
Is client-side authentication "like on SPAs" just a lie to prevent users who choose to believe it from trying to play with the data on the back end "which is protected with real authentication"?

Because when we develop an SPA with ['vue, vue-router', 'react, react-router'] we do a layer of authentication that operates on the client and on client-side data (stores and localStorage), and since we ship all the code to the end user, does that make the authentication code just a lie that is easy to find a way to hack around?

"yes the API is protected because the data on the API is there on the API"

I am not saying that we should develop an SPA without authentication and protected routes, but does it work against users who know some JS and have the curiosity to access our app's UI "at least the UI"?

Jason Aller
    This is discussed countless times. Everything that you do on client side isn't secure by design and can be tampered or stolen. If you send data to a browser that a user shouldn't see at all, you're doing something wrong – Estus Flask Sep 18 '22 at 10:03
  • So we have to live with it or do SSR? Thanks – Ibrahim Abdulbasit Sep 18 '22 at 10:12
  • It's unclear why you considered this a problem in the first place. Users could draw admin UI on a paper and imagine they hacked your site, but this won't make it true. It's the same situation. Seeing a home through a window isn't the same thing as breaking into it – Estus Flask Sep 18 '22 at 10:18
  • No no, I know that "the data" is the important thing. I was just doing authentication on a dashboard I am working on and I was thinking about how secure what I am doing is, since the client will get all the code since it's an SPA. Thanks man for your help and time. – Ibrahim Abdulbasit Sep 18 '22 at 10:25
  • This may help: https://stackoverflow.com/a/69945576/8816585 – kissu Sep 18 '22 at 10:57

1 Answer


In a sense, yes. When there is client-side logic that checks a user's role or authentication access, that is for the sake of usability rather than security and should be present only in addition to the actual secure checks on the backend.

For example, a well-structured SPA might choose to redirect a non-admin user away from a /admin page they are not supposed to access. This does not have anything to do with the actual security, it's just to avoid confusion and a seemingly-broken app when the actually-secure API endpoints called by that page inevitably return 403s.

Evan Summers
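The usability-versus-security split described in the answer, as an added example that is not part of the original post: a client-side route guard next to the server-side check that actually protects the data. The function names, the session table and the tokens are constructed for illustration.

```javascript
// Added illustration, not code from the question or answer. Names
// (clientRouteGuard, handleAdminApi, SERVER_SESSIONS, tokens) are constructed.

// --- Client side (think vue-router beforeEach / a react-router wrapper) ---
// Everything here ships to the browser; the user can edit the store freely.
function clientRouteGuard(to, clientStore) {
  // Usability only: keep a non-admin off a page that would just show 403s.
  // The user controls clientStore, so passing this guard proves nothing.
  if (to === '/admin' && clientStore.role !== 'admin') {
    return { redirect: '/' };
  }
  return { allow: to };
}

// --- Server side (Express-style handler, simplified to a pure function) ---
// Constructed server-side session table: the role lives here, never in the
// client store, and is looked up from the bearer token on every request.
const SERVER_SESSIONS = {
  'tok-alice': { user: 'alice', role: 'user' },
  'tok-bob': { user: 'bob', role: 'admin' },
};

function handleAdminApi(request) {
  const auth = request.headers['authorization'] || '';
  const token = auth.startsWith('Bearer ') ? auth.slice(7) : null;
  const session = token ? SERVER_SESSIONS[token] : undefined;
  if (!session) return { status: 401, body: 'unauthenticated' };
  // Authorization is decided from server-held state; any role the client
  // claims in its body or local store is ignored.
  if (session.role !== 'admin') return { status: 403, body: 'forbidden' };
  return { status: 200, body: { secret: 'admin-only data' } };
}

// Walk-through: alice edits her local store so the UI thinks she is admin.
// The /admin page renders, but every API call behind it still gets a 403.
function demo() {
  const tamperedStore = { role: 'admin' }; // localStorage edited in DevTools
  const guard = clientRouteGuard('/admin', tamperedStore); // guard passed
  const api = handleAdminApi({
    headers: { authorization: 'Bearer tok-alice' },
    body: { role: 'admin' }, // claimed role, ignored by the server
  });
  return { guardAllowed: Boolean(guard.allow), apiStatus: api.status };
}

console.log(demo()); // { guardAllowed: true, apiStatus: 403 }
```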