# Is data in the Pinia store hackable?


flat wasp
#

I am to understand that any user information in the browser is hackable.

The reason I ask is that my API returns a user.profile.role value which is based on an enumerated object [USER, ADMIN] in the database. I am trying to restrict access to /admin routes.

I store the user.profile object in the Pinia user store. I want to prevent hacks. Is it better to make another API call to get the role? Thoughts?

quasi glen
#

@flat wasp As long as you have protection on the backend/API side, there is nothing to be worried about.

#

Never trust data from the client.

#

Any client-related code can be manipulated.

#

Also, the API should be making the API call internally if you don't already have access to the data on the API

#

and the API is deciding what to do

#

not based on what is sent to the API

#

That type of info is critical and you should never read it directly from an incoming source.