#tomek8755
hi. Hmm, but then can't I just open my browser devtools, edit my localStorage to have the values you expect me to have, and then I have access to your site for free?
yep, but this could be improved
for example
if Stripe assigns a unique user ID per user, then you could just store the userID in localStorage, make a call to the Stripe API on app load, verify with Stripe whether the user is subscribed, then store the subscribed state in a JS variable, and based on that allow the premium content or not
I can get the ID of a user who has paid, put that in my localStorage, and get access.
yep
I would say in general it's a basic principle of web dev to not trust the client (https://cheatsheetseries.owasp.org/cheatsheets/Mobile_Application_Security_Cheat_Sheet.html#1-dont-trust-the-client). It's expected that you have some form of backend for managing users and access to a site that is trying to control access.
up to you how you implement your own site of course but that's my opinion.
so this is considering that the UserIDs or some user identifiers generated by Stripe are hard to guess
we wouldn't make that guarantee and we generally consider our object IDs (the IDs themselves) to be public and that they don't need to be protected since the expected integration is that the ID is useless to someone who doesn't have a secret key to be able to retrieve the object and check it.