Can my Facebook be compromised if my app has Facebook login and does not "remove insecure"?

What I mean is, can a malicious client have access to my server’s service configuration and get my Facebook secret key? And if yes, what will be the consequences to my Facebook account?

How secret is the “secret key” and how can it be exploited?

Also, my app has service-configuration package, does it change the answer?

If you are running an app in production with multiple users, don’t use insecure. I think having it won’t give people access to your Facebook key in a simple app, but if your app is more complex, then there are plenty of ways to confuse the database by putting in unexpected data that might result in your app code leaking something.

That’s why it’s called insecure.

It’s not a “real” production app. The only real thing about it (that I don’t want compromised) is my Facebook account.

Given that OAuth data is in Mongo, what prevents it from being leaked to the client? How is it different from other Collections?

Well, insecure only allows arbitrary writes to the database. It doesn’t allow people to read your data. So in a basic app your Facebook data should be safe.

The case I’m worried about is, if you add some alternate way of logging in, and then once someone is logged in as you they might be able to access your facebook token. But if you only do login over Facebook I think you’re probably fine.

And even if your Facebook access token is compromised, that doesn’t let people actually do anything with your account - they will basically only be able to read your name and email. It won’t give them permission to post as you or log in as you or anything.


How about the autopublish package? I have that one, too.

I do also allow Twitter, Github and password login.

How can someone else log in as me?

Good info, RE facebook token. Same with Twitter and Github?

Yep, that’s how access tokens work - the idea is that you don’t need to give an app permission to log in as you if all you need to do is verify identity.

They probably can’t, as long as you haven’t added weird hacks around the login system.

This package has specific special cases for the accounts database that don’t publish secret keys.

If it’s not running on localhost, remove insecure. Always.

Why? If it’s running on meteor.com and I don’t care about it?

On the other hand, why not?
It makes the app secure, and it’s usually very little effort to secure the collections via methods or allow/deny functions.
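An added example, not code from this thread or from Meteor itself, of the "very little effort" the last reply refers to: the allow/deny rules that replace the `insecure` package's blanket client write access for a constructed `posts` collection. The rule functions take the arguments Meteor hands to `allow` callbacks (`userId` and the document for insert/remove; `userId`, the document, the top-level field names touched and the modifier for update), but are plain JavaScript so they can be run without Meteor against a small in-memory stand-in included below. The collection name, the `title`/`body`/`owner` schema and the server-side wiring at the end are assumptions for the example.

```javascript
// Added example (not from the thread or from Meteor): allow/deny rules for a
// constructed "posts" collection once `insecure` is removed. With insecure
// present, any client could write any document or modifier to this collection.

// Fields a logged-in client may write (constructed schema for this example).
const CLIENT_FIELDS = new Set(['title', 'body']);

// allow.insert(userId, doc): refuse anonymous inserts, a forged `owner`, and
// any field the client is not meant to control (e.g. a server-set `approved`).
function canInsertPost(userId, doc) {
  if (!userId) return false;
  if (doc.owner !== userId) return false;
  return Object.keys(doc).every((k) => k === 'owner' || CLIENT_FIELDS.has(k));
}

// allow.update(userId, doc, fieldNames, modifier): Meteor passes the stored
// document, the top-level fields the modifier touches, and the modifier itself.
function canUpdatePost(userId, doc, fieldNames, modifier) {
  if (!userId || doc.owner !== userId) return false;
  if (!fieldNames.every((f) => CLIENT_FIELDS.has(f))) return false;
  // Only $set is accepted: $unset/$rename/$push (or a whole replacement
  // document) could strip or move fields even when the field names look fine.
  const ops = Object.keys(modifier);
  return ops.length > 0 && ops.every((op) => op === '$set');
}

// allow.remove(userId, doc): only the owner may delete.
function canRemovePost(userId, doc) {
  return Boolean(userId) && doc.owner === userId;
}

// In-memory stand-in for the collection so the rules can be exercised end to
// end here; in a real app Meteor runs the same checks before touching Mongo.
function makeStore() {
  return new Map();
}

function clientInsert(store, userId, doc) {
  if (!canInsertPost(userId, doc)) return { ok: false, reason: 'insert denied' };
  const _id = `id${store.size + 1}`;
  store.set(_id, { _id, ...doc });
  return { ok: true, _id };
}

// Derives the top-level field names the way Meteor does ("meta.flag" -> "meta").
function topLevelFields(modifier) {
  const names = Object.values(modifier).flatMap((m) =>
    m !== null && typeof m === 'object' ? Object.keys(m).map((k) => k.split('.')[0]) : []
  );
  return [...new Set(names)];
}

function clientUpdate(store, userId, _id, modifier) {
  const doc = store.get(_id);
  if (!doc) return { ok: false, reason: 'not found' };
  if (!canUpdatePost(userId, doc, topLevelFields(modifier), modifier)) {
    return { ok: false, reason: 'update denied' };
  }
  Object.assign(doc, modifier.$set);
  return { ok: true };
}

// Assumed wiring inside a Meteor app; skipped when the Meteor globals are absent.
if (typeof Meteor !== 'undefined' && Meteor.isServer) {
  const Posts = new Mongo.Collection('posts');
  Posts.allow({ insert: canInsertPost, update: canUpdatePost, remove: canRemovePost });
}
```

The same checks can live in a `Meteor.methods` function that reads `this.userId` and performs the write itself; that is the "methods" route the reply mentions, and it keeps the client from issuing raw modifiers at all. Either way, nothing here touches `Meteor.users`, whose service tokens should keep Meteor's default restrictions rather than any client write rule.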