Hi there msd5079,
You have a really good start here; however, your intuition is right in regards to localStorage tampering. Users can tamper with localStorage values, setting loggedIn to true. Instead, use a more secure method such as session tokens.
Upon a successful login, generate a session token and store it in a secure cookie. This makes it less accessible to JavaScript running in the browser. Then validate the token on each request to ensure the user is authenticated.