How to enforce security on Meteor app? Guidelines

Hello,
I realised my app is quite flawed as I can, from my browser console, execute commands to access my database, but also make calls to the server.
In the browser console, a command like db.find({}).fetch() will return all entries, with ids.

For example:

db.remove({})

will return

allow-deny.js:505 Uncaught errorClass {isClientSafe: true, error: 403, reason: “Not permitted. Untrusted code may only remove documents by ID.”, details: undefined, message: “Not permitted. Untrusted code may only remove documents by ID. [403]”, …}

but db.remove({_id: 'someid'}) will remove the entry.

Also something like Meteor.call('removeuser', 'someusername') will also access Accounts and remove the user if the method is implemented. Should I give my methods unique names so I hope nobody can find them?

Please can you give guidelines about how to secure Meteor apps in general?

Thank you

I would suggest avoiding client-side database operations (Meteor's allow/deny) completely and just using Meteor methods instead. This is the same advice as given by the Meteor docs here: https://guide.meteor.com/security.html#allow-deny

Going over that guide in full is really the first step you should take here.

After that, you might also want to check out this book: https://www.securemeteor.com

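As an added example that is not part of this thread, here is the method-based pattern the reply recommends, applied to the `db.remove({_id: 'someid'})` case from the question: the removal moves into a server-side method that validates its argument, requires a logged-in user and checks ownership before touching the collection. The `Meteor`, `check` and collection objects below are small stand-ins written here so the file runs outside Meteor (in a real app you would use `Meteor.methods`, `this.userId`, `Meteor.Error` and `check` from `meteor/check`); the method name `tasks.remove`, the `Tasks` collection and the user ids are assumed names.

```javascript
// Added example, not code from the original thread or from Meteor itself.
// Stand-ins (hypothetical, for offline execution) for the Meteor pieces a real
// app would import: Meteor.methods, Meteor.Error, this.userId and check().
const registeredMethods = {};

const Meteor = {
  Error: class MeteorError extends Error {
    constructor(error, reason) {
      super(`${reason} [${error}]`);
      this.error = error;   // numeric code, as in Meteor.Error(403, ...)
      this.reason = reason;
    }
  },
  methods(defs) { Object.assign(registeredMethods, defs); },
  // Stand-in for a client calling a method: the server binds this.userId
  // from the session, never from a client-supplied argument.
  call(userId, name, ...args) {
    const fn = registeredMethods[name];
    if (!fn) throw new Meteor.Error(404, `Method '${name}' not found`);
    return fn.apply({ userId }, args);
  },
};

// Minimal argument validation in the spirit of check(value, String).
function check(value, pattern) {
  if (pattern === String && typeof value !== 'string') {
    throw new Meteor.Error(400, 'Match failed: expected String');
  }
}

// Tiny in-memory collection with the subset of the API the method needs.
class Collection {
  constructor() { this.docs = new Map(); this.nextId = 1; }
  insert(doc) { const _id = `t${this.nextId++}`; this.docs.set(_id, { _id, ...doc }); return _id; }
  findOne(selector) { return this.docs.get(selector._id) || null; }
  remove(selector) { return this.docs.delete(selector._id) ? 1 : 0; }
  count() { return this.docs.size; }
}
const Tasks = new Collection();

// The security-relevant part: no client-side remove, only this server method.
Meteor.methods({
  'tasks.remove'(taskId) {
    check(taskId, String);                       // reject selectors like {_id: ...} or {}
    if (!this.userId) throw new Meteor.Error(401, 'Not authorized');
    const task = Tasks.findOne({ _id: taskId });
    if (!task) throw new Meteor.Error(404, 'Task not found');
    if (task.owner !== this.userId) {            // authorization, not just authentication
      throw new Meteor.Error(403, 'Only the owner may remove a task');
    }
    return Tasks.remove({ _id: taskId });
  },
});

// Records the outcome of one call so the scenarios can be compared.
function attempt(userId, name, ...args) {
  try {
    return { ok: true, result: Meteor.call(userId, name, ...args) };
  } catch (e) {
    return { ok: false, error: e.error, reason: e.reason };
  }
}

// Replays the situation from the question with constructed data: an anonymous
// console user, a logged-in non-owner, and the owner.
function demo() {
  Tasks.docs.clear();
  const aliceTask = Tasks.insert({ owner: 'alice', text: 'ship it' });
  Tasks.insert({ owner: 'bob', text: 'review' });
  return {
    anonymous: attempt(null, 'tasks.remove', aliceTask),
    wrongType: attempt('bob', 'tasks.remove', { _id: aliceTask }),
    notOwner: attempt('bob', 'tasks.remove', aliceTask),
    unknownMethod: attempt('alice', 'removeuser', 'bob'),
    owner: attempt('alice', 'tasks.remove', aliceTask),
    remaining: Tasks.count(),
  };
}

console.log(demo());
```

The point of the `unknownMethod` case is the question about obscure method names: whether or not the name is guessable, the guard that matters is the `this.userId` and ownership check inside the method, since anything callable from the console must be treated as untrusted input.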