Asteroid Publication Security

I’m testing out Asteroid for splitting Meteor applications, but having an issue with security as follows:

I have a Meteor “Server” app (“MONGO_URL=mongodb://username:password@some.server.com:2222/test meteor --port 5000 run”) that contains the following type services so far:

  • Publications
  • Methods

For example, here is one publication on “Server”:

Meteor.publish("Names", function() {
  if (! this.userId) {
    throw new Meteor.Error('names.unauthorized',
      'This data doesn\'t belong to you.');
  }
  
  return Names.find({ userId: this.userId, limit: 1 });
});

I also have a Meteor “Admin” app (“MONGO_URL=mongodb://username:password@some.server.com:2222/test meteor --port 5005 run”) that does admin stuff, and needs access to the Publications and Methods of the “Server” app

  • Subscribes to “Server” Publications
  • Calls out to “Server” Methods

I get Publication data from the “Server” if I don’t have security applied if (! this.userId), but if applied like above, I get nothing from the “Server” Publication.

The “Server” and “Admin” Meteor apps both talk to the same MongoDB via the URL. The “Server” & “Admin” has Meteor Accounts installed.

How can I get the this working?