On my website I have backend functions that check the validity of an email and password before registering a member. Now as the API also has a client side function that can be used to register a user directly I’m wondering if there could be a potential issue with my signup process.
If I don’t include anything about the register() function in my client-side code, is there a way that a tech-savvy individual could manipulate the browser code to still run this function without calling my backend function (in a way, just add a wixUsers.register() line into the site)? If so, then I don’t understand the point of having a backend equivalent, or is it literally just for when hooking into certain events?
If this is possible then it would also make it impossible to prevent signup spam via something like RECAPTCHA, so I hope it isn’t the case.
Would somebody be able to clear this up for me? Is there no way of me preventing someone calling wixUsers signup from their browser? Or have I misunderstood how client-side and server-side code works? Thanks.
I do not think anyone can add wixUsers.register() or any other function in this manner. However since this is a security question we should wait for Wix to reply to this.
Thanks for your reply, so what you are saying is that extra API calls like that can’t be added to client-side code directly? I assumed that it would be just as easy as modifying the local JavaScript, in that case are API functions like that not exposed to the browser unless called in the code, almost like an extra layer?
In that case would the only way something like that could be run is if I had it already in my code surrounded by some if statements for checks, that way somebody could remove those checks?
Also for Wix to reply to this would I have to submit a ticket or will someone likely see this question on the forum? Thanks again.
I just thought I’d give an update, the Wix support team also said this wasn’t possible however when testing it myself it was really easy and it turns out all the Velo modules are just under obfuscated names. Does this not mean that anybody can spam things like registrations and reset emails no matter what backend code is put into place as it can simply be swapped out?