Are the contents of the includes/api folder visible to the client?

Hi,

I'm creating an admin which will be used by only 2-3 users. I don't want to implement user accounts for now but just a simple token check.
So: if in the methods of a collection (stored in includes/api/collectionName.js) I check if a token == 'Password123', is that plain text password visible to the client?

Thanks!

It depends: if this module is imported somewhere in the client code (too), then yes, the password will be accessible in the browser, if someone knows where to look. However, if it will only ever be imported by server-side code, then the answer is no.

1 Like

I have a form which will call that method. Is there a way to set a password for the entire Meteor project? Other than the nginx way…

You could add a password in Meteor.settings outside of Meteor.settings.public. Properties defined there are only accessible on the server side.

You could ask for the password in a modal when your app is started on the client and keep it in a variable in some module, or in the Session.

Then you could pass this password to each of your Meteor methods, where you would check it against the password property in Meteor.settings. This is doable, but both very unusual and uncomfortable. Setting a htaccess in nginx is indeed simpler; plus you could add still more users later if you change your mind.

1 Like
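The approach described in the answer above, as an added example that is not part of the original thread: the token lives in the non-public part of the settings object, and every method is wrapped so it rejects calls with a wrong or missing token. The key name `adminToken`, the helpers `tokenMatches` and `protectMethods`, and the method `items.remove` are hypothetical; `sampleSettings` is a constructed stand-in for `Meteor.settings` so the code runs under plain Node.

```javascript
// Server-only module: keep it where the client bundle never imports it.
const crypto = require('crypto');

// Compare in constant time. Hashing first gives equal-length buffers,
// which crypto.timingSafeEqual requires.
function tokenMatches(supplied, expected) {
  if (typeof supplied !== 'string' || typeof expected !== 'string' || expected.length === 0) {
    return false; // fail closed on missing config or non-string input
  }
  const a = crypto.createHash('sha256').update(supplied).digest();
  const b = crypto.createHash('sha256').update(expected).digest();
  return crypto.timingSafeEqual(a, b);
}

// Wrap each handler so the caller must pass the token as the first argument.
function protectMethods(settings, handlers) {
  const expected = settings && settings.adminToken; // hypothetical key name
  const wrapped = {};
  for (const [name, handler] of Object.entries(handlers)) {
    wrapped[name] = function (token, ...args) {
      if (!tokenMatches(token, expected)) {
        // In a Meteor app this would be: throw new Meteor.Error('not-authorized')
        throw new Error('not-authorized');
      }
      return handler.apply(this, args);
    };
  }
  return wrapped;
}

// Constructed sample standing in for Meteor.settings (loaded with --settings).
const sampleSettings = {
  adminToken: 'constructed-sample-token', // server-only, never sent to the browser
  public: { appName: 'admin' },           // only this sub-object reaches the client
};

const methods = protectMethods(sampleSettings, {
  'items.remove'(id) { return `removed ${id}`; },
});
// In a Meteor app: Meteor.methods(protectMethods(Meteor.settings, { ... }));
```

The token is sent with every method call, so the connection has to be served over TLS for this check to mean anything.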