I'm concerned about how to use different roles in a React app. Let's say a user tries to log in and sends a username and password to the server. If the user is logged in, he/she will have different roles in the application, like admin, user, etc.
{
    "_id": 8937493874398,
    "role": "user"
}
Is it safe to save this in a Flux store? Can the role be changed by a user in the JavaScript console or something like that?
What is the proper way of handling this? We want to hide parts of the application from users that have role : user and allow things for role : admin.
No, it’s not "safe". Everything you send/store on the client side can be accessed and modified.
You could have the login functionality separated from the React App. So after the user logs in using a standard request/response setup, you can return React components based on the user’s authentication level on the server.
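As an added example (not part of the original answer or any project's code): one way to keep the role decision on the server is to issue an HMAC-signed token at login and have every protected endpoint read the role from the verified token. The function names, the token format and the in-memory key are assumptions made for this sketch; the role in the Flux store is then only a hint for what the UI shows.

```javascript
const crypto = require("node:crypto");

// Assumption: server-only key; a real deployment loads it from a secret store.
const SECRET = crypto.randomBytes(32);
const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const sign = (payload) =>
  crypto.createHmac("sha256", SECRET).update(payload).digest("base64url");

// Called only after the server has checked the username and password.
function issueToken(user, ttlMs = 15 * 60 * 1000) {
  const payload = b64({ _id: user._id, role: user.role, exp: Date.now() + ttlMs });
  return `${payload}.${sign(payload)}`;
}

// Returns the claims if the signature is valid and the token is unexpired, else null.
function verifyToken(token) {
  const [payload, mac] = String(token).split(".");
  if (!payload || !mac) return null;
  const expected = Buffer.from(sign(payload));
  const given = Buffer.from(mac);
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(payload, "base64url").toString());
  return claims.exp > Date.now() ? claims : null;
}

// Hypothetical admin-only endpoint. The role comes from the verified token;
// anything else the client sends (request.body.role) is ignored.
function handleAdminRequest(request) {
  const claims = verifyToken(request.token);
  if (!claims) return { status: 401 };
  if (claims.role !== "admin") return { status: 403 };
  return { status: 200, body: "admin-only data" };
}

// Constructed sample: the user from the question, then the same token with the
// role edited on the client while the old signature is kept.
const userToken = issueToken({ _id: 8937493874398, role: "user" });
const [, oldMac] = userToken.split(".");
const editedToken = `${b64({ _id: 8937493874398, role: "admin", exp: Date.now() + 60000 })}.${oldMac}`;

console.log(handleAdminRequest({ token: userToken, body: { role: "admin" } }).status); // 403
console.log(handleAdminRequest({ token: editedToken }).status); // 401
console.log(handleAdminRequest({ token: issueToken({ _id: 1, role: "admin" }) }).status); // 200
```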