How to store and use sensitive data in ReactJS

Question

I am doing a Website 100% in ReactJS, It's a simple/medium complex, this has a Login, Profile and other sections more. After Users Log into the site the login callback returns some important values like: "Token, UserRole". Currently I'm storing these values in Web client using localStorage .

My doubt is the next: There is a better way to store this values? Because if any person changes the value from the Browser Console this could be a BIG ISSUE because they could change the role and then execute things that they never should do.

I thought to do it with Redux, but if the users Refresh the website then they lost the values, so I am not pretty sure to choose this.

What do you think guys?

TIA!

Answer 1

The general rule is to never trust any data stored client-side, except for an authentication token or the equivalent. All changes that the user makes that involves the server should be verified on the server. So, rather than:

if any person changes the value from the Browser Console this could be a BIG ISSUE because they could change the role and then execute things that they never should do

Instead, the right thing to do would be, when the client wants to do something (such as edit their profile), have the client send their authentication token (or session ID) with the rest of the payload to your server. Have your server examine the token, check that the user associated with the token actually does have the required permissions for what they want to do, and only then continue to process the request.

Whether you also happen to store some information in Redux or elsewhere has no impact.

Storing login-related information client-side is relatively common and isn't inherently bad - just make sure to always verify it on the server when something that requires permissions is requested.

One approach some use is for the server to create an encrypted JWT that only the server can decode, which gets sent with requests.