joseferben | 1 year ago
imo it's easier to spot the authn/authz issue here
    export default function handler(
      req: NextApiRequest,
      res: NextApiResponse<ResponseData>
    ) {
      // updating user details without authn/authz
    }
than here
    "use server"

    export async function updateUser(email: string, age: number) {
      // updating user details without authn/authz
    }
without having read any next docs. engineers got trained to consider authn/authz the moment they see "http route/endpoint", maybe being more explicit about what happens in the api would help?
or next could provide an authn api for server actions that authn providers would implement?
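
One way the provider-backed guard suggested in the comment above could look, as an added example that is not part of the original post and not a Next.js API. `Session`, `AuthProvider`, `guardAction`, `providerFor` and the in-memory store are hypothetical names constructed for illustration.

```typescript
// Added example. Session, AuthProvider and guardAction are hypothetical names,
// not Next.js APIs. In a real app the exported action sits behind "use server".
type Session = { email: string; roles: string[] };
type UpdateInput = { email: string; age: number };
type Result<T> =
  | { ok: true; value: T }
  | { ok: false; reason: "unauthenticated" | "forbidden" };

// The piece an authn provider would implement (e.g. by reading the session cookie).
interface AuthProvider {
  currentSession(): Promise<Session | null>;
}

// Authz rule for this action: edit your own record, or be an admin.
function canUpdateUser(session: Session, input: UpdateInput): boolean {
  return session.email === input.email || session.roles.includes("admin");
}

// Wraps an action so its body cannot run before authn and authz have passed.
function guardAction<I, T>(
  provider: AuthProvider,
  authorize: (session: Session, input: I) => boolean,
  action: (session: Session, input: I) => Promise<T>,
): (input: I) => Promise<Result<T>> {
  return async (input: I): Promise<Result<T>> => {
    const session = await provider.currentSession();
    if (session === null) return { ok: false, reason: "unauthenticated" };
    if (!authorize(session, input)) return { ok: false, reason: "forbidden" };
    return { ok: true, value: await action(session, input) };
  };
}

// Constructed stand-ins for the request session and the database.
const ages = new Map<string, number>([["alice@example.com", 30]]);
function providerFor(session: Session | null): AuthProvider {
  return { currentSession: async () => session };
}

// The action as it would be exported: the guard is visible at the definition.
function makeUpdateUser(provider: AuthProvider) {
  return guardAction(
    provider,
    canUpdateUser,
    async (session: Session, input: UpdateInput) => {
      ages.set(input.email, input.age);
      return `${input.email} updated by ${session.email}`;
    },
  );
}
```

Because the unguarded body is only reachable through `guardAction`, a reviewer sees the authn/authz decision at the point where the action is defined, the way they would look for it on an HTTP route.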