Is client side authentication "like on SPAs" just a lie to prevent users who choose to believe it from trying to play with the data on the back end?

Time:09-19

Is client side authentication "like on SPAs" just a lie to prevent users who choose to believe it from trying to play with the data on the back end "which is protected with real authentication"?

Because when we develop an SPA with ['vue, vue-router', 'react, react-router'] we add a layer of authentication that operates on the client and on client-side data (stores and localStorage), and since we ship all the code to the end user, does that make the authentication code just a lie that is easy to find a way to hack around?

"yes the API is protected because the data on the API is there on the API"

I am not saying that we should develop SPAs without authentication and protected routes, but does it work with users who know some JS and have the curiosity to access our app UI "at least the UI"?

CodePudding user response:

In a sense, yes. When there is client-side logic that checks a user's role or authentication access, that is for the sake of usability rather than security and should be present only in addition to the actual secure checks on the backend.

For example, a well-structured SPA might choose to redirect a non-admin user away from a /admin page they are not supposed to access. This does not have anything to do with the actual security, it's just to avoid confusion and a seemingly-broken app when the actually-secure API endpoints called by that page inevitably return 403s.
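The /admin redirect described in the answer next to the server-side check that actually enforces access, as an added example that is not part of the original answer (all function and session names are assumed; the "server" is an in-memory session table standing in for a cookie-session backend):

```javascript
// Added example: client-side route guard (usability only) beside the
// server-side authorization check (the only one that counts).

// --- Server side ---------------------------------------------------------
// Opaque session ids map to roles held only on the server. Browser state
// (store, localStorage) never reaches this table, so editing it changes nothing.
const serverSessions = new Map([
  ["sess-a1b2", { user: "alice", role: "user" }],  // constructed sample sessions
  ["sess-c3d4", { user: "bob", role: "admin" }],
]);

// Stands in for GET /api/admin/users; `cookie` is the session id the browser sent.
function handleAdminRequest(cookie) {
  const session = serverSessions.get(cookie);
  if (!session) return { status: 401, body: "not authenticated" };
  if (session.role !== "admin") return { status: 403, body: "forbidden" };
  return { status: 200, body: ["alice", "bob"] };
}

// --- Client side ---------------------------------------------------------
// Mirrors a vue-router beforeEach / react-router guard: it only decides which
// screen to render, based on whatever state the browser currently holds.
function clientRouteGuard(route, clientState) {
  if (route === "/admin" && clientState.role !== "admin") return "/"; // redirect
  return route;
}

// Browser state is under the user's control, so the guard can be made to pass
// for a non-admin session: the UI shell renders...
function guardWithTamperedState() {
  const tamperedState = { role: "admin", sessionCookie: "sess-a1b2" }; // alice's session
  return clientRouteGuard("/admin", tamperedState);
}

// ...but every data call from that page comes back 403, because the API reads
// the server's own record for the session instead of the role the client claims.
function whatTheAdminPageReceives() {
  return handleAdminRequest("sess-a1b2").status;
}
```

The guard is worth keeping for the reason the answer gives (no confusing half-broken page for legitimate users); the 401/403 paths in `handleAdminRequest` are where the security lives.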
