The short answer here is yes. As per the docs, client code (that executes in the browser) can be manipulated. Server code is secure. Hence you should always validate access (and data for that matter) on both the client and server. It looks like you already do this on the server.
I am not sure that there is a way to prevent access to form code … perhaps others have some options here.
I wonder if there could be a way to control access via a redirection to a secure app once the user has logged in ?
If you think about it though, you could probably build everything so that without server cooperation the forms would simply be a useless array of meaningless buttons.
What is your reason to prevent access to form code if there is no data provided? If you edit your code to manually bypass line 17’s check, what does the app look like?
I guess the question is as long as no data is provided (ie using the server to control what is presented) are the forms valuable?
As a side note, you could consider putting line 17 in a while loop to constantly represent the login form if login fails.
Something like:
while not anvil.users.get_user():
user = anvil.users.login_with_form(allow_cancel=False)
However this will override your ability for users to continue without logging in (apart from editing the form code).