writable</span><span class="p">.</span><span class="nf">getWriter</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">encoder</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">TextEncoder</span><span class="p">();</span> <span class="kd">let</span> <span class="nx">closed</span> <span class="o">=</span> <span class="kc">false</span><span class="p">;</span> <span class="kd">function</span> <span class="nf">sendStatus</span><span class="p">(</span><span class="nx">status</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="nx">writer</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span> <span class="nx">encoder</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span><span class="s2">`data: </span><span class="p">${</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="nx">status</span><span class="p">,</span> <span class="kd">type</span><span class="p">,</span> <span class="nx">amount</span> <span class="p">})}</span><span class="s2">\n\n`</span><span class="p">)</span> <span class="p">);</span> <span class="p">}</span> <span class="c1">// Payment gateway simulation</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">processTransaction</span><span class="p">()</span> <span class="p">{</span> <span class="nf">sendStatus</span><span class="p">(</span><span class="nx">PAYMENT_STATUSES</span><span class="p">.</span><span class="nx">PENDING</span><span class="p">);</span> <span class="kd">function</span> <span class="nf">simulateSuccess</span><span class="p">()</span> <span class="p">{</span> <span class="nf">setTimeout</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">closed</span><span class="p">)</span> <span class="p">{</span> <span class="nf">sendStatus</span><span class="p">(</span><span class="nx">PAYMENT_STATUSES</span><span class="p">.</span><span class="nx">IN_TRANSIT</span><span class="p">);</span> <span class="p">}</span> <span class="p">},</span> <span class="mi">3000</span><span class="p">);</span> <span class="nf">setTimeout</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">closed</span><span class="p">)</span> <span class="p">{</span> <span class="nf">sendStatus</span><span class="p">(</span><span class="nx">PAYMENT_STATUSES</span><span class="p">.</span><span class="nx">PAID</span><span class="p">);</span> <span class="c1">// Close the stream and mark closed to prevent further writes</span> <span class="nx">writer</span><span class="p">.</span><span class="nf">close</span><span class="p">();</span> <span class="nx">closed</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> <span class="p">}</span> <span class="p">},</span> <span class="mi">6000</span><span class="p">);</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">simulateFailure</span><span class="p">()</span> <span class="p">{</span> <span class="nf">setTimeout</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">closed</span><span class="p">)</span> <span class="p">{</span> <span class="nf">sendStatus</span><span class="p">(</span><span class="nx">PAYMENT_STATUSES</span><span class="p">.</span><span class="nx">CANCELED</span><span class="p">);</span> <span class="c1">// Close the stream and mark closed to prevent further writes</span> <span class="nx">writer</span><span class="p">.</span><span class="nf">close</span><span class="p">();</span> <span class="nx">closed</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> <span class="p">}</span> <span class="p">},</span> <span class="mi">3000</span><span class="p">);</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">success</span> <span class="o">===</span> <span class="kc">false</span><span class="p">)</span> <span class="p">{</span> <span class="nf">simulateFailure</span><span class="p">();</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="nf">simulateSuccess</span><span class="p">();</span> <span class="p">}</span> <span class="k">await</span> <span class="nf">processTransaction</span><span class="p">();</span> <span class="c1">// Return the SSE response</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">Response</span><span class="p">(</span><span class="nx">responseStream</span><span class="p">.</span><span class="nx">readable</span><span class="p">,</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Access-Control-Allow-Origin</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">*</span><span class="dl">"</span><span class="p">,</span> <span class="na">Connection</span><span class="p">:</span> <span class="dl">"</span><span class="s2">keep-alive</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">X-Accel-Buffering</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">no</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Content-Type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">text/event-stream; charset=utf-8</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Cache-Control</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">no-cache, no-transform</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Content-Encoding</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">none</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>Also, make sure you add .env.local file with this content:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>NEXT_PUBLIC_DOMAIN_URL='http://localhost:3000' </code></pre> </div> <h3> Why SSE Over WebSockets in This Case? </h3> <p>Now that we’ve seen how to implement it, you might be wondering: why use SSE over WebSockets for this? Here’s why:</p> <ul> <li> <strong>Unidirectional Communication:</strong> In our scenario, the client only needs to receive updates about the payment status. There’s no need for the client to send data back to the server constantly, so the simplicity of SSE fits perfectly.</li> <li> <strong>Lightweight:</strong> Since SSE uses a single HTTP connection to stream updates, it’s more resource-efficient compared to WebSockets, which maintain full-duplex communication.</li> <li> <strong>Firewall-Friendly:</strong> SSE is easier to work with across different network environments because it runs over HTTP, which is usually open in firewalls, whereas WebSocket connections can sometimes run into issues.</li> <li> <strong>Browser Support:</strong> While not as widely supported as WebSockets, SSE is supported by modern browsers, making it reliable for most use cases where unidirectional data is needed.</li> </ul> <h3> Conclusion: Know Your Tools </h3> <p>That interview question turned into an incredible learning experience, opening my eyes to the subtle differences between long polling, short polling, WebSockets, and SSE. Each method has its time and place, and understanding when to use which one is crucial for optimizing real-time communication.</p> <p>SSE might not be as glamorous as WebSockets, but when it comes to efficient, one-way communication, it's the perfect tool for the job—just like in our e-commerce payment example. Next time you're building something that requires real-time updates, don’t just reach for WebSockets by default—consider SSE for its simplicity and efficiency.</p> <p>Hope this deep dive into real-time communication techniques keeps you sharp for your next project or that tricky interview question!</p> <h3> Let's get our hands dirty </h3> <p>Next.js + TypeScript example repository: <a href="https://github.com/brinobruno/sse-next" rel="noopener noreferrer">https://github.com/brinobruno/sse-next</a><br> Next.js + TypeScript example deployment: <a href="https://sse-next-one.vercel.app/" rel="noopener noreferrer">https://sse-next-one.vercel.app/</a></p> <h3> References </h3> <p>here are some authoritative sources and references you could explore for deeper insights:</p> <h4> WebSockets And SSE Documentation: </h4> <p><a href="https://developer.mozilla.org/en-US/docs/Web/API/WebSockets_API" rel="noopener noreferrer">MDN Web Docs: The WebSockets API</a><br> <a href="https://developer.mozilla.org/en-US/docs/Web/API/Server-sent_events/Using_server-sent_events" rel="noopener noreferrer">MDN Web Docs: Using Server Sent Events</a></p> <h4> Next API Routes </h4> <p><a href="https://nextjs.org/docs/pages/building-your-application/routing/api-routes" rel="noopener noreferrer">Next.js: API Routes</a></p> <h3> Let's connect </h3> <p>I'll share my relevant socials in case you want to connect:<br> <a href="https://github.com/brinobruno" rel="noopener noreferrer">Github</a><br> <a href="https://www.linkedin.com/in/brunociao/" rel="noopener noreferrer">LinkedIn</a><br> <a href="https://brunocorrea.dev/" rel="noopener noreferrer">Portfolio</a></p> webdev javascript nextjs tutorial How to Use Shadow DOM and Honeypots to Deter Crawlers Bruno Corrêa Mon, 16 Sep 2024 21:18:53 +0000 https://forem.com/brinobruno/how-to-use-shadow-dom-and-honeypots-to-deter-crawlers-5831 https://forem.com/brinobruno/how-to-use-shadow-dom-and-honeypots-to-deter-crawlers-5831 <blockquote> <p>This is a short introduction and demonstration on how we can increase security on forms, especially against crawling, it's noticeable that it's most likely overkill for most applications but very interesting for those who want to understand a bit more about such practices as and how it's possible to undermine them.</p> </blockquote> <p><strong>Disclaimer</strong>: This post was inspired by <a href="https://felipperegazio.com/" rel="noopener noreferrer">Felippe Regazio</a>, on a late-night coding stream, make sure to give him a follow. Huge thanks. Also, I'm not a senior dev, so please feel free to double-check any information you believe I could've misstated so that we can correct/improve it together.</p> <h3> Next.js + TypeScript implementation app: </h3> <p>For any purposes, <a href="https://github.com/brinobruno/shadow-dom-react-next" rel="noopener noreferrer">you can refer to this repo</a> to check out the application I made to learn and demonstrate the following concepts, You can also just as easily make this with HTML, CSS, and JavaScript, since there were less examples on React, I've decided to build one approach of it here.</p> <p>Also, feel free to try and hack it too, I've made a <a href="//shadow-dom-react-next.vercel.app">deployment available here</a>.</p> <h3> Understanding Web Crawlers </h3> <p>Web crawlers, also known as bots or spiders, are automated programs designed to browse the internet and gather data. They're essential for search engines like Google, but they can also be used for more malicious purposes, like scraping sensitive information or submitting spam through forms. Crawlers often utilize JavaScript methods like <code>document.querySelectorAll()</code> or <code>document.forms</code> to identify and interact with elements, such as form fields, by their <code>name</code> attributes.</p> <p>Most crawlers look for predictable patterns, such as:</p> <ul> <li><code>input[name="name"]</code></li> <li><code>input[name="email"]</code></li> <li><code>input[type="submit"]</code></li> </ul> <h3> The Risks of Crawling </h3> <p>While crawling itself isn't inherently bad, when malicious bots target your site, it can result in spam form submissions, scraping sensitive data, or even overloading your server with requests. That's where Shadow DOM and honeypots come into play as security measures.</p> <h3> What is Shadow DOM? </h3> <p>The Shadow DOM is a part of the Web Components standard that allows for the encapsulation of DOM trees. Essentially, elements in a Shadow DOM tree are isolated from the rest of the document, preventing external scripts (like those from crawlers) from easily accessing them.</p> <p>Another common use for Shadow DOM is when you have any service app that a website can embed into their platform and you want to make sure that any important information won't be able to be changed, such as what an input title represents, or even a copyright statement such as <em>"Powered by my-app-name"</em>, which is pretty common on e-commerce apps for Shopify, WordPress, amongst others.</p> <h4> Pros of Using Shadow DOM for Forms: </h4> <ul> <li> <strong>Encapsulation:</strong> Elements within the Shadow DOM are not accessible by global selectors such as <code>document.querySelectorAll</code>. Crawlers won't be able to easily find or interact with these elements.</li> <li> <strong>Style isolation:</strong> CSS and JavaScript scoped to a Shadow DOM will not leak into the main document, and vice versa. This makes the UI more secure from unintended changes or external interference. And of course, that can also be a downside from other perspectives.</li> </ul> <h4> Downsides: </h4> <ul> <li> <strong>Limited accessibility:</strong> Shadow DOM can make elements harder to access for legitimate purposes, such as custom analytics or third-party tools.</li> <li> <strong>Potential developer complexity:</strong> You need to carefully manage interactions between Shadow DOM and the rest of your site to avoid conflicts, especially when debugging.</li> </ul> <h3> Using Shadow DOM to Hide Forms </h3> <p>By placing a form inside the Shadow DOM, bots attempting to use <code>document.forms</code> or <code>document.querySelectorAll</code> will not be able to access it. Here’s an example of encapsulating a form using Shadow DOM:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="kd">const</span> <span class="nx">ShadowForm</span><span class="p">:</span> <span class="nx">React</span><span class="p">.</span><span class="nx">FC</span> <span class="o">=</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">formRef</span> <span class="o">=</span> <span class="nx">useRef</span><span class="o">&lt;</span><span class="nx">HTMLDivElement</span><span class="o">&gt;</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">shadowRootRef</span> <span class="o">=</span> <span class="nx">useRef</span><span class="o">&lt;</span><span class="nx">ShadowRoot</span> <span class="o">|</span> <span class="kc">null</span><span class="o">&gt;</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">formRef</span><span class="p">.</span><span class="nx">current</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="nx">shadowRootRef</span><span class="p">.</span><span class="nx">current</span><span class="p">)</span> <span class="p">{</span> <span class="nx">shadowRootRef</span><span class="p">.</span><span class="nx">current</span> <span class="o">=</span> <span class="nx">formRef</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nf">attachShadow</span><span class="p">({</span> <span class="na">mode</span><span class="p">:</span> <span class="dl">"</span><span class="s2">closed</span><span class="dl">"</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">form</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="dl">"</span><span class="s2">form</span><span class="dl">"</span><span class="p">);</span> <span class="nx">form</span><span class="p">.</span><span class="nx">noValidate</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> <span class="nx">form</span><span class="p">.</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="s2">` &lt;input type="text" name="name" aria-hidden&gt; &lt;!-- Regular form fields here --&gt; `</span><span class="p">;</span> <span class="nx">shadowRootRef</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nf">appendChild</span><span class="p">(</span><span class="nx">form</span><span class="p">);</span> <span class="p">}</span> <span class="p">},</span> <span class="p">[]);</span> <span class="k">return</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">ref</span><span class="p">=</span><span class="si">{</span><span class="nx">formRef</span><span class="si">}</span><span class="p">&gt;&lt;/</span><span class="nt">div</span><span class="p">&gt;;</span> <span class="p">};</span> </code></pre> </div> <p>In this example, the form fields, including an anti-crawler honeypot field (<code>name="name"</code>), are encapsulated in the Shadow DOM, preventing external scripts from accessing or interacting with the form.</p> <h3> The Honeypot Technique </h3> <p>A honeypot is a hidden field added to a form, which humans can’t see but bots might fill out. If the field is filled, it indicates a likely bot interaction, and you can prevent the form submission. </p> <p>In this case, the field is hidden both visually (via <code>aria-hidden</code>) and through its encapsulation in the Shadow DOM:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="kd">const</span> <span class="nx">FIELD</span> <span class="o">=</span> <span class="p">{</span> <span class="na">HONEYPOT</span><span class="p">:</span> <span class="dl">"</span><span class="s2">name</span><span class="dl">"</span><span class="p">,</span> <span class="na">NAME</span><span class="p">:</span> <span class="dl">"</span><span class="s2">%</span><span class="dl">"</span><span class="p">,</span> <span class="na">EMAIL</span><span class="p">:</span> <span class="dl">"</span><span class="s2">@</span><span class="dl">"</span><span class="p">,</span> <span class="na">PASSWORD</span><span class="p">:</span> <span class="dl">"</span><span class="s2">$</span><span class="dl">"</span><span class="p">,</span> <span class="na">CONFIRM_PASSWORD</span><span class="p">:</span> <span class="dl">"</span><span class="s2">C</span><span class="dl">"</span><span class="p">,</span> <span class="p">};</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">handleFormSubmission</span><span class="p">(</span><span class="nx">formData</span><span class="p">:</span> <span class="nx">FormData</span><span class="p">,</span> <span class="nx">showError</span><span class="p">:</span> <span class="p">(</span><span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">message</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="k">void</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">formData</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">FIELD</span><span class="p">.</span><span class="nx">HONEYPOT</span><span class="p">))</span> <span class="p">{</span> <span class="c1">// Prevent submission</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Continue with validation...</span> <span class="p">}</span> </code></pre> </div> <p>Here, <code>FIELD.HONEYPOT</code> represents a field that bots may fill in. If the field is filled, the form submission is blocked, preventing spam submissions.</p> <h3> Using Special Characters in Input Names </h3> <p>Many crawlers rely on identifying common field names such as <code>name</code>, <code>email</code>, and <code>password</code>. By using unconventional names like <code>@</code>, <code>%</code>, or <code>$</code>, you make it harder for crawlers to identify key fields.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="kd">const</span> <span class="nx">inputConfigs</span> <span class="o">=</span> <span class="p">[</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">%</span><span class="dl">"</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">text</span><span class="dl">"</span><span class="p">,</span> <span class="na">placeholder</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Name</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">@</span><span class="dl">"</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">email</span><span class="dl">"</span><span class="p">,</span> <span class="na">placeholder</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Email</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">$</span><span class="dl">"</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">password</span><span class="dl">"</span><span class="p">,</span> <span class="na">placeholder</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Password</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">C</span><span class="dl">"</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">password</span><span class="dl">"</span><span class="p">,</span> <span class="na">placeholder</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Confirm Password</span><span class="dl">"</span> <span class="p">},</span> <span class="p">];</span> </code></pre> </div> <p>Using non-standard input names reduces the likelihood of bots correctly filling in form fields, while still being fully functional for human users.</p> <h3> Why This Might Be Overkill for Most Sites </h3> <p>While combining Shadow DOM with honeypots and unconventional input names can improve security against automated form submissions, this level of defense is generally more suitable for high-risk environments. Many websites don’t need to go to these lengths because simpler anti-bot solutions, like CAPTCHAs or rate-limiting, are often effective.</p> <h3> Potential Side Effects </h3> <ul> <li> <strong>SEO Implications:</strong> Because elements inside Shadow DOM are hidden from the rest of the document, some search engines might not be able to index your content properly.</li> <li> <strong>User Experience:</strong> Over-complicating the form submission process might frustrate legitimate users or make the form inaccessible to certain browsers or assistive technologies.</li> </ul> <h3> Conclusion </h3> <p>Using the Shadow DOM, honeypots, and unconventional input names offers a robust, albeit niche, security approach to fend off form-submitting bots. These methods hide form fields from common crawling techniques and add extra layers of protection to ensure your forms are only submitted by humans. However, it’s important to weigh the benefits against the potential downsides and determine if this approach is truly necessary for your site.</p> <h3> Let's get our hands dirty </h3> <p>Next.js + TypeScript example repository: <a href="https://github.com/brinobruno/shadow-dom-react-next" rel="noopener noreferrer">https://github.com/brinobruno/shadow-dom-react-next</a><br> Next.js + TypeScript example deployment: <a href="https://shadow-dom-react-next.vercel.app/" rel="noopener noreferrer">https://shadow-dom-react-next.vercel.app/</a></p> <h3> References </h3> <p>here are some authoritative sources and references you could explore for deeper insights:</p> <h4> Shadow DOM Documentation: </h4> <p><a href="https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_shadow_DOM" rel="noopener noreferrer">MDN Web Docs: Shadow DOM</a><br> <a href="https://web.dev/articles/shadowdom-v1" rel="noopener noreferrer">Web Dev: Shadow DOM</a></p> <h4> FormData and XMLHttpRequest: </h4> <p><a href="https://developer.mozilla.org/en-US/docs/Web/API/FormData" rel="noopener noreferrer">MDN Web Docs: FormData</a><br> <a href="https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest" rel="noopener noreferrer">MDN Web Docs: XMLHttpRequest</a></p> <h4> Honeypot Technique: </h4> <p><a href="https://www.kaspersky.com/resource-center/threats/what-is-a-honeypot" rel="noopener noreferrer">Kaspersky: Honeypot Techniques</a></p> <h4> Cross-Site Request Forgery (CSRF): </h4> <p><a href="https://owasp.org/www-community/attacks/csrf" rel="noopener noreferrer">OWASP: Cross-Site Request Forgery (CSRF)</a></p> <h3> Let's connect </h3> <p>I'll share my relevant socials in case you want to connect:<br> <a href="https://github.com/brinobruno" rel="noopener noreferrer">Github</a><br> <a href="https://www.linkedin.com/in/brunociao/" rel="noopener noreferrer">LinkedIn</a><br> <a href="https://www.brunocorrea.dev/" rel="noopener noreferrer">Portfolio</a></p> webdev security nextjs tutorial