how hackable are react apps? is state safe enough to have variables which dictate permissions of a user or should we be using db calls to determine if a user has access to a route when using something like react-router-dom? I don’t mean to skip having auth on routes to an api call I just wonder what the best practice is for actually getting to fronend routes within the react app its self?
React is just a JS library so it is no more safe or dangerous than any other web page.
I’m no expert here, but I would imagine that you do your authentication through the backend and that is how you determine their authorization. I wouldn’t worry about them hacking their way to some page that you don’t want them to see because any sensitive information should be retrieved from the backend and should be checking their credentials.