Protecting static site data

Hey I was wondering if It's possible to protect a hard coded react / html site. If the site source code can be read / modified by users. What Is the purpose of making login forms with email / pass if it can be bypassed easily (by people that know smth about web)? Is there any way to not let users see a hard coded site?
28 Replies
Neto
Neto•2y ago
with next, you can use middlewares
WOLG
WOLGOP•2y ago
Lets say we have a react site that on a home page shows form that sends a request to our server and if the user is authenticated we set a global state user to our returned data. Then the user can access protected pages. But still can't a person just modify our source code to disable this protected routes / set user global state manually and see the protected pages? Kinda newbie question 😄
Neto
Neto•2y ago
you will have to secure on the server part of the application pure react cant (client side only)
WOLG
WOLGOP•2y ago
And how would I do that
barry
barry•2y ago
only send secure stuff after authorizing the user?
Brendonovich
Brendonovich•2y ago
In a traditional React app, the code that is served to the browser is simply a vehicle to retrieve and display data from another place (your API). Unless you're putting protected information inside your site's source code, the source code for your site doesn't really need to be private. The real protection occurs on the server that is serving the protected data. It will usually use some sort of authentication to verify that whoever is requesting data from it is allowed to do so. The software running there should be much more protected, since it is the real barrier between malicious users and confidential data. When authoring websites, a common practice is to assume the person accessing the site is always malicious. They'll always be able to get their hands on website code, and so there shouldn't be anything confidential in there unless you're protecting it on the server side before sending it over (this happens in the case of server rendered stuff).
WOLG
WOLGOP•2y ago
Okey so I guess there is not really a way to protect a data that is just hard coded into my react code and all the confidential data should be stored in my backend and served to authenticated users and then the page should be hydrated with this data
Brendonovich
Brendonovich•2y ago
You could hard code the data into your react code, you'd just need to make sure you have code running on your server that checks the user's authorization for that data, and only serve that site if they've got permission
WOLG
WOLGOP•2y ago
Ah And am I able to do this via vercel for example?
barry
barry•2y ago
no relation
Brendonovich
Brendonovich•2y ago
As Neto said, you can use middleware to do so on Vercel, but what framework are you using?
WOLG
WOLGOP•2y ago
So let's say I request a https://mywebsite.com with a JWT in Authorization header and if its accepted by my backend then the react site is serverd otherwise there is an error Thats what u meant?
Brendonovich
Brendonovich•2y ago
Yeah u could do that, seems risky though
barry
barry•2y ago
jwt â›”
WOLG
WOLGOP•2y ago
well session and cookie then ;D
barry
barry•2y ago
no httponly cookie
Brendonovich
Brendonovich•2y ago
jwt is fine, doing the auth on the page load rather than an api call is sus What protected data does your react code contain?
WOLG
WOLGOP•2y ago
Atm none but It would contain company specific data like charts etc that woudn't be downloaded from the server / db just hard coded into react
Brendonovich
Brendonovich•2y ago
oh? seems a bit odd to hardcode them
WOLG
WOLGOP•2y ago
Yea It does heh Anyways How would I do this through next middleware To serve a specific page to authenticated users
barry
barry•2y ago
start by looking into middleware is my tip
Brendonovich
Brendonovich•2y ago
i haven't had enough experience with middleware to say tbh, the docs should point u in the right direction
WOLG
WOLGOP•2y ago
Well It looks like I'd just have to return 401 status code instaed of serving a page seems easy
Brendonovich
Brendonovich•2y ago
While I'm here I'll mention why I think putting pages themselves behind auth is not desirable: Your app will probably need an API at some point for dynamic content, at which point you'll need a second auth system that operates on API routes rather than middleware. Now you've got two auth implementations, what fun. You're also mixing trust levels for each page - some React code is public and can be served to anyone (login page), but some must be protected. Idk about you but that makes me nervous, I'd much rather all my React code be public and lock specifically my private data behind an authenticated endpoint. Much clearer separation of concerns imo.
WOLG
WOLGOP•2y ago
Yeah I think the same way. Much better option would be to create a separate backend and download confidential data from the server while serving empty not hydrated react pages But the whole Idea of protecting certain pages on a server level felt interesting to me Will take a deeper look at next middlewares thanks
Brendonovich
Brendonovich•2y ago
This approach wouldn't even be hard with your next app, just serve the private data from /pages/api and fetch it in your pages
WOLG
WOLGOP•2y ago
Yeah I will consider those 2 options anyway thanks It seems so much cleaner for me
Brendonovich
Brendonovich•2y ago
happy to help!
Want results from more Discord servers?
Add your server