- [[SvelteKit security issues]], [[prevent data leakage in SvelteKit]]

# Idea

When you create a store at module level, it becomes a global object on the server in [[server-side rendering]] environments. This object exists outside the scope of an individual request and persists for the lifetime of the server process. Importantly, your store is a [[singleton pattern|singleton]] in memory server-side: there is only a single instance of that object in memory on the server. Thus, this singleton is shared across all HTTP requests hitting your server from different users. A store is contextual to each instance of your app.

See article: [State Management in SvelteKit](https://blog.aakashgoplani.in/avoid-shared-state-on-the-server-in-sveltekit)

![[20240814093127.png]]

We need to [[prevent data leakage in SvelteKit]].

```js
// store.js
import { writable } from 'svelte/store';

// Module-level store: on the server this is one object for the whole process
export const count = writable(0);
```

In a client-side-only application, each user has their own instance of this store, so it works fine. However, in [[server-side rendering|SSR]]:

- user A increments the counter to 5
- user B then loads the page
- user B might see the counter at 5, not 0, because the store is shared

## Implications

- Data Persistence: Data in the store persists between different user requests. This can lead to unintended data sharing between users.
- State Management Challenges: It becomes crucial to manage the store's state carefully to avoid leaking information between different users' sessions.
- Potential Security Risks: Sensitive user data stored in these global stores could be exposed to other users.
- Performance Considerations: While sharing a single instance can be memory-efficient, it may lead to concurrency issues under high load.
- Inconsistent Behavior: The behavior of the application might differ between server-side and client-side rendering, leading to inconsistencies.
# References

- [Svelte Makes Global State Easy Using Stores](https://joyofcode.xyz/svelte-stores-guide#using-stores-on-the-server)
- [State management • Docs • SvelteKit](https://kit.svelte.dev/docs/state-management)
- [Sharing a global variable across multiple requests is unsafe in SSR · sveltejs/kit · Discussion #4339 · GitHub](https://github.com/sveltejs/kit/discussions/4339)
- [Using a Svelte store in the load function causes weird behavior · Issue #2213 · sveltejs/kit · GitHub](https://github.com/sveltejs/kit/issues/2213#issuecomment-1013771504)
- [Global Stores Are Dangerous - YouTube](https://www.youtube.com/watch?v=EyDV5XLfagg) (great runes + context + class tutorial)
- https://www.youtube.com/watch?v=MBSYHW50xb8&t=1832s
- [Safe SvelteKit Stores for SSR - DEV Community](https://dev.to/brendanmatkin/safe-sveltekit-stores-for-ssr-5a0h) (see the [stores with context](https://dev.to/brendanmatkin/safe-sveltekit-stores-for-ssr-5a0h#stores-with-context) section)
- [Discord](https://discord.com/channels/457912077277855764/1107384981921210418)