It seems like everything that is in variables as well as whatever is used for the OIDC connection is available in the browser and can be seen and exposed in the browser.
How do you use WeWeb, and especially variables that include sensitive data (tokens, or even just group membership for RBAC), in a secure manner? Right now it seems like it’s pretty much an open door from a security perspective.
Variables being exposed is normal for web development; this post explains more. If you have something that needs to be secret, use backend functions and Supabase secrets, for example, to do that.
There’s a bunch of other posts around that go into more detail on security as well. Pretty sure WeWeb has a video on it themselves, actually.
The biggest problem is the OIDC plugin, since it’s relying on the auth cookie, which you can easily manipulate. So all the RBAC provided by WeWeb goes down the drain.
If it were immutable, that would fix the issue, but this also doesn’t seem to be the case.
If you change anything in the JWT, i.e. the cookie, when you go to fetch from your database it will fail because the JWT signature is wrong.
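What the last reply describes, as an added example that is not part of the original thread or of WeWeb's or Supabase's code: a minimal HS256 mint/verify pair with a constructed secret and hypothetical claims, showing that a role claim rewritten on the client side (signature left as-is) is rejected by the backend's signature check, while the genuine token still verifies.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret. In a real setup this is the auth server's JWT secret
# (e.g. a Supabase project secret); only the backend holds it, never the browser.
SECRET = b"constructed-demo-secret-not-a-real-key"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT the way an auth server would (backend side only)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_jwt(token: str, secret: bytes):
    """Return the claims if the signature is valid, else None (API/database side check)."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return None  # refuse "none" or any algorithm the backend did not choose
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))

def edit_role_in_cookie(token: str, new_role: str) -> str:
    """What a client-side edit of the cookie amounts to: new role claim, old signature kept."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims["role"] = new_role
    return f"{header_b64}.{b64url_encode(json.dumps(claims, separators=(',', ':')).encode())}.{sig_b64}"

def demo():
    """Genuine token verifies with its role; the edited one is rejected (None)."""
    token = sign_jwt({"sub": "user-123", "role": "member"}, SECRET)  # hypothetical claims
    genuine = verify_jwt(token, SECRET)
    forged = verify_jwt(edit_role_in_cookie(token, "admin"), SECRET)
    return (genuine["role"] if genuine else None, forged["role"] if forged else None)
```

The point for the thread: exposing the token to the browser is unavoidable, so the RBAC decision has to be made where the secret lives, by verifying the signature before trusting any claim.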