6:[["$","$Le",null,{}],["$","div",null,{"className":"min-h-screen bg-gray-100 p-6","children":[["$","$Lf",null,{}],["$","script",null,{"type":"application/ld+json","dangerouslySetInnerHTML":{"__html":"{\"@context\":\"https://schema.org\",\"@type\":\"QAPage\",\"mainEntity\":{\"@type\":\"Question\",\"name\":\"Meteor.methods and security\",\"text\":\"

say I have a Meteor.method addCredits(user, amount), that add the specified amount of credits to the user account. Then what is stopping a potential hacker from just scanning the source code, find the method, and call it from the client console?

\\n\",\"author\":{\"@type\":\"Person\",\"name\":\"Tarlen\"},\"upvoteCount\":2,\"answerCount\":2,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"

Nothing is stopping a hacker from doing that. In the method, you must check that the user has done something that gives him the right to call the method.

\\n\",\"author\":{\"@type\":\"Person\",\"name\":\"Peppe L-G\"},\"upvoteCount\":0}}}"}}],["$","div",null,{"className":"bg-white shadow-md rounded-lg p-6 mb-6 relative","children":[["$","div",null,{"className":"absolute top-4 right-4 flex flex-wrap space-x-2","children":[["$","span","security",{"className":"bg-blue-600 text-white text-sm px-3 py-1 rounded-full","children":["$","$L10",null,{"href":"/discussion/tag/security/1","children":"security"}]}],["$","span","methods",{"className":"bg-blue-600 text-white text-sm px-3 py-1 rounded-full","children":["$","$L10",null,{"href":"/discussion/tag/methods/1","children":"methods"}]}],["$","span","meteor",{"className":"bg-blue-600 text-white text-sm px-3 py-1 rounded-full","children":["$","$L10",null,{"href":"/discussion/tag/meteor/1","children":"meteor"}]}]]}],["$","div",null,{"className":"flex items-center mb-4","children":[["$","img",null,{"src":"https://www.gravatar.com/avatar/b51e830c084ae1ffcc9914028e4c9a94?s=256&d=identicon&r=PG&f=y&so-version=2","alt":"Tarlen","className":"w-16 h-16 rounded-full border"}],["$","div",null,{"className":"ml-4","children":[["$","a",null,{"href":"https://stackoverflow.com/users/3287921/tarlen","target":"_blank","rel":"noopener noreferrer","className":"text-lg font-semibold text-blue-600 hover:underline","children":"Tarlen"}],["$","p",null,{"className":"text-sm text-gray-500","children":["Reputation: ",3797]}]]}]]}],["$","h1",null,{"className":"text-2xl font-bold text-gray-800 mb-4","children":"Meteor.methods and security"}],["$","p",null,{"className":"text-gray-700 mt-4","dangerouslySetInnerHTML":{"__html":"

\n"}}],["$","div",null,{"className":"text-gray-600 text-sm mt-4","children":[["$","p",null,{"children":["Upvotes: ",2]}],["$","p",null,{"children":["Views: ",79]}]]}]]}],["$","div",null,{"className":"container mx-auto","children":[["$","h2",null,{"className":"text-2xl font-semibold text-gray-800 mb-6","children":["Answers (",2,")"]}],[["$","div","25831080",{"className":"bg-white shadow-md rounded-lg p-6 mb-6","children":[["$","div",null,{"className":"flex items-center mb-4","children":[["$","img",null,{"src":"https://i.sstatic.net/rd5Rc.jpg?s=256","alt":"Peppe L-G","className":"w-12 h-12 rounded-full border"}],["$","div",null,{"className":"ml-4","children":[["$","a",null,{"href":"https://stackoverflow.com/users/2104665/peppe-l-g","target":"_blank","rel":"noopener noreferrer","className":"text-lg font-semibold text-blue-600 hover:underline","children":"Peppe L-G"}],["$","p",null,{"className":"text-sm text-gray-500","children":["Reputation: ",8345]}]]}]]}],["$","p",null,{"className":"text-gray-700 mb-4","dangerouslySetInnerHTML":{"__html":"

Nothing is stopping a hacker from doing that. In the method, you must check that the user has done something that gives him the right to call the method.

\n"}}],["$","div",null,{"className":"text-gray-600 text-sm","children":["$","p",null,{"children":["Upvotes: ",0]}]}]]}],["$","div","25830831",{"className":"bg-white shadow-md rounded-lg p-6 mb-6","children":[["$","div",null,{"className":"flex items-center mb-4","children":[["$","img",null,{"src":"https://www.gravatar.com/avatar/2797e33afdc79bbc718f1e410570acc8?s=256&d=identicon&r=PG&f=y&so-version=2","alt":"user728291","className":"w-12 h-12 rounded-full border"}],["$","div",null,{"className":"ml-4","children":[["$","a",null,{"href":"https://stackoverflow.com/users/728291/user728291","target":"_blank","rel":"noopener noreferrer","className":"text-lg font-semibold text-blue-600 hover:underline","children":"user728291"}],["$","p",null,{"className":"text-sm text-gray-500","children":["Reputation: ",4138]}]]}]]}],["$","p",null,{"className":"text-gray-700 mb-4","dangerouslySetInnerHTML":{"__html":"

Making sure users only execute methods they are allowed to is done by checking this.userId within the method on the server. That id gets set when the user logs in and is available in all methods. If no user is logged in this.userId equals null inside a method.

\n\n

Management of user account and associating the userId with a connection is handled by using the accounts system, such as using the packages 'accounts-base' and 'accounts-password'. The accounts system is documented here.

\n\n

this.userId is documented here.

\n\n

An example of how to restrict method execution is here.

\n"}}],["$","div",null,{"className":"text-gray-600 text-sm","children":["$","p",null,{"children":["Upvotes: ",2]}]}]]}]]]}],["$","div",null,{"className":"bg-white shadow-md rounded-lg p-6 mt-6","children":[["$","h2",null,{"className":"text-2xl font-semibold text-gray-800 mb-4","children":"Related Questions"}],["$","ul",null,{"className":"list-disc list-inside","children":[["$","li","50061896",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/50061896","className":"text-blue-600 hover:underline","children":"MeteorJS App Security"}]}],["$","li","35486973",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/35486973","className":"text-blue-600 hover:underline","children":"Making Vote System Secure Meteor.Methods"}]}],["$","li","32266548",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/32266548","className":"text-blue-600 hover:underline","children":"Meteor: How to prevent client from accessing methods"}]}],["$","li","26696591",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/26696591","className":"text-blue-600 hover:underline","children":"How is Meteor secure?"}]}],["$","li","26330804",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/26330804","className":"text-blue-600 hover:underline","children":"Safe Methods in Meteor"}]}],["$","li","29786144",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/29786144","className":"text-blue-600 hover:underline","children":"Meteor templates security"}]}],["$","li","29221214",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/29221214","className":"text-blue-600 hover:underline","children":"why would meteor be considered insecure?"}]}],["$","li","15261946",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/15261946","className":"text-blue-600 hover:underline","children":"Protecting data on the client"}]}],["$","li","21763431",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/21763431","className":"text-blue-600 hover:underline","children":"Security for Meteor methods while allowing server to run code too"}]}],["$","li","14666232",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/14666232","className":"text-blue-600 hover:underline","children":"Secure meteor admin functionality"}]}]]}]]}]]}],["$","$L11",null,{}],["$","$L12",null,{}],["$","$L13",null,{}],["$","$L14",null,{}],["$","$L15",null,{}]]

Meteor.methods and security

Answers (2)

Related Questions