
I know this has been discussed several times, but I am still lacking the information on how easily someone can mess with your authentication logic on the client side.

So this is my understanding of how the authentication works roughly when using client side rendering:

  • ask user to provide login credentials

  • make an http call sending the credentials to some api server

  • api server checks database for match

  • if no record has been found api server returns isAuthenticated = false to client

and here the fun begins.

To be more precise let's look at the code below:

const isAuthenticated = false

router.beforeEach(async (to, from) => {
  if (
    // make sure the user is authenticated
    !isAuthenticated &&
    // ❗️ Avoid an infinite redirect
    to.name !== 'Login'
  ) {
    // redirect the user to the login page
    return { name: 'Login' }
  }
})

Now, can a bad guy just set the isAuthenticated flag to true and skip the login process? I do understand that there won't be any data available, just an empty template, but I am curious: if isAuthenticated is defined as a const variable, is it still possible to change its value in devTools and mess around?

What are good practices here in general? Is CSR any good for web projects including login pages?

  • "is it still possible to change its value in devTools and mess around" - yes. There's nothing secure on the client side. A user can tamper with anything on their side. Unless the server side gives away protected data without auth, setting isAuthenticated = true isn't supposed to do anything useful. Commented May 5, 2024 at 8:19
  • You got it totally right. Not sure about any kind of OWASP securities, you could use this nuxt module for that but overall, your app is the most public and hackable thing that will ever be (because it's a SPA). But it's not a big deal because what's important is the data in your database, so an empty shell will do nothing. You could always use a global error catcher and redirect the person to an empty page if any HTTP call fails but it's quite some work for not a lot of benefits and might introduce extra bugs down the road. Commented May 5, 2024 at 8:59
