
Is it Safe to Compare Subscription-Expiration-Date & Current-Date on the Client Side? Or can this be manipulated?


I get some data back from the backend, which tells me the expiration date of the user subscription. If this date is in the past, I navigate the user somewhere else, so she can't log in:

  if (expirationDate.getTime() < new Date().getTime()) {
      navigate('/subscription-expired')
  }

I am wondering whether it's safe to do a check like this comparison on the client? Can this be manipulated?


Solution

  • The benefits of checking data, validating data and other stuff on the client side are:

    • to alert a regular user that he/she is not on a good path (the user is informed of her subscription expiration). (result: user experience)
    • to reduce the server load by preventing regular users from sending invalid data to the server (regular users won't send additional data to the server once they find out their subscription has expired). (result: resource saving and performance)

    But checking on the server side is an obligation, since there are non-regular users (who modify JS, post data with Postman, bots, intruders) who may send HTTP requests without the intervention and validation of your client-side code and could abuse your system.

    The client side is the battlefield of the enemy.

    To summarize:

    You have to validate data on the server side in order to prevent any abuse.

    But it's recommended to validate data on the client side too, to improve the performance of the whole system.

    For example, in your case:

    • on the server side:

      • check the expiration time =>
      • if it has expired =>
      • return a 403 error with: {message:"expired"}
    • on the client side:

      • if it gets a 403 error with {message:"expired"} =>
      • redirect the user.
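
The flow described in the answer above, as an added example that is not part of the original post: an Express-style middleware that decides expiry from server-side data and the server clock, and a client handler that only reacts to the 403. The names `subscriptions`, `requireActiveSubscription`, `handleApiResponse`, `fakeRes`, `simulate` and the `req.userId` field are assumptions for illustration.

```javascript
// Constructed sample data: server-side store keyed by authenticated user id.
const subscriptions = new Map([
  ['alice', { expiresAt: Date.parse('2030-01-01T00:00:00Z') }],
  ['bob',   { expiresAt: Date.parse('2020-01-01T00:00:00Z') }],
]);

// Server: Express-style middleware. Expiry is read from the server's own store
// and compared with the server's clock; no date or flag sent by the client is used.
function requireActiveSubscription(store, now = () => Date.now()) {
  return (req, res, next) => {
    // req.userId is assumed to be set by earlier authentication middleware.
    const sub = store.get(req.userId);
    // A user with no subscription record is treated like an expired one.
    if (!sub || sub.expiresAt < now()) {
      return res.status(403).json({ message: 'expired' });
    }
    next();
  };
}

// Client: the redirect is a convenience driven by the server's answer.
// Returns true when the request succeeded, false otherwise.
function handleApiResponse(status, body, navigate) {
  if (status === 403 && body && body.message === 'expired') {
    navigate('/subscription-expired');
    return false;
  }
  return status >= 200 && status < 300;
}

// Minimal stand-in for an Express response object so the example runs offline.
function fakeRes() {
  const res = { statusCode: 200, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (payload) => { res.body = payload; return res; };
  return res;
}

// Simulates a request sent straight to the API (for example with Postman),
// which never executes the client-side date comparison.
function simulate(userId, nowMs) {
  const res = fakeRes();
  let passed = false;
  const mw = requireActiveSubscription(subscriptions, () => nowMs);
  mw({ userId }, res, () => { passed = true; });
  return { passed, status: res.statusCode, body: res.body };
}
```

Changing the device clock or editing the client script has no effect on `simulate('bob', ...)`: the protected handler is never reached because the decision is made before `next()` is called.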