Tags: node.js, authentication, reactjs, flux

Storing authentication details with Flux/React app


I'm currently working on a nodejs app with flux and react. Specifically fluxible. For user authentication I'm using passport.js, which simplifies the process of authenticating the user, creating a session, and authenticating the session. Once the session is verified, my server sends back a user object.

{ _id: foo, email: foo@bar.com } 

Then my authentication store has a method IsLoggedIn to return whether the store has a user. However, I realize this isn't secure, as if the data on the store is manipulated, the store would return isLoggedIn even when the user is not actually logged in. My current way of dealing with this is that when the user calls APIs that require authentication, I check for authentication in the API call. So essentially, if a malicious user messes with the flux store data, they could see actions meant for a logged-in user/different components, but they wouldn't be able to actually modify anything. I'm planning to do the same for user admin privilege. My question is, is there a better way of dealing with this? (i.e. a better way of not exposing data to the client)


Solution

  • No, there's no better way.

    The client-side can always be manipulated by a malicious user and you can't trust it blindly: you always have to implement security on the server-side like you already do.
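The server-side checks the answer describes, as an added example that is not part of the original question or answer. It assumes Express-style req/res objects and that passport has already populated req.user and req.isAuthenticated() from the session; the isAdmin field, the publicUser projection and the route paths in the comments are hypothetical.

```javascript
// Server-side enforcement: the Flux store is only a cache of what the server
// said, so every protected API route re-checks the passport session itself.

function requireLogin(req, res, next) {
  // passport attaches isAuthenticated() to req once the session is deserialised.
  if (typeof req.isAuthenticated === 'function' && req.isAuthenticated()) {
    return next();
  }
  return res.status(401).json({ error: 'authentication required' });
}

function requireAdmin(req, res, next) {
  // Privilege checks build on the login check; the flag comes from the
  // server-side user record, never from anything the client sent.
  return requireLogin(req, res, function () {
    if (req.user && req.user.isAdmin === true) return next();
    return res.status(403).json({ error: 'admin privilege required' });
  });
}

// Send the client only the fields it is meant to see (the shape from the
// question), never the whole user document from the database.
function publicUser(user) {
  return { _id: user._id, email: user.email };
}

// Minimal stand-ins for Express res/next, constructed so the middleware can be
// exercised offline without a running server.
function fakeRes() {
  var res = { statusCode: 200, body: undefined };
  res.status = function (code) { res.statusCode = code; return res; };
  res.json = function (obj) { res.body = obj; return res; };
  return res;
}

function runMiddleware(mw, req) {
  var res = fakeRes();
  var reached = false;
  mw(req, res, function () { reached = true; });
  return { reached: reached, status: res.statusCode, body: res.body };
}

// Wiring into Express (hypothetical routes):
// app.get('/api/profile', requireLogin, (req, res) => res.json(publicUser(req.user)));
// app.delete('/api/users/:id', requireAdmin, handler);
```

A tampered client store changes nothing here: a request without a valid session still gets 401, and a logged-in non-admin still gets 403.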