Meteor Guide: Security

sashko · March 18, 2016, 12:36am

This is the comment thread for an article in the Meteor Guide.

Read the article: http://guide.meteor.com/security.html

The comment thread for each article appears at the very bottom of the page. Use this thread to post:

Interesting articles related to the content
New ways to do things that aren’t covered in the Guide
Suggestions for Guide improvements

Or anything else related to this topic that people could find useful!

rdagger · May 7, 2016, 1:34am

With regard to rate limiting methods, why not retrieve the method names from exports:

const LISTS_METHODS = _.chain(exports)
  .keys()
  .reject((k)=> { return k.startsWith('__') })
  .value();

instead of hard coding them:

const LISTS_METHODS = _.pluck([
  insert,
  makePublic,
  makePrivate,
  updateName,
  remove,
], 'name');

Then you don’t have to remember to update the rate limiting section when you add and remove methods.

sashko · May 7, 2016, 2:17am

That sounds pretty neat! It’s a bit of a hack though, maybe there’s a better way? Perhaps this is a good start. @tmeasday what do you think?

tmeasday · May 7, 2016, 5:03am

I think that snippet relies on export being implemented in terms of module.exports, which doesn’t seem particularly safe in the face of future alternate implementations. Is there a better way?

rdagger · May 7, 2016, 6:07pm

Methods could have rate limiting by default like accounts.

rdagger · May 7, 2016, 8:57pm

There’s a bug in my code above. It incorrectly passes the name of the method variable instead of the the value of the name key. It should be:

    const LISTS_METHODS = _.chain(exports)
      .pluck('name')
      .reject(k=> k == undefined)
      .value();

rdagger · May 7, 2016, 11:18pm

What I ended up doing for now was placing the DDP rate limiting code only in server/register-api.js. When naming my methods I use the format collection.methods.name. For example: lists.methods.insert. This allows me to filter them out from the other method handlers. Here’s an example register-api.js:

import { DDPRateLimiter } from 'meteor/ddp-rate-limiter';
import '../../api/lists/methods';
import '../../api/todos/methods';

const THROTTLE_METHODS = _.chain(Meteor.server.method_handlers)
  .keys()
  .filter(k=> k.includes('.methods.'))
  .value();
DDPRateLimiter.addRule({
  name(name) {
    return _.contains(THROTTLE_METHODS, name);
  },
  // Rate limit per connection ID
  connectionId() { return true; },
}, 5, 1000);

Now when I add new method modules or edit existing ones I don’t have to worry about rate limiting.

tim17 · May 8, 2016, 11:47am

Regarding the section “secret server code”: How am I supposed to import the secret file containing the implementation of updateWithSecretAlgorithm() only from server code? Since the imports are static and top-level only, both the server and the client code will eventually import this file. Or am I missing something?

sashko · May 8, 2016, 8:43pm

You should use “require” directly, since as you noticed you can only use “import” at the top level.

trajano · May 10, 2016, 1:56am

I just posted a suggestion regarding how to secure server methods

rdagger · July 18, 2016, 11:52pm

The guides SSL section has a bad link:
See the help article about SSL on Galaxy.

The galaxy guide Let’s Encrypt section shows a Generate Certificate button that is supposed to set up SSL in 1 click. I don’t see that button in my Galaxy control panel. I just see a button to upload a certificate.

marktrang · July 19, 2016, 12:36am

@rdagger it appears you’re still on the Developer Edition of Galaxy, not the latest Galaxy that includes access to new production-grade features like SEO prerendering, automated SSL certs, larger container sizes, and high-availability fault tolerance. If you’d like to upgrade, please send us a quick email at galaxysales@meteor.com with your Meteor dev account name and we’ll make it happen!

sashko · July 19, 2016, 2:45am

Fixed the broken link: https://github.com/meteor/guide/commit/2f1e680528a0cae9457912e22a54e0dccff52091

ajaay · March 30, 2017, 1:47pm

Am I right in saying that you can now use import within the method directly now? Appears to be working fine for me.

Is this the best way of accessing ‘secret’ code from within a method currently?

Thanks

magdy · May 10, 2017, 9:17pm

Hey, thanks for the snippet.

I have a question about the best practice in adding rules, … would it be bad for performance if I added a rule per method …

I think it might be easier to use a mixin with each ValidatedMethod, something like this: https://github.com/nlhuykhang/ddp-rate-limiter-mixin

Are there any guidelines when using ddp rate limits, and should I treat publication the same as methods (with a rule foreach?)

monkeyman · July 25, 2017, 4:44am

Any guidance on how best to deal with sensitive data on the client before sending it over the wire? e.g. a user’s personal data, api keys, etc.?

arggh · July 25, 2017, 6:57am

Use SSL

edit: Also, don’t send API keys to the client, unless they are meant to be public.

sabrina · September 10, 2017, 12:13am

Instead of completely blocking off allow/deny, why not whitelist attributes?