
Apollo 2.0 allows users to manage the application global state via apollo-link-state by using the browser's cache. I know it is a common pattern in Redux to have a variable isAuthenticated in the global store to restrict access (and to my understanding this is not saved in the cache).

My question is: is it dangerous to have a state isAuthenticated saved in the cache using apollo-link-state? Can the user not simply modify the state of isAuthenticated and be granted access to the site? Should I therefore avoid using isAuthenticated as a global variable in Apollo Client?

William
It doesn't matter where you save `isAuthenticated` as long as you check on the backend if the user really is authenticated if he/she requests anything. Client side cannot be trusted exactly because the user can control anything if they try hard enough. So if you verify every request from the client, with a token for example, it really doesn't matter if they manually changed a variable, they simply won't get any restricted content. Unless they really have access to valid credentials. – Tal Z Feb 19 '18 at 22:39

1 Answer


As @tal-z said: Never trust the client

Markus