Reputation: 3682
If you turn autopublish off, how tamper-proof and secure is the client-side Meteor.users collection?
My experiments have shown it to be tamper-proof. I have tried client-side scripting in the console to insert, update and remove, and I get 403 errors.
For example, you can try this: use one of your users collection ids and then $push or $set something. You can also try remove and insert too.
Meteor.users.update({_id: "72277b27-3a53-4aa3-82b7-fb096060a8dc"}, {$set: {foo:'bar'}})
or
Meteor.users.insert({this:'that'})
or
Meteor.users.remove({_id: "72277b27-3a53-4aa3-82b7-fb096060a8dc"})
and you should get a 403 on all of these.
But how tamper-proof and secure is it?
Thanks, Steeve
Upvotes: 1
Views: 562
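The 403s described in the question come from Meteor's allow/deny rules for client-initiated writes. The following is an added model of that evaluation, not code from the question or from Meteor itself; it assumes Meteor's documented semantics (deny callbacks run first and any true rejects; then at least one allow callback must return true; a collection with no allow rules rejects every client write), and the rule set, user documents and the `evaluateUpdate`/`demo` helpers are constructed for illustration.

```javascript
// Added model of how Meteor decides whether a client-side update on a collection
// such as Meteor.users is accepted. Assumed semantics (from Meteor's allow/deny
// docs): every deny callback runs first and any returning true rejects the write;
// then at least one allow callback must return true; with no allow rules at all
// (insecure/autopublish removed) all client writes are rejected, i.e. the 403.
function evaluateUpdate(rules, userId, doc, modifier) {
  // Top-level field names touched by the modifier, as Meteor hands them to callbacks.
  const fields = [...new Set(
    Object.values(modifier).flatMap(Object.keys).map(f => f.split('.')[0]),
  )];
  if (rules.deny.some(fn => fn(userId, doc, fields, modifier))) {
    return { allowed: false, reason: 'deny rule matched' };
  }
  if (rules.allow.length === 0) {
    return { allowed: false, reason: 'no allow rules (default deny)' };
  }
  const permitted = rules.allow.some(fn => fn(userId, doc, fields, modifier));
  return { allowed: permitted, reason: permitted ? 'allow rule matched' : 'no allow rule matched' };
}

// Constructed rule set (hypothetical): a logged-in user may change only their own
// `profile`; `services` (credentials, login tokens) is never writable from the client.
const ownProfileOnly = {
  allow: [
    (userId, user, fields) => userId === user._id && fields.length === 1 && fields[0] === 'profile',
  ],
  deny: [
    (userId, user, fields) => fields.includes('services'),
  ],
};

// Constructed sample documents; the first id reuses the one from the question.
const alice = { _id: '72277b27-3a53-4aa3-82b7-fb096060a8dc', profile: { name: 'Alice' } };
const bob = { _id: 'bob-0000', profile: { name: 'Bob' } };

// Each entry is the `allowed` verdict for one attempted client-side update.
function demo() {
  return {
    noRules: evaluateUpdate({ allow: [], deny: [] }, alice._id, alice, { $set: { foo: 'bar' } }).allowed,
    ownProfile: evaluateUpdate(ownProfileOnly, alice._id, alice, { $set: { 'profile.name': 'Al' } }).allowed,
    otherUser: evaluateUpdate(ownProfileOnly, bob._id, alice, { $set: { 'profile.name': 'Mallory' } }).allowed,
    arbitraryField: evaluateUpdate(ownProfileOnly, alice._id, alice, { $set: { foo: 'bar' } }).allowed,
    servicesField: evaluateUpdate(ownProfileOnly, alice._id, alice, { $set: { 'services.x': 1 } }).allowed,
    anonymous: evaluateUpdate(ownProfileOnly, null, alice, { $set: { 'profile.name': 'x' } }).allowed,
  };
}
```

Only `ownProfile` is accepted; the `$set: {foo: 'bar'}` attempt from the question is rejected both with no rules (default deny) and under the profile-only rule, and the deny rule blocks `services` regardless of any allow.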
Reputation: 27600
Seeing as Meteor.users is fresh on the auth branch and not part of an official release, I'd consider it bleeding-edge with the possibility of bugs (which you should report if you find any, by the way).
That being said, it appears to be designed with the goal of being tamper-proof and secure, given that it's part of an authentication system.
Upvotes: 1