
Is there such a thing? ;-)

This file shows how they authenticate users: https://github.com/mikemintz/react-rethinkdb/blob/master/exa...



I think the issue is that the client code is running actual database queries on the server, and I don't see any restrictions on what queries can be executed.

So if you log in and authenticate (through that file), it seems like you can just open the javascript console in chrome and run any type of db query you want.


DB queries are validated through a whitelist on the server, so it should be impossible to run an unauthorized query when it's locked down. E.g. https://github.com/mikemintz/react-rethinkdb/blob/master/exa...
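The server-side check the thread is debating, as an added illustration (this is not react-rethinkdb's own code, which is not reproduced here). It assumes a constructed query representation of nested JSON arrays like `["filter", ["table", "todos"], {...}]`, not the real ReQL wire format, and a hypothetical `session` object the server populates after login. Each whitelist entry is a query template; the client's query must match it exactly except at labelled placeholders, and the owner field is bound to the server-side session rather than taken from the client, so a query typed into the browser console that targets another table, another user's rows, or an unlisted operation is refused.

```javascript
// Added example, not react-rethinkdb's code. Query AST is a constructed
// nested-array format (assumption); the real ReQL wire protocol differs.

const TYPE_CHECKS = {
  string: (v) => typeof v === "string",
  number: (v) => typeof v === "number" && Number.isFinite(v),
  boolean: (v) => typeof v === "boolean",
};

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// True if `query` equals `template` structurally, except at placeholders:
//   {$param: "name", type: "string"}  any client-supplied value of that type
//   {$session: "userId"}              must equal the server-side session value
function matchesTemplate(query, template, session) {
  if (isPlainObject(template)) {
    if ("$param" in template) {
      const check = TYPE_CHECKS[template.type];
      return Boolean(check) && check(query);
    }
    if ("$session" in template) {
      return query === session[template.$session];
    }
    if (!isPlainObject(query)) return false;
    const tKeys = Object.keys(template);
    // Extra or missing keys fail: a client cannot smuggle additional fields.
    if (tKeys.length !== Object.keys(query).length) return false;
    return tKeys.every(
      (k) =>
        Object.prototype.hasOwnProperty.call(query, k) &&
        matchesTemplate(query[k], template[k], session)
    );
  }
  if (Array.isArray(template)) {
    return (
      Array.isArray(query) &&
      query.length === template.length &&
      template.every((t, i) => matchesTemplate(query[i], t, session))
    );
  }
  return query === template; // literal leaf: operation names, table names
}

// The only query shapes a logged-in client may run (hypothetical app schema).
const WHITELIST = [
  // read the caller's own todos
  ["filter", ["table", "todos"], { owner: { $session: "userId" } }],
  // create a todo owned by the caller
  [
    "insert",
    ["table", "todos"],
    { owner: { $session: "userId" }, text: { $param: "text", type: "string" } },
  ],
];

// Returns true only if the submitted query matches some whitelist entry.
// Without a check like this (i.e. forwarding every parsed query to the
// database), an authenticated user could run anything from the console.
function authorizeQuery(query, session) {
  return WHITELIST.some((t) => matchesTemplate(query, t, session));
}

// Constructed sample: what a tampered client might send for user "u1".
const session = { userId: "u1" };
const tampered = JSON.parse('["filter",["table","todos"],{"owner":"u2"}]');
console.log("own todos:", authorizeQuery(["filter", ["table", "todos"], { owner: "u1" }], session));
console.log("other user's todos:", authorizeQuery(tampered, session));
console.log("delete table:", authorizeQuery(["delete", ["table", "todos"]], session));
```

Binding `owner` to the session is the part that matters: if the template instead accepted `owner` as a free `$param`, every row would still be readable by anyone who can edit the request, whitelist or not.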



