PastaLover

Reputation: 491

Can hackers impact information inside state?

In my React application I calculate the price of the order in the back-end and then transfer it to the state. But at the end, the PayPal order amount is passed through the state. Which means, if a hacker can find a way to change the state to "$1", they can get the items cheaper.

This is just one case of me calculating stuff inside my state, and I was wondering if a scenario of a hacker changing the state is possible.

One more case of me doing sensitive stuff with state: when a user tries to reset their password and their IP is not blacklisted for too many tries, I transfer them to a page where they need to enter the PIN code that they received on their phone. If they enter an invalid PIN I increase the "failedTries" state and won't accept their submission if they have failed 3 times. This is done instead of going all the way to the DB and storing their failed PIN codes. If a hacker changes the state to 0, they can simply brute-force the phone PIN, which is only 6 digits long.

Upvotes: 0

Views: 132

Answers (1)

Griha Mikhailov

Reputation: 743

I think you should save failedTries in the database, not in the UI part, and the same goes for the calculated price.

You should get the protected content from a server, and this server should only deliver the content when the user sends a valid token.

This way, yes, anyone can flip the switch in the client, but that only shows the UI components, without any data.

This is the usual approach when creating single-page applications. As long as you don't have secret or sensitive data right in your client from the beginning, they are as safe as your server / API that delivers the data.

Upvotes: 2
