Best Practice - Method only called by server ? (client should be prevented)

Hi again everyone,

Another best practice question (I have reached the point where I want to be sure I use Meteor the right way) :

After a payment on a payment provider I receive a POST response. I check the validity of the response and would like this response to call a Method. Quite easy, I do: Meteor.call(‘methodAfterPaymentReceived’) in a server folder. OK, BUT I DO NOT want anyone from the client side being able to call this method, because it should only be called from the server after a payment is validated.

But this goes against the Meteor principle where anyone can reach methods… the snake biting its own tail. I have some ideas; I will drop them here, but would like to have confirmation whether any (all / none) of them are good:

  • use this.userId: as the method is called from the server after a POST, it should be ‘undefined’, no? (any risk a situation could make it defined from a server call?)

  • use this.connection? I don’t know much about this object, could someone guide me?

  • use an environment variable that I send to the method and check again on the method side. As they are only accessible through the server, it should work?

  • use a hash that uses an environment variable and some data about the transaction?

  • something much easier that I don’t know may exist in Meteor? That would be the best :slight_smile:

Thanks already in advance for those who can help me !

hi ivo,

I may be missing your point, but couldn’t you just define a regular JavaScript function in server-only code? For example, a file in the server folder.
So instead of Meteor.call('methodAfterPaymentReceived') you could just go for methodAfterPaymentReceived().

Meteor Methods are meant to be accessible by the client, that’s the whole point of them :slight_smile: if you don’t need client access, there’s no need to use Meteor Methods :slight_smile:

3 Likes

don’t make it a meteor method! :slight_smile:

create a simple function in the server code, import it wherever you want to call it after payment processing and make sure that wherever is also on the server side, or simply put the call within a Meteor.isServer block.

Meteor methods ultimately are for remote calls, just like REST API endpoints, only smarter. For running functions all within the client or all within the server, use standard JavaScript.

3 Likes

Hey guys,

Thank you both for your answers. I guess I was focusing on Meteor so much that I forgot the simple stuff…

Just to make sure I am doing it right: the POST request from the payment provider is handled in a file located in server/routes. I am using the Picker package. The code is like this:

import { Picker } from 'meteor/meteorhacks:picker';
import bodyParser from 'body-parser';

// should I declare methodAfterPaymentReceived here ?
function methodAfterPaymentReceived(payment) {
  // server-only: mark the order as paid, send the confirmation, etc.
}

Picker.middleware(bodyParser.urlencoded({ extended: false }));
Picker.middleware(bodyParser.json());

// only POST requests go through these routes
let postRoutes = Picker.filter(function (req, res) {
  return req.method === "POST";
});

postRoutes.route('/payment', function (params, request, response, next) {
  // making my verification that the response from payment is ok HERE

  // should I call the function here ?
  methodAfterPaymentReceived(request.body);

  // answer the provider so the request does not hang
  response.end('ok');
});

Can I just declare methodAfterPaymentReceived() before my postRoutes declaration and it is safe?? No one can access this JavaScript function except my server?

As it involves payment and it’s a first time for me, I just wanna make sure.

Yes @ivo that is absolutely correct!

Although, as your application grows, these files will also grow, and you’ll also find that you want to reuse some of that code in other parts of your app, in which case you might want to read the Meteor guide on application structure, and perhaps the whole guide, for more best practices and conventions.

1 Like