How to prevent Meteor.call from calling JavaScript console?

Question

How to prevent Meteor.call from calling JavaScript console?

I just noticed that Meteor.call , a concept that prevents the user from calling the insert, insert, update, delete method, can still be called from the JavaScript console.

For an example client:

 // client ... Meteor.call('insertProduct', productInfo); ...

Here is the server part:

 // server Meteor.methods({ insertProduct: function( productInfo ){ Product.insert(...); } })

OK, I know that people cannot reference Product.insert () directly from their JavaScript console.

But if they try a little more, they will find there Meteor.call() in client-side JavaScript from the resource tab of the developer tool.

So now they can try to call Meteor.call from their console, and then try to guess what productInfo should be.

So wondering how we can prevent this final action? Does Meteor.call work well enough? or am i missing something important?

+5

javascript meteor

Teerasej Feb 01 '16 at 2:17

source share

5 answers

Stephen woods · Answer 1 · 2016-02-01T02:55:34+0000

Meteor.call is a global function, like window.alert() . Unfortunately, you cannot do anything to prevent the user from calling Meteor.call. However, you can check the data schema and the actual data about what the user is sending. I would recommend https://github.com/aldeed/meteor-simple-schema (aldeed: simple-schema as the name of the meteor package) so that you don't get garbage data in your project.

S. Francis · Answer 2 · 2016-04-27T01:51:28+0000

As others have pointed out, Meteor.call can certainly be used from the console. The subtle issue here is that there may be a legitimate user of the meteorite application, which in turn can do bad things on the server. Therefore, even if you check on the server if the user is legal, this alone does not guarantee that the data is protected.

This is not a problem only with the Meteor. I think that all such applications will have to potentially protect their data from corruption, even through legitimate users.

One way to protect this distortion is to use IIFE (Expression Exited Function Expression)

Wrap your module in IIFE. A personal variable is stored inside the lock, in which a unique key of use time (k1) is stored. This key should be placed there using a different route — perhaps by ensuring that the collection observer is launched in the client at startup. Other strategies can be used here. The idea is for the protein in the k1 value from the server and put it in a private variable

Then each time you call Meteor.call from within the code, pass k1 as one of the parameters. The server, in turn, checks to see if k1 is legitimate for this browser connection.

Since k1 was stored inside a private variable in the closure that was called by IIFE, it would be difficult for someone in the browser console to determine the value of k1. Therefore, although "Meteor.call" can indeed be called from the browser console, this does not harm. This approach should be a pretty good deterrent for data corruption.

ko0stik · Answer 3 · 2016-02-01T17:50:28+0000

As @Faysal mentioned, you have several ways to ensure that your calls are legitimate. An easy step for this is to implement alanning:roles and perform a role check from your method as follows:

 Meteor.methods({ methodName: function() { if (!Roles.userIsInRole(this.userId, 'admin')) { throw new Meteor.Error(403, 'not authorized); } else { yourcode });

Thus, only user users can call the method.

Note that you can also check this.connection inside the method and determine if the call comes from the server ( this.connection === false ) or from the client.

In general, doing checks and manipulating data from your methods is a good way. Allow / Deny is nice to start from the beginning, but it becomes very difficult to maintain when your collections get heavier and your edge extensions expand.

thatgibbyguy · Answer 4 · 2016-02-01T03:25:54+0000

You cannot block Meteor.call from the console, just as you cannot block CollectionName.find().count() from the console. These are global functions in a meteor.

But there are simple steps you can take to protect your methods.

Use aldeed:simple-schema to set the data types that your collection can accept. This will allow you to set certain keys that your collection will accept, as well as their type (string, boolean, array, object, integer) https://github.com/aldeed/meteor-simple-schema
Make sure that only registered users can update your method. Or set global Allow / Deny rules. https://www.meteor.com/tutorials/blaze/security-with-methods && & &&& & & https://www.discovermeteor.com/blog/allow-deny-a-security-primer/
Remove insecure and autopublish

A simple combination of scheme and allow / deny should make you just fine.

Faysal ahmed · Answer 5 · 2016-02-01T05:03:12+0000

As you already know, you cannot block the call to Meteor.call from the Javascript console, which I would like to add as a suggestion with @Stephen and @thatgibbyguy, that be sure to check your role user when adding documents to the collection. Simple-Schema helps you prevent garbage data from being inserted / updated into the collection. and alanning:roles , of course, makes your application secure by controlling who has permission to write / read / update your collection documents.

Alanning Role Packs

How to prevent Meteor.call from calling JavaScript console?

More articles: