I have been reading a few tutorials on flowrouter and for authorization in the trigger of the route file they do a check of the user for example "if(Meteor.userId()) allow route "
From my understanding flowrouter is client side. In my browser I was able to view the routes.js file including the auth logic.
This appears to be a security loop hole as the client side code could be modified to allow access to pages require the user to be signed in?
It’s not really a loophole. Every template/component should be accompanied by appropriately restricted server methods and/or publications to ensure only appropriate data is sent to the client. If you’re doing this, then anyone can do anything they want with the routes and the worst that could happen is the that the UI would be borked for the person monkeying with the routes.
IMO, if you are relying on client-side routing for security, then you’re doing it wrong.
Never trust the client!