vego

Reputation: 1059

Is Vuex state changeable via DevTools?

I store the user info in Vuex, like {username: 'aa', role: 'admin'}; roles: admin/user. Admin can do anything.

So I'm wondering if a user can change his role to admin via Chrome DevTools? Is saving data to Vuex safe?

Upvotes: 4

Views: 932

Answers (2)

Edward Anderson

Reputation: 13926

No, Vuex isn't "secure", in the sense that you can't assume anything in it hasn't been tampered with. However, the point of such a role flag is only to help decide whether the user should be able to access protected routes or otherwise see things in the UI that only admin users should see. If it's changed in the client, the only effect should be your frontend looking broken because it's trying to load and display admin things it doesn't actually have access to.

Your actual security mechanism in this situation is a token that you store in localStorage, a cookie or other mechanism, and send along with every request you make, so that the backend can actually verify whether you're authorized to access that resource or not.

In short, the server shouldn't allow admin access just because the Vue client claims to be an admin user; the server should identify and authenticate the client, and only allow requests that the user is authorized for.

Upvotes: 3
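
The server-side check described in the answer above, as an added example (not part of the original answer and not Vuex or any framework's own code): the role is looked up from a session the server created, and the role the client sends from its Vuex state is never read. The names SESSIONS, authenticate, authorize and deleteUserHandler are hypothetical, and the tokens and requests are constructed sample values.

```javascript
// Added example: authorization decided from server-side state only.
// All names and token values here are hypothetical / constructed.

// Session store: opaque token -> identity the server established at login.
const SESSIONS = new Map([
  ["tok-alice-constructed", { username: "alice", role: "admin" }],
  ["tok-bob-constructed", { username: "bob", role: "user" }],
]);

// Resolve the caller from the Authorization header, nothing else.
function authenticate(req) {
  const header = (req.headers && req.headers.authorization) || "";
  const match = /^Bearer (\S+)$/.exec(header);
  if (!match) return null;
  return SESSIONS.get(match[1]) || null;
}

// Gate an action on the role recorded on the server.
function authorize(req, requiredRole) {
  const user = authenticate(req);
  if (!user) return { status: 401, user: null };
  if (user.role !== requiredRole) return { status: 403, user };
  return { status: 200, user };
}

// Admin-only endpoint. req.body.role is whatever the client's store
// claims; it is deliberately ignored.
function deleteUserHandler(req) {
  const { status, user } = authorize(req, "admin");
  if (status === 401) return { status, body: { error: "unauthenticated" } };
  if (status === 403) return { status, body: { error: "forbidden" } };
  return { status, body: { deleted: req.body.target, by: user.username } };
}

// Constructed requests. In `tampered`, bob's client state was edited to
// role 'admin' and the frontend sends that claim along with his token.
const body = { role: "admin", target: "carol" };
const tampered = { headers: { authorization: "Bearer tok-bob-constructed" }, body };
const genuine = { headers: { authorization: "Bearer tok-alice-constructed" }, body };
const anonymous = { headers: {}, body };

for (const [name, req] of Object.entries({ tampered, genuine, anonymous })) {
  console.log(name, deleteUserHandler(req).status);
}
```
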

Kuba Janik

Reputation: 333

Vue Devtools are only accessible in development mode, so if you deploy your app to production it wouldn't be available. Consequently, it's absolutely safe.

Upvotes: 1
