
So the UI can check if what they enter is correct.

It’s very sensible and an obvious solution if you don’t think about the security of it.

A dating app is one of the most dangerous kinds of app to make due to all the necessary PII. This is horrible.



> if you don’t think about the security of it.

This is big brain energy. Why bother making yet another round-trip request when you can just defer that nonsense to the client!


No one would ever hack my app!


I’ve seen banks where the OTP code is generated on the client and then sent to the server.
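
The pattern the thread is describing, as an added example that is not code from the app or from any commenter: the server hands the verification code to the client so the UI can compare locally, beside a server-side verification that never exposes the code. The in-memory store, the server-side pepper and the `OUTBOX` list standing in for an SMS/email gateway are assumptions for this illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # code lifetime
MAX_ATTEMPTS = 5        # wrong guesses allowed before the code is invalidated
OTP_DIGITS = 6

# Assumptions for this illustration: an in-memory store standing in for a
# database/cache, a server-side pepper, and an OUTBOX list standing in for
# the SMS/email gateway that delivers the code out of band.
SERVER_PEPPER = secrets.token_bytes(32)
_pending = {}
OUTBOX = []


def _new_code():
    return f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"


def _digest(code):
    # Keyed hash: a plain SHA-256 of a 6-digit code is brute-forced offline in
    # a million guesses if the store leaks; the pepper prevents that.
    return hmac.new(SERVER_PEPPER, code.encode(), hashlib.sha256).hexdigest()


def issue_code_insecure(user_id):
    """The anti-pattern under discussion: the server returns the code to the
    client so the UI can check the user's input locally. Anyone who can read
    the HTTP response (the user, a proxy, the app's own logs) now has the code
    and can pass verification without ever receiving the SMS or email."""
    code = _new_code()
    _pending[user_id] = {"digest": _digest(code),
                         "expires": time.time() + OTP_TTL_SECONDS,
                         "attempts": 0}
    return {"status": "sent", "code": code}   # the leak


def issue_code(user_id, now=None):
    """Hardened: generate server-side, keep only a keyed hash plus expiry and
    attempt counter, deliver the code out of band, return nothing secret."""
    now = time.time() if now is None else now
    code = _new_code()
    _pending[user_id] = {"digest": _digest(code),
                         "expires": now + OTP_TTL_SECONDS,
                         "attempts": 0}
    OUTBOX.append((user_id, code))            # stand-in for the SMS/email send
    return {"status": "sent"}


def verify_code(user_id, submitted, now=None):
    """Server-side check: expiry, attempt cap, constant-time compare, single use."""
    now = time.time() if now is None else now
    entry = _pending.get(user_id)
    if entry is None:
        return False
    if now > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
        _pending.pop(user_id, None)           # expired or brute-forced: invalidate
        return False
    entry["attempts"] += 1
    ok = hmac.compare_digest(entry["digest"], _digest(str(submitted)))
    if ok:
        _pending.pop(user_id, None)           # a code is good for exactly one success
    return ok


if __name__ == "__main__":
    print(issue_code_insecure("alice"))       # the code appears in the response body
    print(issue_code("bob", now=1000.0))      # only {'status': 'sent'}
    print(verify_code("bob", OUTBOX[-1][1], now=1001.0))
```

The client's only job in the hardened version is to forward what the user typed; the code itself exists in the delivery channel and as a keyed hash on the server, never in an API response, and expiry, the attempt cap and single use limit what an attacker can do with the verify endpoint alone.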


Smacks of vibe coding


I don't think a language model is that stupid. This smacks of pure human stupidity and/or offshoring.


But LLMs are that stupid. Do you remember that guy who vibe coded a cheating tool for interviews and who literally leaked all his API keys/secrets to GitHub because neither he nor the LLM knew better?


Fair enough. Since it's trained on human stupidity, I suppose it would reflect that stupidity as well.


Is that the same guy who had his degree revoked for creating a cheating tool for interviews and is now a millionaire for creating a cheating tool for interviews?


Could be. Somewhere else in these comments someone was saying they found evidence that the app was coded that way.

But they also said it was a project by two students. And I could absolutely see students (or even normal developers) who aren’t used to thinking about security make that mistake. It is a very obvious way to implement it.

In retrospect I know that my senior project had some giant security issues. There were more things to look out for than I knew about at that time.



