JLavoie

Reputation: 17596

Meteor: what code goes on the client side and server side?

I just don't know exactly what I should put on the server side and what on the client side. I understand that the templates go on the client side. But what about the JavaScript code? Can you give me an example of some code going on the server side?

Upvotes: 2

Views: 3304

Answers (4)

Kyll

Reputation: 7139

Here is an example for a collection: Declare, publish and subscribe to it.

Server and client (any directory except private, client, or server; don't use public for that either), declare the collection:

Rocks = new Meteor.Collection('rocks');

Server-side (server directory or in a Meteor.isServer condition), publish the collection:

Meteor.publish('allRocks', function()
{
    return Rocks.find();
});

Client-side (client directory or in a Meteor.isClient condition), subscribe to the publication:

Meteor.subscribe('allRocks');

You can find a lot of examples in the documentation or in this blog (Discover Meteor).

Edit: For more precision according to OP's question... All code is shared by default (executed by both the server and the client). However, files in the server and private directories will never be sent to the client.

Upvotes: 1

Rajanand02

Reputation: 1303

You can write all your business logic and complex database operations in your server side code. Typically the code you don't want to serve to the client.

For example.

Method calls

// client-side
Template.post.events({
  "click #add-post": function(e) {
    var post, post_object;
    post = $("#post-message").val().trim();
    post_object = {
      user_id: Meteor.userId(),
      post: post
    };
    Meteor.call("create_post", post_object, function(error, response) {
      if (error) {
        // ...do something
      } else {
        // ...do something else
      }
    });
  }
});

// server-side
Meteor.methods({
  create_post: function(post_object) {
    return Posts.insert(post_object);
  }
});

publish / subscribe

// common
Posts = new Mongo.Collection("posts");

// client-side
Meteor.subscribe("posts");

// server-side
Meteor.publish("posts", function(limit) {
  return Posts.find({
    user_id: this.userId
  });
});

HTML, CSS and template managers should go into the client-side code. Meteor methods and publishers should go into the server-side code. Read more about structuring the app and data security in the official docs.

Upvotes: 5

Mário

Reputation: 1612

You use Meteor.isClient and Meteor.isServer to load the code in the proper place.

Using the folder:

  • server - goes to the server duh!
  • client - goes to the client duh!
  • both - shared code

Everything that is placed outside client or server is loaded in both places.

When you create a Meteor package, you have to add the files manually and specify where they should be loaded, for example:

api.add_files(['my-packages.js', 'another-file.js'], 'client');
api.add_files(['server/methods.js'], 'server');

In this example, although you have a server folder, it doesn't mean that it will be placed on the server, in the package scenario.

Sometimes you have code that is going to run on the client and server, but some functionality might only be present on the server or the client.

Example:

ImageManager = {
  uploadImageToAmazonS3 : function(){
    if(Meteor.isServer){
      //your code goes here
      //YOU DON'T WANT TO SEND YOUR AMAZON PRIVATE KEY TO THE CLIENT
      //BAD THINGS CAN HAPPEN LIKE A HUGE BILL

      var amazonCredentials = Config.amazon.secretKey;
    }
    else{
      throw new Error("You can't call this on the client.");
    }
  }
}

This is a scenario where you can add functions that the client can do, like resizeImage, cropImage, etc., and the server can also do this; this is shared code. Sending a private API key to the client is out of the question, but this file will be shared by the server and client.

Documentation: http://docs.meteor.com/#/basic/Meteor-isServer

According to the documentation this doesn't prevent the code from being sent to the client, it simply won't run.

With this approach an attacker knows how things work on the server and might try an attack vector based on the code that you sent to him.

The best option here is to extend the ImageManager only on the server. On the client this function shouldn't even exist, or you can simply add a function throwing an error: "Not available".

Upvotes: 0

pahan

Reputation: 2453

  1. If you create a directory named client, that goes only to the client.

  2. If you create a directory named server, that goes only to the server.

  3. Everything else you code goes to both the client and the server (even if you use a Meteor.isServer check).

You can read more about directory structure here.

Upvotes: 0
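The directory rules in the last two answers, and the point that a Meteor.isServer branch in shared code is still shipped to the browser, can be checked mechanically over a file listing. The following is an added example, not code from any of the answers: it runs in plain Node.js without Meteor and covers app directories only, not packages. The sample paths and contents are constructed, the function names are hypothetical, and the secret-matching regex is an assumed heuristic.

```javascript
// Added example; plain Node.js, no Meteor needed. Sample files are constructed.
const SECRET_HINT = /secret|private[_-]?key|password|token/i; // assumed heuristic

// App-level rule from the answers: a directory named "server" (any depth) or a
// top-level "private" directory is never sent to the client; all else is.
function sentToClient(path) {
  const dirs = path.split("/").filter(Boolean).slice(0, -1);
  return dirs[0] !== "private" && !dirs.includes("server");
}

// Bodies of every `if (Meteor.isServer) { ... }` in a source string. Brace
// matching is naive: braces inside strings or comments are counted too.
function isServerBlocks(source) {
  const blocks = [];
  const re = /if\s*\(\s*Meteor\.isServer\s*\)\s*\{/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    let depth = 1, i = re.lastIndex;
    for (; i < source.length && depth > 0; i++) {
      if (source[i] === "{") depth++;
      else if (source[i] === "}") depth--;
    }
    blocks.push(source.slice(re.lastIndex, depth === 0 ? i - 1 : i));
  }
  return blocks;
}

// Files that reach the browser yet carry server-only branches.
function auditBundle(files) {
  const findings = [];
  for (const [path, source] of Object.entries(files)) {
    const blocks = sentToClient(path) ? isServerBlocks(source) : [];
    if (blocks.length === 0) continue;
    const secretLike = blocks.some((b) => SECRET_HINT.test(b));
    findings.push({ path, blocks: blocks.length, secretLike });
  }
  return findings;
}

const SAMPLE_FILES = { // constructed
  "lib/image-manager.js": "ImageManager = { uploadImageToAmazonS3: function () {\n" +
    "  if (Meteor.isServer) { var amazonCredentials = Config.amazon.secretKey; }\n" +
    "  else { throw new Error(\"You can't call this on the client.\"); } } };",
  "server/methods.js": "if (Meteor.isServer) { var key = Config.amazon.secretKey; }",
  "client/views/post.js": "Meteor.subscribe('posts');",
  "both/startup.js": "if (Meteor.isServer) { Meteor.startup(function () {}); }",
};

console.log(auditBundle(SAMPLE_FILES));
```

A finding with secretLike set to true marks code to move into a server directory; the other findings only reveal server logic to anyone reading the client bundle.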
