Our team has developed a web app, but the problem I am having is, anyone, who visits our site, can open command prompt in Chrome and enter Meteor.connection._methodHandlers, and it shows a list of all of our methods, that we use. From there, he can use the Meteor.call(), and call any method from the shown list.
Seems like a vulnerability. What would be the best way to tackle it?
Hi @skrisjanis, welcome to the forums!
Just like any HTTP/REST API, Methods calls (over DDP) can be discovered by sniffing the traffic. Main difference is that it’s over the websocket instead of HTTP calls.
This means that any obfuscation you do by hiding
Meteor.connection._methodHandlers, does little to make methods less discoverable.
And just like any HTTP/REST API, you should be authenticating each request on the server side before doing anything that requires privilege.
Never trust the client is true regardless of the technology.
There’s lots of good advice on this in the Meteor Guide:
And in Meteor Tuts guide:
Thank You, Coagmano, for the swift response and resources! I will double check our server side validation and go trough the resources you provided! Love this community!