Collection data obfuscation is possibile?

#1

I need to hide the data loaded in a meteor application

I do not understand what could be a way to keep the pubs / sub running but to make sure that the collection on the client does not have results

or any way to not easily access data via browser console

many thanks for every suggestions,
Stef
http://keplerjs.io

#2

Someone please correct me if I’m wrong, but you can’t access the collections from the browser console unless they are global, right? The only one you should have to worry about is Meteor.users?

1 Like
#3

The collections are linked to a global variable because they are used in various parts of the same application, from other modules and packages.

Perhaps there is a usual pattern or architecture to avoid this?

#4

As long as you have removed the autopublish package, you will see nothing on the client unless you explicitly publish it. As you say, @bmanturner, the exception is your own user object - although you can override what’s available even with that.

#5

You can import them where you need them.

import MyCollection from '/imports/api/collections/MyCollection';

^ that’s roughly how we do it

1 Like
#6

That’s not securing the data, though. Remember, all client-side code is accessible in principle. Yes, it’s not global. There’s no one hindering you from using the console to subscribe to any collection.

You can only secure the data which comes from the server.

1 Like
#7

Data security is the servers responsibility. If the client isn’t allowed to see the data, then it shouldn’t be published there.

#8

I don’t want absolute security in client side, but only I would like to complicate a possible bulk copy of the collection… using a simple collection.find({}).fetch() or some other way that iterate variables with a loop.

#9

Why? If anyone is really that interested in your data and you try to paginate it (because that’s what you’re proposing), they’ll simply write a simple script/macro/scraper and be done.

You should ask yourself: Is it really worthwhile the additional headaches for something you cannot prevent anyway?

4 Likes
#10

I have to agree with @rhywden here. If the user is savvy enough to be able to require() your collection into the console, fetch and dump it, then they are probably savvy enough to write a node script that opens a ddp connection to your server, subscribes to a publication as many times as necessary and copies all the data that way. If that doesn’t work and you some how manage to obfuscate data in a way that it can’t be retrieved from the collection directly, they could always use something like PhantomJS to run your site headlessly and scrape all the data that way. I’ve personally done this before. Where there’s a will, there’s a way.

3 Likes
#11

Doing some research in the Meteor code (version 1.7) I found this default global var contains all remote suscribed collection:
Meteor.connection._mongo_livedata_collections

I can fetch any collection simply in this way:
Meteor.connection._mongo_livedata_collections.COLLECTIONNAME.find().fetch()

In my specific case I need to protect the geographical coordinates in clear text, but make sure that at runtime they can be calculated to position the markers on the map, I have already added a mechanism to limit the number of requests and make sure that they can not be all downloaded from the server.

@bmanturner,
Regardless of how I import the collection instances in my application I can access it after the first subbscription.

@copleykj, I wish the client can access the data, but that a user can not use a simple for loop to get them all together.
Maybe a solution to my problem could be to download data on the client through a Meteor.call () instead of a subscription encrypt these data and then decrypt client side with a private key that is saved inside a closure.
Could it be feasible?

#12

making sure that the data are webscrapable only via Phantom would be a good result for me! :slight_smile:
but having iterable data simply via console is not good :frowning:

#13

you could obfuscate your field with something like this: https://stackoverflow.com/questions/14458819/simplest-way-to-obfuscate-and-deobfuscate-a-string-in-javascript

I guess its an object, so you can do something like obfuscate(JSON.stringify(coordinates)),
but as others have mentioned, this does not add security.

1 Like
#14

Well, he could always ROT13 encrypt it. And to make it even more secure, double that encryption!

1 Like
#15

noob, rot13 does not encrypt numbers :wink:

(btw. I did not realize either and just tried it xD: http://jsfiddle.net/58hv2kcq/)

1 Like