Someone please correct me if I’m wrong, but you can’t access the collections from the browser console unless they are global, right? The only one you should have to worry about is Meteor.users?
As long as you have removed the autopublish package, you will see nothing on the client unless you explicitly publish it. As you say, @bmanturner, the exception is your own user object - although you can override what’s available even with that.
That’s not securing the data, though. Remember, all client-side code is accessible in principle. Yes, it’s not global. There’s no one hindering you from using the console to subscribe to any collection.
You can only secure the data which comes from the server.
I don’t want absolute security on the client side; I would only like to complicate a possible bulk copy of the collection… using a simple collection.find({}).fetch() or some other way that iterates over variables with a loop.
Why? If anyone is really that interested in your data and you try to paginate it (because that’s what you’re proposing), they’ll simply write a simple script/macro/scraper and be done.
You should ask yourself: Is it really worth the additional headaches for something you cannot prevent anyway?
I have to agree with @rhywden here. If the user is savvy enough to be able to require() your collection into the console, fetch and dump it, then they are probably savvy enough to write a node script that opens a DDP connection to your server, subscribes to a publication as many times as necessary and copies all the data that way. If that doesn’t work and you somehow manage to obfuscate data in a way that it can’t be retrieved from the collection directly, they could always use something like PhantomJS to run your site headlessly and scrape all the data that way. I’ve personally done this before. Where there’s a will, there’s a way.
Doing some research in the Meteor code (version 1.7), I found that this default global variable contains all remotely subscribed collections: Meteor.connection._mongo_livedata_collections
I can fetch any collection simply in this way: Meteor.connection._mongo_livedata_collections.COLLECTIONNAME.find().fetch()
In my specific case I need to protect the geographical coordinates in clear text, but make sure that at runtime they can be calculated to position the markers on the map. I have already added a mechanism to limit the number of requests and make sure that they cannot all be downloaded from the server.
@bmanturner,
Regardless of how I import the collection instances in my application, I can access them after the first subscription.
@copleykj, I want the client to be able to access the data, but a user should not be able to use a simple for loop to get them all together.
Maybe a solution to my problem could be to download the data on the client through a Meteor.call() instead of a subscription, encrypt these data, and then decrypt them client-side with a private key that is saved inside a closure.
Could it be feasible?
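
Added example, not part of the thread and not code from any poster: since the thread's point is that only the server side can limit what a client receives, this sketch shows how a map-marker publication can validate client-supplied viewport bounds and cap fields and document count before querying. The constants, the field names (`lat`, `lng`, `label`), the `Markers` collection and the publication name in the closing comment are assumptions.

```javascript
// Added example: server-side argument handling for a map-marker publication.
// MAX_SPAN_DEG, MAX_DOCS and the field names are assumptions for illustration.
const MAX_SPAN_DEG = 0.5; // largest viewport (in degrees) the server will serve
const MAX_DOCS = 200;     // hard cap on documents per subscription

function isFiniteNumber(n) {
  return typeof n === 'number' && Number.isFinite(n);
}

// Validate client-supplied bounds; return null when they must be rejected.
// Objects such as { $gt: 0 } fail the number check, so query operators
// cannot be smuggled into the selector. Viewports that cross the
// antimeridian (west >= east) are rejected here for simplicity.
function normalizeBounds(b) {
  if (b === null || typeof b !== 'object') return null;
  const { south, west, north, east } = b;
  if (![south, west, north, east].every(isFiniteNumber)) return null;
  if (south < -90 || north > 90 || west < -180 || east > 180) return null;
  if (south >= north || west >= east) return null;
  if (north - south > MAX_SPAN_DEG || east - west > MAX_SPAN_DEG) return null;
  return { south, west, north, east };
}

// Build the selector and options the publication passes to find().
// The client never supplies a selector, field list or uncapped limit.
function buildMarkerCursorArgs(rawBounds, requestedLimit) {
  const bounds = normalizeBounds(rawBounds);
  if (!bounds) return null;
  const limit = Number.isInteger(requestedLimit) && requestedLimit > 0
    ? Math.min(requestedLimit, MAX_DOCS)
    : MAX_DOCS;
  return {
    selector: {
      lat: { $gte: bounds.south, $lte: bounds.north },
      lng: { $gte: bounds.west, $lte: bounds.east },
    },
    options: { fields: { lat: 1, lng: 1, label: 1 }, limit },
  };
}

// In a Meteor server file this would be wired up roughly as (hypothetical names):
//   Meteor.publish('markers.inView', function (bounds, limit) {
//     const args = buildMarkerCursorArgs(bounds, limit);
//     if (!args) return this.ready();
//     return Markers.find(args.selector, args.options);
//   });
```

This bounds what a single subscription can return; a client can still request one viewport after another, which is why it belongs alongside the request limiting mentioned above rather than in place of it.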