user482594

Reputation: 17486

Meteor's source code open to the clients?

From a general glimpse of it, it seems that the source code for a Meteor app is open to the clients due to the 'Write one JavaScript file, run it on the client and server at once' theme.

If the server-side source code of a particular app is open to the client side, wouldn't it be easy for a random person to copy it and create a very similar-looking app?

Wouldn't it be easy for a person with an evil purpose to find security holes in the app, because its server-side code is open to the public?

For instance, in Meteor 0.5.0's new parties example app, the model.js file seems to be sent to the client side as well.

Am I misunderstanding something here?

Edit

Here is the part that I do not understand.

According to http://docs.meteor.com/#structuringyourapp,

Files outside the client and server subdirectories are loaded on both the client and the server! That's the place for model definitions and other functions

I really do not understand it. If every model implementation (including DB interaction) is sent to the client, wouldn't the app be less secure and easily copied by other developers?

Upvotes: 12

Views: 1875

Answers (2)

debergalis

Reputation: 11870

The best way to secure a client-server app is by writing explicit security checks on the server, rather than hiding the database update logic from the client.

For a longer explanation of the security model, see https://stackoverflow.com/a/13334986/791538.

Upvotes: 1

Tom Coleman

Reputation: 3037

Any code in the server/ folder will not get sent to the client (see http://docs.meteor.com/#structuringyourapp).

EDIT

Regarding the second part:

Any code not in client/ or server/ is code you want to run on both the client and the server side. So obviously it must be sent to the client.

The reason that you would place model code in there is because of latency compensation. If you want to make updates to your data, it's best to do it immediately client-side and then run the same code server side to 'commit' it for real. There are many examples where this would make sense.

If there is 'secret' model code that you don't want to run client side, you can certainly have a second server/models.js file.

Upvotes: 9
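As an added illustration of both answers (this is not code from the question, from either answer, or from Meteor itself), the split below is modelled in plain Node so it runs without Meteor. The `validatePartyInput` function stands for a file outside client/ and server/ that is bundled to the browser and run on both sides for latency compensation; `updateParty` stands for server/ code that never leaves the server. In a real Meteor app the server part would live in a `Meteor.methods` body and take the caller's identity from `this.userId`; here that identity is passed in as an argument. All function names, field names and the in-memory "database" are constructed for the example. The point it makes is the one debergalis states: an attacker who has read every line of this code still cannot edit a party they do not own, because the server checks ownership against the authenticated session rather than relying on the logic being hidden.

```javascript
'use strict';

// ---------- shared (would be e.g. lib/parties.js, shipped to the browser) ----------
// Input validation that runs on the client for latency compensation and again on
// the server. Shipping it gives nothing away: these are the same rules the server
// enforces no matter what the client does. Field names are assumptions.
function validatePartyInput(fields) {
  if (typeof fields !== 'object' || fields === null || Array.isArray(fields)) {
    throw new Error('invalid-input');
  }
  // Whitelist of client-editable fields; `owner` is deliberately absent.
  const allowed = new Set(['title', 'description', 'public']);
  for (const key of Object.keys(fields)) {
    if (!allowed.has(key)) throw new Error(`invalid-field: ${key}`);
  }
  if ('title' in fields &&
      (typeof fields.title !== 'string' || fields.title.length === 0 || fields.title.length > 100)) {
    throw new Error('invalid-title');
  }
  if ('description' in fields && typeof fields.description !== 'string') {
    throw new Error('invalid-description');
  }
  if ('public' in fields && typeof fields.public !== 'boolean') {
    throw new Error('invalid-public');
  }
  return true;
}

// ---------- server (would be server/parties.js, never sent to the client) ----------
// Authoritative handler. `userId` comes from the authenticated session (Meteor's
// `this.userId` inside a method), never from the request payload.
function updateParty(db, userId, partyId, fields) {
  validatePartyInput(fields);                      // same rules the client already ran
  if (!userId) throw new Error('not-logged-in');
  const party = db.get(partyId);
  if (!party) throw new Error('not-found');
  if (party.owner !== userId) throw new Error('not-authorized');  // the check that matters
  db.set(partyId, { ...party, ...fields });
  return db.get(partyId);
}

// Constructed in-memory stand-in for a Meteor collection.
function makeSampleDb() {
  return new Map([
    ['party-1', { owner: 'alice', title: 'Launch', public: true }],
    ['party-2', { owner: 'bob', title: 'Retro', public: false }],
  ]);
}

// Drive the handler as three different requests would and collect the outcomes.
function demo() {
  const db = makeSampleDb();
  const results = {};
  // Owner edits her own party: allowed.
  results.ownerEdit = updateParty(db, 'alice', 'party-1', { title: 'Launch party' }).title;
  // Another logged-in user tries to edit it: refused despite knowing the code.
  try {
    updateParty(db, 'bob', 'party-1', { title: 'hijacked' });
    results.strangerEdit = 'allowed';
  } catch (e) {
    results.strangerEdit = e.message;
  }
  // Owner tries to reassign ownership through the update path: refused by validation.
  try {
    updateParty(db, 'alice', 'party-1', { owner: 'alice-too' });
    results.ownerSwap = 'allowed';
  } catch (e) {
    results.ownerSwap = e.message;
  }
  return results;
}

console.log(demo());
```

Note that `validatePartyInput` is the only part that needs to be shared; the authorization decision stays server-only not because it is secret, but because only the server has a trustworthy `userId` to compare against.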
