I recently saw a video in which they used react with node/express at the back, to do role based authorization. In that, once a user is authenticated, his job role is passed as a response to the react front end, which is then stored in states and used to render pages accordingly. So, how safe is this approach? Is it possible for someone like a normal user to tamper with the response coming from the server and modify it to something like "admin". Or is there some other approach which is safer. Please help me out as I'm fairly new to these topics.
How safe is job role based authorization in react?
1k views Asked by Bichu Ben At
2
There are 2 answers
0
Someone Special
On
Rule Number 1 - Never trust anything from client side.
Whatever information passed on to client side is purely for display purpose.
Every modification on the backend should contains verification of data before it's being inserted/updated into database, or before it's being used for any purpose for an intended user.
A user may change the role to see a different UI, but the UI should never attempt to retrieve information that's not meant for the user, or to accept any input from that user, if the user is not the rightful user.
Related Questions in NODE.JS
- Using Puppeteer to scrape a public API only when the data changes
- How to request administrator rights?
- How do I link two models in mongoose?
- Variable inside a Variable, not updating
- Unable to Post Form Data to MongoDB because of picturepath
- Connection terminated unexpectedly while performing multi row insert using pg-promise
- Processing multiple forms in nodejs and postgresql
- Node.js Server + Socket.IO + Android Mobile Applicatoin XHR Polling Error...?
- How to change the Font Weight of a SelectValue component in React when a SelectItem is selected?
- My unban and ban commands arent showing when i put the slash
- how to make read only file/directory in Mac writable
- How can I outsource worker processes within a for loop?
- Get remote MKV file metadata using nodejs
- Adding google-profanity-words to web page
- Products aren't displayed after fetching data from mysql db (node.js & express)
Related Questions in REACTJS
- ussd reader in Recket Native module
- Teams tab application returns SSO error in mobile Outlook
- Github Pages Deployment deploys a blank page
- Is there any way to glow this bulb image like a real light bulb
- Optimize LCP ReactJs
- Page in React only renders elements after refreshing
- Unable to Post Form Data to MongoDB because of picturepath
- MERN Stack App - User Avatar Upload - 500 Error After Deployment on Render
- Hooks are not supported inside an async component error in nextjs project using useQuery
- How to change the Font Weight of a SelectValue component in React when a SelectItem is selected?
- On the server side, it returns undefined but on the client side, logs the values no problem
- Multilevel dropdown with checkboxes in Select component
- TypeScript Error only on big type only when assigned to a variable
- Deployment through app engine, cloud sql database, problem connecting with server code, doesn't connect
- Data is not filtering in props. Showing passdata.map is not a function
Related Questions in SECURITY
- HTTPS configuration in Spring Boot, server returning timeout
- HSM ZKA control mask values
- OWASP Amass Subcommands
- Is there a need for BPF Linux namespace?
- Error when trying to execute a binary compiled in a Kali Linux machine on an Ubuntu system
- When sanitize/encode while implementing tags system like on SO
- spring security version in spring-boot-starter-security
- I am currently trying to implement a rudimentary firewall from a video I watched but the nimda worm detection is not working and i do not know why?
- Is it possible for `sudo` to fail temporarily with the correct password? Hacking suspected
- Is it viable proxying all my mobile apps requests, to some kind knowing that a request is coming from a secure source
- What abilities should I concentrate on while bug hunting, and how can I improve the quality of my bug bounty reports?
- System.ArgumentOutOfRangeException: I passed this error in every single program
- How to prevent users from creating custom client apps?
- Does server-side content security policy exist for youtube video player API, app, mod apks and website?
- Can we pass a hostname/IP address as a query string in a GET request in REST API
Related Questions in ROLE-BASED-ACCESS-CONTROL
- OAuth access token attribute based reverse proxying of http ressources
- Is it possible to decide access level of Jenkins users where the login is through a group in Azure AD using SAML 2.0?
- GCP Monitoring Metrics Scope for RBAC
- Need help in integrating role-based access control with MSAL authentication in Spring Security
- Access Control for Google Cloud Logging
- Caller is not authorized to perform action on resource even though I have owner role on the Azure Key Vault and also subscription
- Access Control for Google Cloud Monitoring Dashboards
- Restrict credentials access using credentials domains in Jenkins
- Not able to give owner access from classic service administrator role
- How to Securely Differentiate Admin and User Roles with NextAuth and Next.js?
- Can I use policy based authorization to hide html elements from a user
- Method Not Getting Authorized in Spring Security despite Roles
- Open FGA Wildcard Relationship From Object to User
- Understanding Roles and Authorities in Spring Security
- Implementing customized Access Control using Spring Security and ACL
Popular Questions
- How do I undo the most recent local commits in Git?
- How can I remove a specific item from an array in JavaScript?
- How do I delete a Git branch locally and remotely?
- Find all files containing a specific text (string) on Linux?
- How do I revert a Git repository to a previous commit?
- How do I create an HTML button that acts like a link?
- How do I check out a remote Git branch?
- How do I force "git pull" to overwrite local files?
- How do I list all files of a directory?
- How to check whether a string contains a substring in JavaScript?
- How do I redirect to another webpage?
- How can I iterate over rows in a Pandas DataFrame?
- How do I convert a String to an int in Java?
- Does Python have a string 'contains' substring method?
- How do I check if a string contains a specific word?
Trending Questions
- UIImageView Frame Doesn't Reflect Constraints
- Is it possible to use adb commands to click on a view by finding its ID?
- How to create a new web character symbol recognizable by html/javascript?
- Why isn't my CSS3 animation smooth in Google Chrome (but very smooth on other browsers)?
- Heap Gives Page Fault
- Connect ffmpeg to Visual Studio 2008
- Both Object- and ValueAnimator jumps when Duration is set above API LvL 24
- How to avoid default initialization of objects in std::vector?
- second argument of the command line arguments in a format other than char** argv or char* argv[]
- How to improve efficiency of algorithm which generates next lexicographic permutation?
- Navigating to the another actvity app getting crash in android
- How to read the particular message format in android and store in sqlite database?
- Resetting inventory status after order is cancelled
- Efficiently compute powers of X in SSE/AVX
- Insert into an external database using ajax and php : POST 500 (Internal Server Error)
Yes they can. React state is just JavaScript, and as a user they can always modify those state value in their browser.
This problem depends on how you secure in the server-side. User can always tamper with the request to server. It's server job to check for whether the request is valid or not. For example using JWT, when the request come to server, the server need to check whether the user is actually admin or not before performing any job.
In general, saving admin role or something similar in front-end usually for the sake of data displaying. You can always do some input checking before sending request to server, but VALIDATE REQUEST in server is a must