Closed simonlyn closed 4 years ago
Kinda worrying but I've been thinking more about this. I guess as a developer you need to be aware that any content in .vue files is essentially rolled up into JS bundles for each page. It's part of your client-side app, and should be treated as insecure by the very nature of being a client-side delivered app.
As such, in a real-world situation you wouldn't have secure user content directly as static HTML in your components, but rather call a server-side API to retrieve it, which would be secured with the same JWT.
The only case I can think of against this is devs using 'generate' for a static site with some static member-only content that shouldn't be accessible, but I guess the deal is that a static SPA isn't suitable for that scenario.
Hi,
Looking at the live demo, I'm able to fetch https://auth0.nuxtjs.org/_nuxt/4.nuxt.bundle.44ee0eecf0cba54387c9.js without having signed into Auth0 (I'm not sure if the actual URL will change but basically this file contains the content of secret page).
I've only just heard about Nuxt.js so I might be missing something, but it seems to me like you're only doing client-side authentication in this example? Is this by design? I would argue that this is not secure at all.
Could you update the example to include how to protect the end-point (/_nuxt/4.nuxt.bundle.44ee0eecf0cba54387c9.js) against unauthorized requests?
I also had a look at https://nuxtjs.org/examples/auth-routes/. Unfortunately, it suffers from the same issues - I am able to fetch https://nuxt-auth-routes.glitch.me/_nuxt/1.nuxt.bundle.js without being authenticated.
Thanks