I have a simple login form which handles the changes to the username and password fields, so as soon as a user types anything in one of the form fields the data is saved in the redux store.
Now If I understand correctly the store is completely client side so registering whatever characters or input into the store is not a security risk.
So until the user actually hits submit and tries to send the login details to the server no validation is required.
Is that all correct or do I have it terribly wrong?
Your understanding is correct - redux store is only client side. So before the user has submitted anything, all his input information is saved only in the application state.
Now when the client submits you have several options, among which
1) Validate on the server
Second option comes into question if you use redux-form, which I recommend.
2) Validate on the client so that any incorrect input is not allowed to be submitted. redux-form provides you with a
callback to validate on the client so that user is only allowed to submit, when the input satisfies conditions defined in your
See an example here