SolidJS, 3mo ago
tom1sl

Handling of sensitive information from the front end

Hello, I am new to front end. I am trying to make some components that are shown/hidden depending on the role of the user: if it is admin, I want them to see the button and the administration component that is rendered when clicking. But I am thinking that if I save the role in localStorage and a user changes the role from member to admin, he could see the button; then the component could not, because it makes a GET request to the backend and this verifies in a JWT that he is not admin, but meanwhile he can see this admin part without being admin. I was implementing HttpOnly cookies for the requests, I'm still on that, and I got this doubt: how could I protect and pass information to the backend decoded, without the user being able to modify it? If someone would have the patience to explain how to handle this, whether it is only by local or session storage or there is a more secure way, I will be very grateful. Thank you very much.
2 Replies
marcusbuffett, 3mo ago
In general my approach to this stuff is that it's fine that clever users can figure out what your admin UI looks like, as long as they can't actually use it because none of the actions will go through for them on the backend. It would be very difficult to provide admin capabilities in a web app without exposing the code for those capabilities to all users. The best you can do is probably just make it harder for users to discover.
tom1sl, 3mo ago
Thank you very much for your answer, marcus. Now I understand. My doubt was whether I was doing it in an insecure way by letting him see that kind of information in the browser and in this way manipulate the app, like taking the role or the session token, but I understand that that is just what the developer console is for; it is okay to see that information. Also, all views have requests to the backend, so there would be no problems then.