skip to Main Content

I have a general question about user authentication and authorization with auth providers such as AWS cognito, Firebase or auth0. As per their documentations, is it safe to authorize the resources at the client-side (ex. React, React-native, angular, Vue etc.) as below?;

if(isAuthenticated){   //From AWS Cognito/Amplify/Firebase/Auth0 etc.
  getSensitiveData().  //From a different database/server
}

Since an attacker can alter the client code to remove the ‘if’ statement (as this is a client-side code), I hope this is not safe. However, if this logic was at the server (with php/Next-auth/express and passportJS etc.), it wouldn’t be an issue.

2

Answers


  1. Since an attacker can alter the client code to remove the ‘if’ statement (as this is a client-side code), I hope this is not safe

    It is not "safe" in that there is nothing stopping the client from doing whatever it wants with the data it has access to.

    However, if this logic was at the server (with php/Next-auth/express and passportJS etc.), it wouldn’t be an issue.

    That’s correct. The only secure way to control access to data is to check user permissions on your backend using data they can’t control.

    Login or Signup to reply.
  2. It’s not safe, but it still serves a purpose. If you know that the backend will reject the call, you can spare the client the effort to do the call. You can also hide GUI elements that will not show any content anyways, like an admin console for a regular user.

    Thus, this piece of code is common and useful, but must always be complemented with a backend protection.

    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search