trusktr

Reputation: 45454

How is Meteor secure?

The docs suggest using Meteor.methods to create methods that are secure.

Is it possible for a user to write code in a browser's console that will allow the user to circumvent security and send arbitrary data to the server database (MongoDB)? If not, why not?

Upvotes: 0

Views: 127

Answers (1)

David Weldon

Reputation: 64312

Yes, but only if the method fails to check its inputs and context. Fortunately, Meteor provides the tools to make this task pretty straightforward. Let's look at an example method I used to answer this question. sendMessage is a method which lets a user send a message in a chat room:

Meteor.methods({
  sendMessage: function(message, roomId) {
    // Reject anything that is not a plain string before it reaches the database.
    check(message, String);
    check(roomId, String);

    // Inside a method, the caller's identity is exposed as this.userId (null when logged out).
    if (!this.userId)
      throw new Meteor.Error(401, 'You must be logged in.');

    if (_.isEmpty(message))
      throw new Meteor.Error(403, 'Message must not be empty.');

    var room = Rooms.findOne(roomId);

    if (!room)
      throw new Meteor.Error(404, 'Room not found.');

    // Authorization: the caller must be a member of the room they post to.
    if (!_.contains(room.members, this.userId))
      throw new Meteor.Error(403, 'You are not in the room.');

    // Only server-verified values are written; the client never supplies userId.
    return Messages.insert({
      userId: this.userId,
      roomId: roomId,
      message: message
    });
  }
});

Here are the validations:

  • Ensure the inputs are of the correct type by using check (prevents injection attacks).
  • Ensure that the user is logged in (see the accounts API).
  • Ensure the message is well formed.
  • Ensure that the room exists.
  • Ensure that the current user is actually in the room.

Contrast this with a naive implementation of sendMessage:

Meteor.methods({
  sendMessage: function(message, roomId) {
    return Messages.insert({
      userId: this.userId,
      roomId: roomId,
      message: message
    });
  }
});

Here, any connected client could open a terminal and start injecting messages into any chat room. Worse yet, message could be an object and cause all sorts of unintended consequences for other clients.

There is no free lunch with security - you should validate everything and assume the worst. However, if you make the effort, you can in fact generate highly secure methods.

I'd strongly recommend having a look at Emily Stark's Meteor Meets Mallory talk where she covers these points in more detail.

Upvotes: 2
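The layered checks from the answer above, re-implemented here as an added example that is not part of the original post and does not depend on Meteor: check(), Rooms and Messages are minimal in-memory stand-ins (assumptions, not Meteor's real API), so the method can be exercised in plain Node, including the case where a client passes an object instead of a string.

```javascript
// Added example: Meteor-free re-implementation of the validated sendMessage method.
// MethodError stands in for Meteor.Error (assumption: same code/reason shape).
class MethodError extends Error {
  constructor(code, reason) { super(reason); this.code = code; }
}

// Minimal emulation of Meteor's check(value, String): anything that is not a
// primitive string (objects, arrays, numbers, null, undefined) is rejected.
function check(value, pattern) {
  if (pattern === String && typeof value !== 'string') {
    throw new MethodError(400, 'Match failed: expected a string');
  }
}

// Constructed fixture standing in for the Rooms and Messages collections.
const Rooms = new Map([['room1', { _id: 'room1', members: ['alice', 'bob'] }]]);
const Messages = [];

// ctx mimics the method's `this`; ctx.userId is null when the caller is logged out.
function sendMessage(ctx, message, roomId) {
  check(message, String);                       // type validation first
  check(roomId, String);
  if (!ctx.userId) throw new MethodError(401, 'You must be logged in.');
  if (message.length === 0) throw new MethodError(403, 'Message must not be empty.');
  const room = Rooms.get(roomId);
  if (!room) throw new MethodError(404, 'Room not found.');
  if (!room.members.includes(ctx.userId)) {
    throw new MethodError(403, 'You are not in the room.');
  }
  // Only server-verified values are stored; the client never chooses userId.
  Messages.push({ userId: ctx.userId, roomId, message });
  return Messages.length;                       // stand-in for the inserted id
}

// Returns the error code a call produces, or null when the message is accepted.
function errorCodeOf(ctx, message, roomId) {
  try {
    sendMessage(ctx, message, roomId);
    return null;
  } catch (e) {
    if (e instanceof MethodError) return e.code;
    throw e;
  }
}
```

Each rejected call maps to one of the bullets in the answer; only a logged-in room member sending a non-empty string reaches Messages.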
