Joscha

Reputation: 4693

Meteor: REST collection API and auth

In the need to expose part of my Meteor collections through REST, I stumbled across the Collection API Meteorite package.

Whereas this indeed makes it possible to expose a Meteor Collection through REST, it does not take any security into account. Is there any way I can integrate the Collection API with the Meteor auth system introduced in 0.5.2?

Upvotes: 2

Views: 1563

Answers (2)

kahmali

Reputation: 557

For anyone stumbling across this now, Restivus allows you to generate REST endpoints on collections, and configure user authentication and role permissions on those endpoints. The default authentication uses Meteor's built-in login token mechanism to authenticate a Meteor.user and provide access to this.user and this.userId in authenticated endpoints. You can also provide a custom authentication method if the default is too much, or not enough, for you. Here's a quick example (hope you can read CoffeeScript):

# Generates: GET, POST on /api/users and GET, DELETE on /api/users/:id for
# Meteor.users collection
Restivus.addCollection Meteor.users
  excludedEndpoints: ['deleteAll', 'put']
  routeOptions:
    authRequired: true
  endpoints:
    post:
      authRequired: false
    delete:
      roleRequired: 'admin'

Upvotes: 1

TimDog

Reputation: 8928

Yes, kinda. Using the REST meteorite package, you can declare your collection and then use the allow rules on the collection, but with a couple caveats (NOTE: this is pseudo-code that requires more work!):

Players = new Meteor.Collection("players");

//a collection of associated userids and auth token headers
APIUsers = new Meteor.Collection("apiusers"); 

Players.allow({
    insert: function (userId, doc) {
        //invoking this from a RESTful context means the userId is NOT 
        //available, so you'll need to do three things: 
        //    (1) a way to get the current http request's X-Auth-Token header
        //    (2) a collection to look up the user(s) associated with 
        //        that token
        //    (3) and an owner field on the Players collection to join back 
        //        to the found userids.
        var entry = APIUsers.findOne({XAuthToken: __CURRENT_X_AUTH_TOKEN__});
        //an unknown token yields no entry: deny rather than throw
        if (!entry) { return false; }
        return _.indexOf(entry.users, doc.owner) > -1;
    },
    update: function (userId, docs, fields, modifier) {
       /* similar logic */
    },
    remove: function (userId, docs) {
       /* similar logic */
    },
    fetch: ['owner']
});

BUT while I think the RESTful approach will prove useful in integrating legacy applications into a Meteor context, I would highly recommend looking into the DDP protocol for integration of new projects.

As you can see above, the allow rules do not expose a GET callback, presumably because the expectation is the GET is defined in the publication the server exposes. A DDP client is wired at a lower level to subscribe to these publications, so GETs in this context will be much more granular than a RESTful approach.

Upvotes: 3
