
What security mechanisms does Meteor have? [closed]

We all know that Meteor offers the miniMongo driver which seamlessly allows the client to access the persistent layer (MongoDB).

If any client can access the persistent API how does one secure his application?

What are the security mechanisms that Meteor provides and in what context should they be used?

Olivier Refalo asked Apr 11 '12 04:04


2 Answers

When you create an app using the meteor command, by default the app includes the following packages:

  • AUTOPUBLISH
  • INSECURE

Together, these mimic the effect of each client having full read/write access to the server's database. These are useful prototyping tools (development purposes only), but typically not appropriate for production applications. When you're ready for production release, just remove these packages.

To add more, Meteor supports Facebook, Twitter, and many more packages to handle authentication, and the coolest is the Accounts-UI package.

Murali Ramakrishnan answered Oct 17 '22 14:10
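
An added example, not part of the answer above or of Meteor itself: a small check that scans the text of an app's `.meteor/packages` file for the two prototyping packages named in the answer, so a release build can fail while they are still listed. The function name and the sample package list (including its version numbers) are constructed for illustration.

```javascript
// Added example: flag Meteor prototyping packages left in a package list.
// Assumption: the input is the text of the app's .meteor/packages file
// (one package per line, '#' starts a comment, optional "@version" suffix).
const PROTOTYPING_PACKAGES = new Set(["autopublish", "insecure"]);

function findPrototypingPackages(packagesText) {
  const findings = [];
  packagesText.split(/\r?\n/).forEach((rawLine, index) => {
    // Drop trailing comments and surrounding whitespace.
    const line = rawLine.split("#")[0].trim();
    if (line === "") return;
    // "name@1.2.3" or "name@=1.2.3" pins a version; the name comes first.
    // Exact match only, so "author:insecure" or "insecure-extra" is not flagged.
    const name = line.split("@")[0].trim();
    if (PROTOTYPING_PACKAGES.has(name)) {
      findings.push({ name, line: index + 1 });
    }
  });
  return findings;
}

// Constructed sample, not taken from a real project.
const SAMPLE_PACKAGES = [
  "# Meteor packages used by this project",
  "meteor-base@1.5.1",
  "mongo@1.16.0",
  "accounts-ui",
  "autopublish@1.0.7   # remove before release",
  "# insecure (already removed)",
  "insecure",
].join("\n");

function auditSample() {
  return findPrototypingPackages(SAMPLE_PACKAGES);
}

for (const finding of auditSample()) {
  console.log(`line ${finding.line}: remove '${finding.name}' before production`);
}
```

In a release pipeline the same function can be given the real file's contents and the build stopped when the returned list is not empty.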


The collections doc says:

Currently the client is given full write access to the collection. They can execute arbitrary Mongo update commands. Once we build authentication, you will be able to limit the client's direct access to insert, update, and remove. We are also considering validators and other ORM-like functionality.

pomber answered Oct 17 '22 13:10