dthree

Reputation: 20730

Meteor build is importing server side code to client

My Meteor project has a server-side secret in the /imports directory that should not ever go to the client.

When viewing the source on a client, I noticed the file is in fact imported.

I searched my project directory and the only import this could have happened on contained this code in a file that is shared client / server:

if (Meteor.isServer) {
    import secret from '../imports/config/secret';
    // ...
}

I am guessing the build tool saw the import and merged it regardless.

Is there a way around this? I need to use the secret in this file, however only if Meteor is running server-side!


Note: Please don't answer telling me that all server-side keys, etc. should not publish with the build. It's not quite the same thing.

Upvotes: 0

Views: 341

Answers (1)

zim

Reputation: 2386

the isServer construct protects code from being run on the client, but it does not prevent those bytes from being served. you indicated the file itself is shared between client and server, and that's your issue.

you need to move that code to a file which is served only to the server. i.e. in a folder called "server", or a subfolder of that.

from https://guide.meteor.com/structure.html#special-directories :

Any directory named server/ is not loaded on the client. Similar to wrapping your code in if (Meteor.isServer) { ... }, except the client never even receives the code. Any sensitive code that you don’t want served to the client, such as code containing passwords or authentication mechanisms, should be kept in the server/ directory.

Upvotes: 3
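A simplified model of the loading rules described in the answer, as an added example that is not part of the original question or answer. It assumes Meteor's default load rules (files outside `imports/` load eagerly, files under `imports/` only when imported), follows relative imports only, and runs on a constructed project map whose file names are hypothetical.

```javascript
// Constructed sample mirroring the question's layout; file names and contents are assumptions.
const sampleProject = {
  'lib/shared.js':
    "if (Meteor.isServer) {\n  import secret from '../imports/config/secret';\n}\n",
  'imports/config/secret.js': "export default 'constructed-placeholder';\n",
  'server/main.js': "// server-only startup code\n",
};

// Directory names on the path to a file (the file name itself is excluded).
const dirsOf = (file) => file.split('/').slice(0, -1);
// Meteor does not load anything under a directory named server/ on the client.
const isServerOnly = (file) => dirsOf(file).includes('server');
// Files under imports/ are lazy: they are bundled only when something imports them.
const isLazy = (file) => dirsOf(file).includes('imports');

// Relative import/require specifiers; a surrounding Meteor.isServer guard is ignored on purpose.
function importsOf(source) {
  const re = /(?:from\s+|import\s+|require\(\s*)['"](\.{1,2}\/[^'"]+)['"]/g;
  return [...source.matchAll(re)].map((m) => m[1]);
}

// Resolve a relative specifier against the importing file, trying common suffixes.
function resolve(files, importer, spec) {
  const parts = dirsOf(importer);
  for (const seg of spec.split('/')) {
    if (seg === '..') parts.pop();
    else if (seg !== '.') parts.push(seg);
  }
  const base = parts.join('/');
  return [base, `${base}.js`, `${base}/index.js`].find((p) => typeof files[p] === 'string');
}

// Files that reach the client: eager non-server files plus everything they import.
function clientBundle(files) {
  const queue = Object.keys(files).filter((f) => !isServerOnly(f) && !isLazy(f));
  const seen = new Set(queue);
  while (queue.length) {
    const file = queue.shift();
    for (const spec of importsOf(files[file])) {
      const target = resolve(files, file, spec);
      if (target && !isServerOnly(target) && !seen.has(target)) {
        seen.add(target);
        queue.push(target);
      }
    }
  }
  return [...seen].sort();
}
console.log(clientBundle(sampleProject));
```

Any path in the result that holds credentials is being served to browsers; moving it under a `server/` directory, together with the code that imports it, removes it from the list.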
