Correct way to protect pages from unauthorized access

This is my first test project with Meteor and I am trying to grasp and learn all the basic concepts.

Using the “accounts-password” package and “iron:router”, I have build a simple user account system, where registered users can login and see their details / posts on their personal account page (userAccount). Logically, this personal account page should not be publicly accessible, i.e. if you provide the wrong credentials, you will be redirected back to the login page.

For that purpose, I created a router configuration, that manages access to the page template (userAccount):

Router.route('/account', { name: 'userAccount', template: 'userAccount', onBeforeAction: function(){ var currentUser = Meteor.userId(); if(currentUser){ // logged-in; } else { // not logged in this.render('login'); } } });

Is this the correct way to create individual login-areas, which are protected from public access?

If you have multiple pages within that login-area, they all have to be protected with the same routing configuration for each template?

You can’t protect pages / views / templates from unauthorized access because the client-side code can always be manipulated. The only thing that you can really protect is the data itself. You should read the following tutorials and make sure that you understand them: