Mabeh Al-Zuq Yadeek

Reputation: 84

Source code viewable in Chrome JS console

Haven't found an answer to this anywhere, so I'll try SO...

When I run my Meteor app on localhost and navigate to my Chrome JS console, under the "Sources" tab I can see the entire source code of my code in my lib folder.

I put most of my code in the lib folder of my Meteor app because it's necessary that the code loads before anything else in order for everything in my client templates to render correctly. I've placed it in the lib folder ever since I started building the app months ago.

Anyway, is the source code going to be viewable like this if the app goes into production without the insecure package? Or will I be forced to move the code over to the client and re-configure my entire script?

Upvotes: 0

Views: 478

Answers (3)

Michel Floyd

Reputation: 20246

  1. Put server code you want to hide from the client under /server
  2. Put code that needs to run on both client and server under /lib
  3. Put client-only code under /client
  4. Do not put secrets (ex: auth keys) in any code. Use environment variables or a config.json file.
  5. The insecure and autopublish packages have nothing to do with javascript code visibility, only with collection data.

As @Kyll said, all your client and lib code will be minified and concatenated into one giant file and visible to all clients. JS can be de-minified, but that won't restore the original variable names or any comments, of course. An attacker can step through your client code, save it, and generally reverse-engineer it at will. That doesn't mean it's easy.

You may find these resources helpful.

Upvotes: 2

Azaruddin Sherif

Reputation: 33

Insecure, when present, helps you in accessing the db from the client without restrictions (console interactions).

When removed, it will revoke all access that the client might have to the db, and the only way to do interactions with the db would be with the help of Meteor Methods and Calls.

You may also need to remove autopublish and replace the same with Meteor.publish and Meteor.subscribe.

Please review the below links for more info: https://www.meteor.com/tutorials/blaze/security-with-methods https://www.meteor.com/tutorials/blaze/publish-and-subscribe

Hope this helps.

Upvotes: 0
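The two answers above make the same structural point: client and /lib code is always visible, so authorization, argument validation and secrets have to live in server-only code that the client reaches through Meteor Methods, and publications have to filter per user. The following is an added, stand-alone illustration of that pattern (not code from the question, the answers, or the Meteor project). It is plain Node.js: `defineMethods`, `callMethod` and `publishMyPosts` are hypothetical names standing in for what Meteor.methods, Meteor.call and Meteor.publish do over DDP, the `Posts` array is a constructed stand-in for a Mongo collection, and `PAYMENT_API_KEY` is read from an environment variable with a constructed fallback so the file runs offline.

```javascript
// Added example: a Node.js model of "secrets and checks on the server only".
// Not Meteor's API: defineMethods/callMethod/publishMyPosts are hypothetical
// stand-ins for Meteor.methods / Meteor.call / Meteor.publish.

// A secret belongs in the environment (or a server-only config file), never in
// a source file that is bundled for the browser. Constructed fallback so the
// example runs offline without any setup.
const PAYMENT_API_KEY = process.env.PAYMENT_API_KEY || "constructed-dev-key-1234";

// Constructed in-memory stand-in for a Mongo collection.
const Posts = [
  { _id: "p1", owner: "alice", title: "hello", secretDraft: "alice only" },
  { _id: "p2", owner: "bob", title: "world", secretDraft: "bob only" },
];

// ---- everything from here to the RPC stand-in would live under /server ----
const serverMethods = {};

// Register named methods; `this.userId` is set by the dispatcher per call.
function defineMethods(map) {
  Object.assign(serverMethods, map);
}

defineMethods({
  "posts.rename"(postId, newTitle) {
    // Authorization: anonymous callers are refused before anything else.
    if (!this.userId) throw new Error("not-authorized");
    // Validation: client-supplied arguments are untrusted input.
    if (typeof postId !== "string" || typeof newTitle !== "string" ||
        newTitle.length === 0 || newTitle.length > 100) {
      throw new Error("invalid-argument");
    }
    // Ownership check: a logged-in user may still only touch their own document.
    const post = Posts.find((p) => p._id === postId);
    if (!post || post.owner !== this.userId) throw new Error("not-authorized");
    post.title = newTitle;
    return post._id;
  },
  "payments.charge"(amountCents) {
    if (!this.userId) throw new Error("not-authorized");
    if (!Number.isInteger(amountCents) || amountCents <= 0) {
      throw new Error("invalid-argument");
    }
    // The key is used here on the server; the client only ever sees the result.
    return { ok: true, keyFingerprint: PAYMENT_API_KEY.slice(-4), amountCents };
  },
});

// Publication stand-in: filter per subscriber and project away fields the
// subscriber must not receive (secretDraft never leaves the server).
function publishMyPosts(userId) {
  if (!userId) return [];
  return Posts
    .filter((p) => p.owner === userId)
    .map(({ _id, owner, title }) => ({ _id, owner, title }));
}

// ---- stand-in for the RPC layer: what a Meteor.call from the browser does ----
function callMethod(userId, name, ...args) {
  const method = serverMethods[name];
  if (!method) throw new Error("method-not-found");
  return method.apply({ userId }, args);
}

// Small helper so callers can inspect a rejection as a value.
function expectError(fn) {
  try { fn(); return null; } catch (e) { return e.message; }
}

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  console.log(callMethod("alice", "posts.rename", "p1", "renamed"));
  console.log(expectError(() => callMethod(null, "posts.rename", "p1", "x")));
  console.log(expectError(() => callMethod("bob", "posts.rename", "p1", "x")));
  console.log(publishMyPosts("bob"));
}
```

Run it with `node` to see an owner rename succeed, an anonymous and a non-owner call both rejected with `not-authorized`, and bob's subscription carrying only his own document without the `secretDraft` field. The point to carry back to Meteor is that none of the checks, and not the key, appear in any file that the browser downloads.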

ericvrp

Reputation: 11

Users will always be able to see all client-side code through the console, which is why anything security-related should be server-side only. I would just split it up into the server and client directory, and server/lib and client/lib if needed.

Upvotes: 0
