Hi @asi,
I usually protect the PWA by setting a boolean on the user. For example, you can set an action when visiting the screen and also a visibility condition on the most sensitive components to add an extra layer of security.
I am dealing with an app that has bank accounts and invoices, and I have the same security issue.
As an example, if a user is not marked as logged-in, they are then redirected to a 404 screen.
There was also another suggestion, by @Victor I believe, to check if the email existed. I can’t remember in which topic now; I need to check, or he can give more details.
The following steps came to my mind for protecting the entire app:
1. Remove the sign-up page to prevent uninvited guests from signing up to the app.
2. Mark all known users as logged-in by setting Logged-in = true as a new property in the Users database.
3. Make all pages have a Link action to the log-in page.
4. Make the action happen if Logged In User > Logged-in is false.
If it works as expected:
1. An uninvited guest tries to enter the app.
2. The page tries to get the Logged-in property of the guest.
3. The page judges Logged-in = false for the guest because the guest is not even in the Users database.
4. The Link action of the page redirects the guest to the log-in page.
If my understanding is correct:
The point is that pages can identify whether a visitor is a known user or an uninvited guest just by trying to get a Logged-in property.
This identification may also be accomplished by trying to get an E-mail property and checking whether it contains “@”. However, that leads to unwanted redirection of users without an E-mail property. That’s why we need to add a Logged-in property with the same value “true” for all users.
Please confirm if my understanding is correct.
Thanks.
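To make the comparison in the post concrete, here is an added example (not code from the post, from Adalo, or from any app mentioned above) that models the two page-gate rules discussed: the Logged-in boolean rule and the “E-mail contains @” heuristic. The user records, the `loggedIn`/`email` property names and the `lookupUser` helper are constructed for illustration; the example runs both rules over the same visitors and shows that the e-mail heuristic redirects a known user who has no e-mail value, while the boolean rule does not.

```javascript
// Constructed sample Users database (assumed shape; not the poster's real data).
// "loggedIn" stands in for the "Logged-in" property, "email" for "E-mail".
const USERS = [
  { id: "u1", email: "alice@example.com", loggedIn: true },
  { id: "u2", email: "", loggedIn: true },            // known user, no e-mail value
  { id: "u3", email: "mallory@example.com", loggedIn: false }, // known but not marked logged-in
];

// Assumed helper: the page "tries to get" a property of the current visitor.
// An uninvited guest has no record, so the lookup yields undefined.
function lookupUser(users, visitorId) {
  return users.find((u) => u.id === visitorId);
}

// Rule from the post: redirect unless Logged In User > Logged-in is true.
// A missing record (guest) reads as "false", exactly as the post describes.
function gateByLoggedInFlag(user) {
  return user !== undefined && user.loggedIn === true ? "allow" : "redirect-to-login";
}

// Alternative heuristic from the post: allow only if the E-mail property contains "@".
function gateByEmailHeuristic(user) {
  const email = user !== undefined && typeof user.email === "string" ? user.email : "";
  return email.includes("@") ? "allow" : "redirect-to-login";
}

// Evaluate every visitor (known users plus an uninvited guest) under both rules.
function evaluateVisitors(users, visitorIds) {
  const results = {};
  for (const id of visitorIds) {
    const user = lookupUser(users, id);
    results[id] = {
      byLoggedInFlag: gateByLoggedInFlag(user),
      byEmailHeuristic: gateByEmailHeuristic(user),
    };
  }
  return results;
}

// Visitors "guest-x" is constructed: it is not in USERS at all.
const REPORT = evaluateVisitors(USERS, ["u1", "u2", "u3", "guest-x"]);
console.table(REPORT);
```

Reading the table: `u2` is the case the post worries about. The boolean rule lets that known user in, while the e-mail heuristic sends them to the log-in page, which is why the post settles on a Logged-in property set to true for every known user rather than inferring membership from the e-mail field.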