Ankur Soni

Reputation: 6018

Disable Meteor.user() details on browser console

Is there a way to disable the details within Meteor.user() on Browser console in production mode?

Below is the snapshot of what I see when I deploy my code in production. This is very insecure as far as client details are concerned.

Below is the image

Upvotes: 0

Views: 226

Answers (3)

Afif Sohaili

Reputation: 246

You do not want to use the profile field on a Meteor.users document, since that is always published to the client.

See here: https://guide.meteor.com/accounts.html#dont-use-profile

What I would suggest is to move all the sensitive data from the profile field and into the top-level key of the users document.

import { Meteor } from 'meteor/meteor'
import { Template } from 'meteor/templating'

if (Meteor.isServer) {
  // with document:
  // Document {
  //   _id: '123',
  //   services: { /* */ },
  //   profile: { /* */ },
  //   subscription: { /* */ }
  // }

  Meteor.publish('users.subscriptions', function() {
    // Publish only the logged-in user's own document, identified by the
    // connection's this.userId (never a client-supplied id), and only the
    // `subscription` field of it.
    if (!this.userId) {
      return this.ready()
    }
    return Meteor.users.find({ _id: this.userId }, { fields: { subscription: 1 } })
  })
}

if (Meteor.isClient) {
  Template.home.onCreated(function() {
    this.autorun(() => {
      const user = Meteor.user()
      console.log(user && user.subscription) // `undefined` at this point
      this.subscribe('users.subscriptions', function() {
        console.log(Meteor.user().subscription) // returns user's subscription
      })
    })
  })
}

You can make use of libraries such as percolate:migrations to migrate the data to a top-level key.

meteor add percolate:migrations

And then:

// server/migrations/1-move-all-profile-info-to-top-level.js
import { Meteor } from 'meteor/meteor'
import { _ } from 'meteor/underscore'
import { Migrations } from 'meteor/percolate:migrations'

Migrations.add({
  version: 1,
  up: function() {
    _.each(Meteor.users.find().fetch(), function(user) {
      const profile = user.profile || {} // tolerate users with no profile
      Meteor.users.update(user._id, {
        $set: {
          subscription: profile.subscription,
          // other fields that need migrating
          profile: null // empty out the profile field
        }
      })
    })
  }
})

Meteor.startup(() => {
  Migrations.migrateTo('latest')
})

Upvotes: 0
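To make the point of the answer above concrete, here is an added example (not code from the answer or from Meteor itself) that runs in plain Node. It models two Meteor behaviours: the accounts package publishes `username`, `emails` and `profile` of the logged-in user by default, and the client merges the fields delivered by every active publication for the same `_id`. The user document, the `moveOutOfProfile` helper and the field names are constructed for illustration; the projection handles top-level fields only.

```javascript
// Constructed sample of a users document as it exists on the server.
const serverUser = {
  _id: 'u123',
  username: 'alice',
  emails: [{ address: 'alice@example.com', verified: true }],
  services: { password: { bcrypt: '<hash placeholder>' } },
  profile: { name: 'Alice', subscription: { plan: 'pro', billingId: '<placeholder>' } },
};

// Fields the accounts package publishes for the logged-in user by default.
const ACCOUNTS_DEFAULT_FIELDS = { username: 1, emails: 1, profile: 1 };

// Minimal Mongo-style inclusion projection over top-level fields; _id is always sent.
function project(doc, fields) {
  const out = { _id: doc._id };
  for (const key of Object.keys(fields)) {
    if (fields[key] && Object.prototype.hasOwnProperty.call(doc, key)) out[key] = doc[key];
  }
  return out;
}

// The client merges, per _id, the fields delivered by every active publication.
function clientView(doc, publishedFieldSets) {
  return publishedFieldSets.reduce((acc, fields) => Object.assign(acc, project(doc, fields)), {});
}

// Pure stand-in for the migration step: lift the given keys out of profile to the top level.
function moveOutOfProfile(doc, keys) {
  const profile = Object.assign({}, doc.profile);
  const lifted = {};
  for (const k of keys) {
    if (k in profile) { lifted[k] = profile[k]; delete profile[k]; }
  }
  return Object.assign({}, doc, lifted, { profile });
}

// What the browser console sees while the data still lives under profile.
function beforeMigration(doc) { return clientView(doc, [ACCOUNTS_DEFAULT_FIELDS]); }

// After migration, with only the default accounts publication active.
function afterMigration(doc) {
  return clientView(moveOutOfProfile(doc, ['subscription']), [ACCOUNTS_DEFAULT_FIELDS]);
}

// After migration, once the client has subscribed to 'users.subscriptions'.
function afterMigrationSubscribed(doc) {
  const migrated = moveOutOfProfile(doc, ['subscription']);
  return clientView(migrated, [ACCOUNTS_DEFAULT_FIELDS, { subscription: 1 }]);
}
```

`beforeMigration` shows the billing data reaching the console through `profile`, `afterMigration` shows it gone, and `afterMigrationSubscribed` shows it coming back only through the dedicated publication.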

Aboobakkar P S

Reputation: 806

Don't save sensitive data in Meteor.user().

Rather, make another Collection and associate it through _id.

Use Publish And Subscribe carefully.

Upvotes: 0

Artūrs Lataks

Reputation: 188

Just don't publish sensitive data to client, keep your logic regarding user memberships on server.

Upvotes: 1
