#Will mounting an action keep parameters from being seen by the world?

When mounting an action in Filament PHP, are the arguments exposed to the browser (and potentially visible to a user inspecting the data) or are they strictly processed on the backend, ensuring they are not publicly visible?

Source : https://github.com/filamentphp/filament/blob/e5778290382f0ba8e37657cf541884d2a2f2785b/packages/actions/src/Concerns/InteractsWithActions.php#L159

This is the method in question:

public function mountAction(string $name, array $arguments = []): mixed

Example of a call that I'd like to keep the data private on:

$this->mountAction('mySuperDuperAction', [
    'first_name' => 'Clark',
    'last_name' => 'Kent',
    'secret_identity' => 'Superman',
    'social_security_number' => 'krypton-123-4567',
    'secret_crush' => 'Lex Luthor',
]);

Do you need the data on the front end? If you do then there’s not much you can do about it.

I don't need the data on the front end. I just need it to process some stuff on the backend.

Ok. So then just don’t include the data in the arguments. Instead make the arguments something like an id that could be used in the ->action() callback to get the data again if you need it for further processing.

But, to answer your question. Anything included in the livewire properties will be exposed on the front end. But there are ways to prevent that. Check the livewire docs.

https://livewire.laravel.com/docs/properties#security-concerns

Is $this->mountedActionsArguments the best way to get that data or is there a better way?

It will work, just don’t pass arguments / data you don’t want exposed.

So if I wanted something secret (e.g., Clark's secret identity), the ideal way is to add the #[Locked] attribute?

Oh, wait. That seems like it prevents it from being manipulated, but is still exposed.

Yes, but actions themselves aren’t livewire components. So they will only expose what you provide to them. But an action can have a view that is a livewire component. So, it really depends on exactly what your are trying to accomplish and how you are accomplishing it.

Thank you so much for this conversation. It's really helpful.

As a follow up, would encrypting data be considered a bad practice? For example, if I want to pass Superman's secret identity as a public variable, but encrypt it when I call the action and then subsequently decrypt it when I need it?

Action::make($this->name)
    // Other stuff
    ->action(function ()  {
        $this->secretIdentity = Crypt::encryptString('Clark Kent');
        $this->mountAction('kryptonAction');
    })

I posed this question to Chat GPT out of curiosity, and it responded as follows:

2. Use Laravel's Encryption for Sensitive Data

If you must send some sensitive data from the client to the server, you can encrypt it using Laravel's encryption facilities (Crypt facade). Here's how you can do that:

• Before passing the argument, encrypt it on the server:

use Illuminate\Support\Facades\Crypt;

$encryptedData = Crypt::encrypt($sensitiveData);
$this->mountAction('someAction', ['encryptedData' => $encryptedData]);

• In your action handler, decrypt the data:

public function someAction($encryptedData)
{
$sensitiveData = Crypt::decrypt($encryptedData);
}