[Next13 App dir] Bug with server-only being used in an API route handler

[KolbySisk]

Verify canary release

• I verified that the issue exists in the latest Next.js canary release

Provide environment information

Operating System:
  Platform: darwin
  Arch: arm64
  Version: Darwin Kernel Version 22.0.0: Mon Aug  1 06:32:20 PDT 2022; root:xnu-8792.0.207.0.6~26/RELEASE_ARM64_T6000
Binaries:
  Node: 16.15.0
  npm: 8.5.5
  Yarn: N/A
  pnpm: N/A
Relevant packages:
  next: 13.0.6
  eslint-config-next: 13.0.6
  react: 18.2.0
  react-dom: 18.2.0

Which area(s) of Next.js are affected? (leave empty if unsure)

App directory (appDir: true)

Link to reproduction - Issues with a link to complete (but minimal) reproduction code will be addressed faster

https://github.com/KolbySisk/next-server-only-bug

To Reproduce

1. Create a client component that makes a request to an api route (A form that posts data to an api route, for example)
   2.npm i server-only
2. Add import "server-only"; to the api route.
3. Run and make the request to the api route.

See error:

You're importing a component that needs server-only. That only works in a Server Component but one of its parents is marked with "use client", so it's a Client Component.

Describe the Bug

API routes are handled only on the server, so I would expect import "server-only"; to work fine.

More realistically, I have a function which includes sensitive information that I want to ensure only runs on the server. It can be used in both a server component, and an API route, given the context.

I'm also curious how Next even knows about the relationship between a client component and an API route handler.

Expected Behavior

Code is executed as expected without the error.

Which browser are you using? (if relevant)

No response

How are you deploying your application? (if relevant)

No response

_NEXT-1385

[Fredkiss3]

I think you don’t need to import server only in an api route. Since when used in a api route it is sure to only run on the server.

I think the problem is that server-only can only work and give you the correct errors if it used in a context of a component, and maybe NextJs confuse the api handler for a component when import server-only is used, I may be wrong though.

[HStromfelt]

I think there is still an issue with API routes wrongly being confused with client components. I have a function that uses:

import { cookies } from "next/headers";

and is used in an API route. The function should only be run by server-side code so this is ok, but NextJS thinks that the calling functions (API routes) are client-side:

./lib/getUser.js

You're importing a component that needs next/headers. That only works in a Server Component but one of its parents is marked with "use client", so it's a Client Component.

   ,----
 7 | import { cookies } from "next/headers";
   : ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   `----

One of these is marked as a client entry with "use client":
  lib/getUser.js
  pages/api/stripe/create-account.js

I can fix by adding import "server-only" to the api files but then I get the same error as @KolbySisk.

[Fredkiss3]

I think it is rightfully a bug, with NextJs confusing the api route as a client component, but I also think that these directives should fail, as you imported cookies which is a function you can only use in server components but not anywhere else, you’d have to use the request object in your api handler.

same thing for server-only which is supposed to be a guardrail when you import them from a react component (wether it is client or server one).

When you try to use them in a different context out of react (i.e api handlers) NextJs is lost and produces and generic incorrect error

[ayhanap]

I get the same error whenever I import import { cookies } from 'next/headers'; in middleware.ts. Or any other file imports 'next/headers'.

[Fredkiss3]

@ayhanap You can only import { cookies } from 'next/headers'; inside of server components not anywhere else.
In middleware or api handlers, you should use the request object.

[larsniet]

Same thing here.

When I run fetch within a "use client" (signup in this instance) page and use this server-side only import on the API's side:

// pages/api/auth/signup.ts
import { createServerClient } from "@utils/supabase-server";

It returns:

You're importing a component that needs next/headers. That only works in a Server Component but one of its parents is marked with "use client", so it's a Client Component.
   ,----
 1 | import { headers, cookies } from "next/headers";
   : ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   `----

One of these is marked as a client entry with "use client":
  src/utils/supabase-server.ts
  src/pages/api/auth/signup.ts

Even though I did not nest my API route within the "use client" page, it still thinks I did. My guess is that NextJS has some issues with combining API routes and the new App directory.

[boatilus]

A similar issue also manifests when importing anything into a server component from a module that also imports a module which imports certain client-only features, such as useReducer, including simple functions which, say, just return a string. That's a fairly long-winded and convoluted way of saying that this error message is the result of a false positive.

A simple repro is here. Attempting to build it results in the following error despite that the imported function does not require useReducer, even if a parent module imports it:

You're importing a component that needs useReducer. It only works in a Client Component but none of its parents are marked with "use client", so they're Server Components by default.

I encountered this error when upgrading from 13.0.2 to 13.0.3 in a project that uses Jotai. If one defines Jotai atoms in the same module as (as an example) related, but orthogonal, helper functions, then imports those helper functions into a server-only component, this error is raised.

A workaround was to split the helper functions into their own module, which at scale is probably an intractable solution.

[Fredkiss3]

@boatilus I think nextjs or more so react evaluate the components from top to bottom with imports firsts. But the logical reason i think is that when importing a package from a file, the bundler would have to include the package when compiling your file even if it is only used by different functions inside the file.
And when you import a function from that file within a server-component, you will end up with an undefined import (useReducer in your example), since the client only packages and functions are not included within server-components.

At scale i don't know why it would be problem, and if the helper functions could be used outside of the file which import them, it is not a bad idea to put them in a different file.

[boatilus]

That'd be the case if the import was not tree-shaken, yes. Please reference the repro.

In this case: the exported function does not rely on a client-only construct, as tree-shaking would omit the imported module with the useReducer import, and the error is therefore non-constructive in this particular case.

[logemann]

I also have this bug. Just creating a simple API route like this one:

import type { NextApiRequest, NextApiResponse } from 'next'
import { headers, cookies } from 'next/headers';

type Data = {
  name: string
}

export default function handler(
  req: NextApiRequest,
  res: NextApiResponse<Data>
) {
  console.log(headers);
  res.status(200).json({ name: 'John Doe' })
}

Error is this:

You're importing a component that needs next/headers. That only works in a Server Component but one of its parents is marked with "use client", so it's a Client Component.
...
One of these is marked as a client entry with "use client":
  pages/api/hello.ts

So NextJS treats this api route component as a client component?! In the beta docs there is no hint that API routes are not working with latest release so that i am still a bit unsure if this is really a bug.

NextJS v13.1.1

[Fredkiss3]

@logemann

You can only import { cookies } from 'next/headers'; inside of server components and not anywhere else.
In api handlers, you should use the req object with req.headers (I think) and req.cookies.

[jpreynat]

Same thing on my end.
I am using server-side logic code in a Server component with server-only, and it is working properly.
However, now I need to use the same logic in my API and my build is failing.

[m-foskett]

I am getting the same error as OP in a more complicated context but same issue of a call to API route handler from Client Component. I am using Next.js 13.2.4

Context:
I am using useSWR(key, fetcher) with some data as an argument in a Client Component.
The fetcher/helper function is marked server only as it is using getServerSession (from next-auth) to get current user which is then used to get an active API key from a database using PrismaClient. API key is then used to do an authorised fetch with the data to a local API endpoint.

If I don't mark this fetcher/helper server only, then my db lookup throws an error as PrismaClient can not run in the browser.

What is the suggested method to make a call with user-inputted data from a Client component to an API route handler in Next.JS 13?