Detecting/preventing Meteor.call() from console

I wonder if anyone has any smart way of preventing the target of a Meteor.call() from being executed if typed in from the JavaScript console?
It’s not really a security issue, I know how to protect those calls, rather that I do not want it too easy for the bad or curious to make repeats of legal but still expensive calls.

You want to throttle the calls on the server. You can’t really prevent the console calling a method - it’s just like your application.

It might be possible:


But yeah, both safer and easier to throttle it on the server side.

1 Like
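The server-side throttling suggested in the replies above, as an added example that is not code from any poster in this thread: a sliding-window limiter wrapped around an expensive method handler. The names `createThrottle`, `throttled` and `expensiveReport`, the `ctx` shape, and the sample address are assumptions made for illustration.

```javascript
// Sliding-window throttle for an expensive server method (hypothetical names).
function createThrottle({ limit, windowMs, now = Date.now }) {
  const hits = new Map(); // caller key -> timestamps of accepted calls

  return function check(key) {
    const t = now();
    // Keep only the accepted calls that still fall inside the window.
    const recent = (hits.get(key) || []).filter((ts) => t - ts < windowMs);
    hits.set(key, recent);
    if (recent.length >= limit) {
      // Oldest accepted call decides when the next slot frees up.
      return { allowed: false, retryAfterMs: windowMs - (t - recent[0]) };
    }
    recent.push(t);
    return { allowed: true, retryAfterMs: 0 };
  };
}

// Enforce the limit before the expensive work runs. `ctx` stands in for the
// per-call context a server exposes (assumed fields: userId, clientAddress).
function throttled(handler, check) {
  return function (ctx, ...args) {
    // Prefer the authenticated user id; fall back to the client address.
    const key = ctx.userId ? `user:${ctx.userId}` : `addr:${ctx.clientAddress}`;
    const verdict = check(key);
    if (!verdict.allowed) {
      const err = new Error('too-many-requests');
      err.retryAfterMs = verdict.retryAfterMs;
      throw err;
    }
    return handler(ctx, ...args);
  };
}

// Constructed demo: 3 calls per 10 s per caller, driven by a fake clock.
function demo() {
  let clock = 0;
  const check = createThrottle({ limit: 3, windowMs: 10000, now: () => clock });
  const expensiveReport = throttled((ctx, n) => n * 2, check);
  const ctx = { userId: null, clientAddress: '203.0.113.7' }; // constructed
  const results = [];
  for (const t of [0, 1000, 2000, 3000, 10500]) {
    clock = t;
    try { results.push(expensiveReport(ctx, 21)); }
    catch (e) { results.push(`${e.message}:${e.retryAfterMs}`); }
  }
  return results;
}
```

In a Meteor app the same policy can be declared with the `ddp-rate-limiter` package's `DDPRateLimiter.addRule` rather than hand-rolled state. A long-running server would also evict idle keys from the map.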

I did a solution with a collection that contains random values: the client picks an unused value, encrypts it and sends it as part of the argument; the server decrypts it, checks if it is legal and, if it is, performs the operation and finishes by marking the “pass” as used by client IP address. If not, it stores the IP address in an InvalidPasses collection. It also adds a new “pass” to the buffer.

A bit cumbersome, but it works. The client encryption is fragmented and takes some serious forensics to uncover.

1 Like

It would be nice to see how you did it. If you can, please share a demo repo for us. :slight_smile: