May '16

rdagger

With regard to rate limiting methods, why not retrieve the method names from exports:

    const LISTS_METHODS = _.chain(exports)
      .keys()
      .reject((k)=> { return k.startsWith('__') })
      .value();

instead of hard coding them:

    const LISTS_METHODS = _.pluck([
      insert,
      makePublic,
      makePrivate,
      updateName,
      remove,
    ], 'name');

Then you don’t have to remember to update the rate limiting section when you add and remove methods.

1 reply
May '16 ▶ rdagger

sashko MDG Staff

That sounds pretty neat! It’s a bit of a hack though, maybe there’s a better way? Perhaps this is a good start. @tmeasday what do you think?

1 reply
May '16 ▶ sashko

tmeasday

I think that snippet relies on export being implemented in terms of module.exports, which doesn’t seem particularly safe in the face of future alternate implementations. Is there a better way?

May '16

rdagger

Methods could have rate limiting by default like accounts.

May '16

rdagger

There’s a bug in my code above. It incorrectly passes the name of the method variable instead of the value of the name key. It should be:

    const LISTS_METHODS = _.chain(exports)
      .pluck('name')
      .reject(k=> k == undefined)
      .value();

May '16

rdagger

What I ended up doing for now was placing the DDP rate limiting code only in server/register-api.js. When naming my methods I use the format collection.methods.name. For example: lists.methods.insert. This allows me to filter them out from the other method handlers. Here’s an example register-api.js:

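    import { Meteor } from 'meteor/meteor';
    import { _ } from 'meteor/underscore';
    import { DDPRateLimiter } from 'meteor/ddp-rate-limiter';
    // Load the method modules first so their handlers are registered
    import '../../api/lists/methods';
    import '../../api/todos/methods';

    // Every registered method whose name follows collection.methods.name
    const THROTTLE_METHODS = _.chain(Meteor.server.method_handlers)
      .keys()
      .filter(k=> k.includes('.methods.'))
      .value();

    // Allow 5 calls per 1000 ms for the matched methods
    DDPRateLimiter.addRule({
      name(name) {
        return _.contains(THROTTLE_METHODS, name);
      },
      // Rate limit per connection ID
      connectionId() { return true; },
    }, 5, 1000);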

Now when I add new method modules or edit existing ones I don’t have to worry about rate limiting.

1 reply
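
An added example (not code from the thread or from Meteor) that applies the naming-convention filter from the post above to a constructed handler map and reports which methods the rule would leave unthrottled. The handler names, `splitByConvention` and `makeLimiter` are hypothetical, and the fixed-window counter kept per connection and method name is a simplifying assumption, not DDPRateLimiter's implementation.

```javascript
// Constructed sample standing in for Meteor.server.method_handlers (name -> handler).
const sampleHandlers = {
  'lists.methods.insert': () => {},
  'lists.methods.remove': () => {},
  'todos.methods.setChecked': () => {},
  'todos.updateText': () => {}, // breaks the naming convention
  'login': () => {},            // registered by a package
};

// Same selection as the post: only names containing '.methods.' are throttled.
function splitByConvention(handlers) {
  const names = Object.keys(handlers);
  return {
    throttled: names.filter((k) => k.includes('.methods.')),
    unthrottled: names.filter((k) => !k.includes('.methods.')),
  };
}

// Simplified fixed-window model of a "limit calls per windowMs" rule.
// Assumption: one counter per connection and method name.
function makeLimiter(throttledNames, limit, windowMs) {
  const throttled = new Set(throttledNames);
  const windows = new Map(); // "connectionId|method" -> { start, count }
  return function allow(connectionId, methodName, nowMs) {
    if (!throttled.has(methodName)) return true; // rule does not match this call
    const key = `${connectionId}|${methodName}`;
    let w = windows.get(key);
    if (!w || nowMs - w.start >= windowMs) {
      w = { start: nowMs, count: 0 }; // open a new window
      windows.set(key, w);
    }
    w.count += 1;
    return w.count <= limit;
  };
}

const { throttled, unthrottled } = splitByConvention(sampleHandlers);
const allow = makeLimiter(throttled, 5, 1000);
// Audit output: methods the convention-based rule does not cover.
console.log('not rate limited:', unthrottled);
console.log('sixth call in window allowed:',
  [0, 1, 2, 3, 4, 5].map((t) => allow('conn1', 'lists.methods.insert', t))[5]);
```

A method registered under a name without `.methods.` passes through the filter unthrottled, so a startup check like the `unthrottled` list is a cheap way to catch it.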
May '16

tim17

Regarding the section “secret server code”: How am I supposed to import the secret file containing the implementation of updateWithSecretAlgorithm() only from server code? Since the imports are static and top-level only, both the server and the client code will eventually import this file. Or am I missing something?

2 replies
May '16 ▶ tim17

sashko MDG Staff

You should use “require” directly, since as you noticed you can only use “import” at the top level.

1 reply
May '16

trajano

I just posted a suggestion regarding how to secure server methods.

Jul '16

rdagger

The guide’s SSL section has a bad link:
See the help article about SSL on Galaxy.

The Galaxy guide’s Let’s Encrypt section shows a Generate Certificate button that is supposed to set up SSL in 1 click. I don’t see that button in my Galaxy control panel. I just see a button to upload a certificate.

1 reply