How to secure client side of React + Redux + reactRouter app?

Andrey Rusev

I am building a react + redux + reactRouter app. I have an api that sends me a token after login, so I can secure my api, but I have frontend routes (like dashboards) that should be secured.

I have a login form that dispatches a login action.

.../actions/loginAction.js

axios.post('/api/auth', {
        email: email,
        password: password
    }).then(function (response) {
        dispatch({
            type: response.data.token ? types.LOGIN_SUCCESS : LOGIN_FAILED,
            email: email
        });
    }).catch(function (error) {
        dispatch({
            type: LOGIN_FAILED,
            error: error
        });
    });

and reducer

import * as types from '../actions/actionTypes';

let initialState = {
    email: '',
    isAuthenticated: false,
    authenticating: false,
    authError: false
};

export default (state = initialState, action) => {
    switch (action.type){
        case types.LOGIN_START:
            return Object.assign({}, state, {authenticating: true});
        case types.LOGIN_FAILED:
            return Object.assign({}, state, {authenticating: false, isAuthenticated: false, authError: action.error});
        case types.LOGIN_SUCCESS:
            return Object.assign({}, state, {
                authenticating: false,
                isAuthenticated: true,
                authError: false,
                email: action.email
            });
        default:
            return state;
    }
};

It works, but anyone can hack it and just edit the redux-stored value from the console, or dispatch the LOGIN_SUCCESS action, or even edit the js where it's validated, right? How to avoid it?

rich churchill

Dmitry 's comment is correct, but just expands on this: every request for non-public information should be resolved with some kind of permission check, which you can't do in the client. It's perfectly reasonable LOGIN_SUCCESSto take action , but its purpose is to inform routing and aspects of the UI. So you can switch routes based on actions like this, but when necessary, you should make sure that every part of your API interaction includes authentication and authorization.

So, for example, your "fake" user is routed to mysecretrouteafter spoofing their login , but all API interactions in that route will fail and they'll be dumped back to the login screen again. Of course, you certainly wouldn't rely solely on client state values isAuthenticatedto decide whether to expose sensitive data.

How to secure client side of React + Redux + reactRouter app?

Andrey Rusev I am building a react + redux + reactRouter app. I have an api that sends me a token after login, so I can secure my api, but I have frontend routes (like dashboards) that should be secured. I have a login form that dispatches a login action. .../

How to secure client side of React + Redux + reactRouter app?

How secure is Firebase Cloud Messaging on the client side?

Natesh Butter It is true that firebase provides client side sdk and server side admin sdk to use Firebase Cloud Messaging. What confuses me is: We include client-side initialization code in public javascript files or script tags. Does anyone not see this initi

How secure is Firebase Cloud Messaging on the client side?

How secure is client-side HTML sanitization?

PW Kad I've been looking at Pagedown.js lately in hopes of using mark-down on pages instead of ugly read-only textareas. I'm very cautious as it seems easy to trick a converted converter. I've seen some discussions about Angular.js and its html bindings, and h

How secure is client-side HTML sanitization?

PW Kad Lately I've been looking at Pagedown.js for the charm of using mark-down on pages instead of ugly read-only textareas. I'm very cautious as it seems easy to trick a converted converter. I've seen some discussions about Angular.js and its html bindings,

How secure is Firebase Cloud Messaging on the client side?

How secure is client-side HTML sanitization?

How to use Firebase Storage from client side React app?

xrd I'm trying to write a file to cloud storage from my React app. I created a new React app using the create-react-app tool. I believe I have followed the correct instructions to get the storage reference with the following code: this.storage = firebase.stora

How to use Firebase Storage from client side React app?

How to logically combine react-router and redux for client-side and server-side rendering

Jason Nerer I want my React based SPA to be server side rendered (not now). So I want to combine React with react-router , redux and some build layers like isomorphic starterkit . There is hapi generic redux that connects all of this together, but I'm struggli

How to logically combine react-router and redux for client-side and server-side rendering

How to use redux and graphql with apollo client in the same React app?

Sarah Galli I'm working on a project where I'm using apollo/client, graphql in react and for global state management I have to use redux. I'm pretty sure I'll have to process more data in my project, so I'll put it in my store. I want to know how to use apollo

How to make server-side requests in a client-side rendered React app?

Chris A I have a React application where I need to make some API calls that include the API token in the request headers. I don't care about rendering the whole app on the server side because I don't care about SEO, performance, etc, it's just a hobby app. The

How to secure client side of React + Redux + reactRouter app?

Related

How to secure client side of React + Redux + reactRouter app?

How to secure client side of React + Redux + reactRouter app?

How to secure client side of React + Redux + reactRouter app?

How to secure client side of React + Redux + reactRouter app?

How to secure client side of React + Redux + reactRouter app?

How to secure client side of React + Redux + reactRouter app?

How secure is Firebase Cloud Messaging on the client side?

How secure is Firebase Cloud Messaging on the client side?

How secure is client-side HTML sanitization?

How secure is client-side HTML sanitization?

How secure is Firebase Cloud Messaging on the client side?

How secure is client-side HTML sanitization?

How to use Firebase Storage from client side React app?

How to use Firebase Storage from client side React app?

How to use Firebase Storage from client side React app?

How to use Firebase Storage from client side React app?

How to use Firebase Storage from client side React app?

How to use Firebase Storage from client side React app?

How to use Firebase Storage from client side React app?

How to logically combine react-router and redux for client-side and server-side rendering

How to logically combine react-router and redux for client-side and server-side rendering

How to logically combine react-router and redux for client-side and server-side rendering

How to use redux and graphql with apollo client in the same React app?

How to make server-side requests in a client-side rendered React app?

How to make server-side requests in a client-side rendered React app?

How to make server-side requests in a client-side rendered React app?

How to make server-side requests in a client-side rendered React app?

How to make server-side requests in a client-side rendered React app?

How to make server-side requests in a client-side rendered React app?

Ranking