Let's say I'm building an app using meteor.js where I just collect some simple form data from users. Maybe an answer to a simple question or something. They don't need to log in to submit data.
How can I protect my app from someone creating a js-loop in their Chrome Console that just inserts crap into my DB?
I can protect removal and updates by doing this:
```javascript
Formanswers.allow({
  insert: function () {
    return true;
  },
  update: function () {
    return false;
  },
  remove: function () {
    return false;
  },
});
```
And if the user were logged in (which, as you remember, is not the case in my app) I could timestamp each insert and check something like:
```javascript
insert: function (userId, doc) {
  // Allow only if this user has no answer newer than the cutoff;
  // SOMETHING_TIME_SPECIFIC is a placeholder for the start of the time window.
  return !!userId &&
    Formanswers.find({ userId: userId, time: { $gt: SOMETHING_TIME_SPECIFIC } }).count() < 1;
},
```
So my question is: is there any other way of getting a unique userId-thing or IP-address or something for an anonymous (not logged in) user so I can do the above check on him as well?
Thanks!
You can use a meteorite package.
accounts-anonymous
https://github.com/tmeasday/meteor-accounts-anonymous
So you use
```javascript
Meteor.loginAnonymously();
```
if the user visits your page for the first time, and use `.allow` to check what you need.
To get the IP address, the observatory (https://github.com/jhoxray/observatory) project uses this:
In CoffeeScript:
```coffeescript
Meteor.userIP = (uid) ->
  ret = {}
  if uid?
    s = ss for k, ss of Meteor.default_server.sessions when ss.userId is uid
    if s
      ret.forwardedFor = s.socket?.headers?['x-forwarded-for']
      ret.remoteAddress = s.socket?.remoteAddress
  ret
```
Which returns an object like { forwardedFor: '192.168.5.4', remoteAddress: '192.168.5.4' }
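Putting the two answers together, here is an added example (not code from the question, either answer, or the observatory project) of an insert `allow` rule that rate-limits per identity and validates the document shape server-side. It assumes anonymous users have been given a `userId` via `Meteor.loginAnonymously()`; the `InsertRateLimiter`, `isValidAnswer`, the field name `answer` and the 3-per-minute quota are all constructed for illustration.

```javascript
// Added example, not code from the question or either answer. A sliding-window
// limiter keyed by whatever identity the server has for the client: the userId
// that accounts-anonymous provides, or the remoteAddress from Meteor.userIP.
class InsertRateLimiter {
  constructor(maxInserts, windowMs) {
    this.maxInserts = maxInserts;
    this.windowMs = windowMs;
    this.history = new Map(); // key -> insert timestamps (ms) inside the window
  }
  // Records the insert and returns true if `key` is within quota at `now`;
  // returns false (recording nothing) when the quota is used up or key is missing.
  tryInsert(key, now = Date.now()) {
    if (!key) return false; // no identity at all: refuse rather than fall open
    const recent = (this.history.get(key) || []).filter((t) => t > now - this.windowMs);
    const allowed = recent.length < this.maxInserts;
    if (allowed) recent.push(now);
    this.history.set(key, recent);
    return allowed;
  }
}

// Server-side shape check: a console loop can send any document, so the allow
// rule must also reject unexpected fields and oversized values (limits are constructed).
function isValidAnswer(doc) {
  if (!doc || typeof doc.answer !== 'string') return false;
  const extra = Object.keys(doc).filter((k) => k !== '_id' && k !== 'answer');
  return extra.length === 0 && doc.answer.length > 0 && doc.answer.length <= 500;
}

// Constructed scenario: one client submits twice, another loops 20 inserts in a second.
function simulate() {
  const limiter = new InsertRateLimiter(3, 60 * 1000);
  const t0 = 1700000000000;
  const results = { polite: 0, looper: 0 };
  [0, 5000].forEach((dt) => { if (limiter.tryInsert('anon-A', t0 + dt)) results.polite++; });
  for (let i = 0; i < 20; i++) if (limiter.tryInsert('anon-B', t0 + i * 50)) results.looper++;
  return results; // { polite: 2, looper: 3 }
}

// Meteor wiring, guarded so the file also runs under plain Node. Assumes the client
// called Meteor.loginAnonymously(), so anonymous users still arrive with a userId.
if (typeof Meteor !== 'undefined' && Meteor.isServer) {
  const limiter = new InsertRateLimiter(3, 60 * 1000);
  Formanswers.allow({
    insert: (userId, doc) => isValidAnswer(doc) && limiter.tryInsert(userId),
    update: () => false,
    remove: () => false,
  });
}
```

The limiter state lives in server memory, so it resets on restart and is per-process; for a multi-server deployment the same check would be backed by the timestamped collection query from the question instead.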