React Bundle exposes all pages/endpoints code without auth?
I've done a lot of legacy and vanilla frontend stuff, but I'm new to React and somewhat to SPAs. I've watched the intro to React v9 from Brian Holt on FrontendMasters, and auth wasn't discussed.
So now, as I'm trying to apply my new skills to a legacy ColdFusion codebase (all SSR, almost no JS anywhere), I tried to start by recreating the header/navbar component, at which point I realized it's a bunch of role-based access checks just to render those links in the first place.
So I've tried chatting with Copilot and GPT and Google searching, but I don't entirely know what to search for and which answers to believe. So I'm trusting that maybe the React gods here can clarify what is 'good' and 'bad' behavior.
My findings seem to indicate that it's 'good' to just include the entire bundle for any user, and then conditionally render/link those restricted things. That we don't care if they look through the bundle to find any endpoints or features that they shouldn't be able to? That as long as your APIs have correct auth, who cares if they can see the endpoint exists?
And then I think, what if someone just tries to go to "/admin"? TanStack Router would try and load that. There seem to be a few ways to configure it to not route those, but is that preferred?
And maybe it depends on the entire stack, like I was planning to have a Spring Boot API backend/monolith with the built bundle in resources/static, so no React running on the server.
This compared with the SSR doing something like
if (user.canAccessFoo()): <a href="/foo">foo</a> and an unprivileged user wouldn't have the slightest clue of foo's existence.
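The split the question is circling around, as an added example that is not part of the original post: the client bundle is public, so the role check in the SPA only decides what to render or where to redirect, while the same check has to run again on the API with a user taken from a verified session. The roles, permissions, session store and request shape below are all constructed for illustration; the server handler is a plain function standing in for whatever framework actually serves the API (Spring Boot in the question), and the route guard mirrors the idea of a TanStack Router beforeLoad redirect without depending on the library.

```javascript
// Constructed role -> permission table. Shipping this in the bundle is fine:
// it reveals which features exist, not how to reach them without authorization.
const PERMISSIONS = {
  admin: new Set(["viewFoo", "manageUsers"]),
  editor: new Set(["viewFoo"]),
  viewer: new Set(),
};

function can(user, permission) {
  if (!user) return false;
  const granted = PERMISSIONS[user.role] ?? new Set();
  return granted.has(permission);
}

// Client side (UX only): which nav links to render for this user.
// Anyone can read this code, so hiding a link is not access control.
function navLinks(user) {
  const links = [{ href: "/", label: "Home" }];
  if (can(user, "viewFoo")) links.push({ href: "/foo", label: "Foo" });
  if (can(user, "manageUsers")) links.push({ href: "/admin", label: "Admin" });
  return links;
}

// Client-side route guard in the spirit of a beforeLoad hook (hypothetical shape):
// someone typing /admin into the address bar is redirected instead of seeing the page.
// Even if this is bypassed, the page can only show what the API returns.
const ROUTE_PERMISSION = { "/foo": "viewFoo", "/admin": "manageUsers" };

function guardRoute(path, user) {
  const required = ROUTE_PERMISSION[path];
  if (required && !can(user, required)) return { redirect: "/login" };
  return { allow: true };
}

// Server side: the authoritative check. The user is resolved from a verified
// session cookie, never trusted from the request body, and every API route
// declares the permission it needs. Constructed session store for the example.
const SESSIONS = new Map([
  ["sess-admin", { id: 1, role: "admin" }],
  ["sess-viewer", { id: 2, role: "viewer" }],
]);

const API_PERMISSION = {
  "GET /api/foo": "viewFoo",
  "GET /api/users": "manageUsers",
};

function handleApi(req) {
  const user = SESSIONS.get(req.cookies?.session);
  if (!user) return { status: 401, body: { error: "unauthenticated" } };
  const required = API_PERMISSION[`${req.method} ${req.path}`];
  if (required === undefined) return { status: 404, body: { error: "not found" } };
  if (!can(user, required)) return { status: 403, body: { error: "forbidden" } };
  return { status: 200, body: { ok: true, path: req.path } };
}

// Stand-alone run: a viewer sees one link, is redirected from /admin, and still
// gets 403 from the API if they call it directly.
const viewer = SESSIONS.get("sess-viewer");
console.log(navLinks(viewer));
console.log(guardRoute("/admin", viewer));
console.log(handleApi({ method: "GET", path: "/api/users", cookies: { session: "sess-viewer" } }));
```

The design point is that both sides consult one permission table, so the UI and the API cannot drift apart; the client copy is a convenience, the server copy is the control. Checking the session cookie on every request also covers the case the question raises: knowing that /api/users exists from reading the bundle gains nothing without a session whose role carries manageUsers.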