bba278

Reputation: 419

Storing sensitive data in Vuex

To summarize, we are using Vue on the front-end and Hapi JS on the back-end. The front end uses MSAL.js to authenticate users and then passes an access token to the back-end. The access token is decoded with hapi-auth-jwt2 and the validate() function returns { isValid: true, credentials : { ps_ref: 12345, md_userid: [email protected] }}. This object is then passed to the handler function of a route, which extracts authentication groups/user roles (i.e. Auids) from our DB and user data and returns that.

Imagine that the user object looks like this:

{
  Auids: ["user", "webadmin", "accounts"],
  md_clock: 5678,
  md_picture: "./images/",
  ps_fname1: "Test Name",
  ps_surname: "Test Surname",
  psname: "Test Name Test Surname",
  psref: 125125
}

Now, we would like to store this object in Vuex. However, we are concerned that it will be visible to anybody who has installed the Vue Devtools in their browser, or to anybody who executes something like rootElementOfApp.__vue__.$store.

Our questions are:

  1. How easy is it for somebody to access Vuex in production?

  2. If it is easy enough for the public to access Vuex, is Vuex the best way to store this object? If we go for Vuex, should we encode the user object, or at least the Auids in it?

Upvotes: 2

Views: 2528

Answers (1)

dreijntjens

Reputation: 4835

Everything you store in the js/html/cookies is not safe on its own. But it is all related to how you manage it. Basically, you can store almost everything in the front end, as long as it isn't sensitive data that's usable for ethical hacking: things like addresses, contract numbers, bank accounts, etc.

Data like userIds (as long as they are only used for programmatic reasons) or user roles can be stored in the front end. But if you do it right, you always have every client-side validation also in your back-end application.

In terms of Vue's dev tools, they are only available in development mode, not production. But a good hacker doesn't mind.

Upvotes: 3
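The point the question raises (the store is reachable from the page, e.g. via the root element's $store) and the rule the answer gives (keep roles in the front end for UI purposes, but re-check every one of them on the back-end) are shown together below. This is an added example, not code from the question or the answer: it models the Vuex state as a plain object the user can rewrite, and a Hapi-style route check that decides purely from the server's own records, keyed by the ps_ref that hapi-auth-jwt2's validate() placed into the credentials. The role table, the user records, and the authorize/lookupRoles/demo functions are constructed for this example; only the field names ps_ref and Auids come from the question.

```javascript
// Added example (not code from the question or answer). Client-side state is treated
// as readable and writable by the user; server-side authorisation never consults it.

// --- Client side: what ends up in Vuex -----------------------------------------------
// The store is a plain JavaScript object reachable from the page, so treat its contents
// as public to the user and as freely modifiable by them.
function createClientStore(user) {
  return { state: { user: { ...user, Auids: [...user.Auids] } } };
}

// Simulates what a user can do from a browser console: rewrite their own role list.
function tamperWithRoles(store, extraRole) {
  store.state.user.Auids.push(extraRole);
  return store.state.user.Auids;
}

// --- Server side (Hapi-style handler shape) ------------------------------------------
// Constructed stand-in for the DB table mapping a user's ps_ref to their groups (Auids).
const ROLE_DB = new Map([
  [12345, ["user"]],
  [125125, ["user", "webadmin", "accounts"]],
]);

// Roles are looked up by the ps_ref that validate() put into request.auth.credentials.
// Nothing the client sends in the payload or query string is consulted.
function lookupRoles(psRef) {
  return ROLE_DB.get(psRef) || [];
}

// Hypothetical route guard: `request` mimics the parts of a Hapi request object the
// check uses; `requiredRole` is what the route needs. Client-claimed roles are ignored.
function authorize(request, requiredRole) {
  const credentials = request.auth && request.auth.credentials;
  if (!credentials || typeof credentials.ps_ref !== "number") {
    return { ok: false, status: 401 }; // no validated identity at all
  }
  const roles = lookupRoles(credentials.ps_ref);
  if (!roles.includes(requiredRole)) {
    return { ok: false, status: 403 }; // identity known, role not granted server-side
  }
  return { ok: true, status: 200, roles };
}

// Demonstration: the client adds "webadmin" to its own store, then calls an admin route.
// The server still answers 403 because its records for ps_ref 12345 only contain "user".
function demo() {
  const store = createClientStore({
    psref: 12345,
    psname: "Test Name Test Surname",
    Auids: ["user"],
  });
  tamperWithRoles(store, "webadmin");
  const request = {
    auth: { credentials: { ps_ref: 12345, md_userid: "user@example.test" } }, // constructed
    payload: { Auids: store.state.user.Auids }, // the client's claim, deliberately unused
  };
  return authorize(request, "webadmin");
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo()); // { ok: false, status: 403 }
}

module.exports = { createClientStore, tamperWithRoles, lookupRoles, authorize, demo };
```

The store copy keeps the UI convenient (showing or hiding an "accounts" tab, for instance), while anything that actually grants access is decided by lookupRoles on the server. Encoding or obfuscating the Auids in Vuex would not change this outcome either way, since the same user can read the decoding code shipped to the browser.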
