This is completely normal.
But
Well, no, not ideally. Ideally they are getting the information from a server somewhere. If the endpoint [for the resource that is protected] requires authorisation, then if the user has not authorized, then you 403 for the request for information. How you handle it front end is up to you. You might allow them to access the route but show an error message instead, or you wrap that route component in a function that checks first, or you might not show a link to that route in the first place by saying ifAuthorised && <Route ....>
If you are just hiding the information on the front end by hard-coding everything, then sure, there will be an easy way a user can bypass the security. As an example of an app that has a trivially bypassed security measure, see Mediumâs paywall â if I am logged in, I get a maximum of 3 paid articles for free a month. If I open it in incognito & donât log in, I can bypass that. If youâre hard-coding this stuff, then thereâs nothing you can realistically do to protect it â the user has literally downloaded everything already. This isnât a React/RR thing, youâre just giving the user everything so . Code splitting isnât a security technique, itâs for optimising speed
Then you donât allow access to the app unless a user is logged in. React and React Router arenât some special case here. Just have a login screen, and if login fails thatâs all they can see. If the rest of the app is dependent on a server API, then the rest of the app wonât work without it and the fact they can access all the code is not relevant, they would need to know all the API responses to be able to make it work.
A React app is a single HTML page, the request for the app has already succeeded if the app is open in the browser.
If you want to make a request on every route, then do that â the components are literally just functions, you should be able to wrap them in another function that does a check and return the if it succeeds, or you can add handling logic into the components that the Routes render.
Just to stress this: you cannot have what is considered a secure app just using browser JS without some secured backend. The data that requires authorisation has to be somewhere else, not bundled in that JS code. You can obfuscate and hide things, but thatâs not security.