alexanderscott/backbone-login

Modifying `logged_in` via the console.

Closed this issue · 1 comment

Hi, thanks for the demo. I'm trying to follow some of these patterns in my project. Quick question: what is to stop someone from just doing:

var app = require('app');
app.session.user.set('logged_in', true);

in their console and gaining access to protected routes?

@SnidelyWhiplash good question. Nothing can stop a client from altering its state maliciously, which is why a client can ultimately never be trusted by the server in an API/RESTful setup. The server should always check the user session (a.k.a. through a filter) before allowing access to protected routes. Simply setting 'logged_in' on the client will not provide a valid token (cookie) to the request, thus the client should not be recognized as authenticated by the server in this scenario. Let me know if that answers your question. Might be a good idea to implement an example protected route in the server to demonstrate...