Reputation: 397
I have a question about passing role data to React. I can either pass it from the server via a global var, or make a REST API call from the client, but either way I get back an array of permissions for a user. As an example:
Permissions: ['ALLOW_X', 'ALLOW_Y']
What's stopping someone from opening dev tools in the browser and setting a break-point and adding 'ALLOW_Z' to that array?
Is there a good way to pass the data to the client side and have it be tamper-resistant (at least)? I know I can re-check permissions on the server to avoid saving something, but what about admin-level UI items that regular users should not be able to see? Am I limited to putting all of that on a separate page and just blocking the route by role?
Seems I'm missing something here. Thoughts? Thanks, Jeff
Upvotes: 3
Views: 433
Reputation: 3367
What's stopping someone from opening dev tools in the browser and setting a break-point and adding 'ALLOW_Z' to that array?
Nothing.
Once your JavaScript/data has left your server, you have to assume it's contaminated and modified by the user.
ALL auth operations must be conducted on the server.
You'd normally maintain a session key with the server, and you'd check that the session key (also known as a token) is still valid.
Edit:
You shouldn't care if users see "special admin sections", as all their functionality would not work (all server API calls would fail, so the user can't delete, edit, or create any data).
Upvotes: 2