How to safely sign objects used by the client?

Hi All.

I have started a new project using Meteor and am absolutely impressed by this awesome platform.
Now I am struggling with a problem that I could not really find out how to solve.
My problem is that I need to sign some temp-URLs pointing to a backend to embed images on the client side. The signing works with a secret key, which I want to store on the server.
My problem is: what is the best place to do the signing? The signing itself is not really CPU-intensive (simple HMAC hash), but I am not sure when to do this.

I have found different possibilities:

  1. Adding a transform function to the collection and altering each document with a signed URL. Problem here: I have to give the client the logic to sign the URL (and thus the secret key), or I have to call a server method for each record (seems to result in much unused network traffic…)
  2. Using collection-hooks (meteor-collection-hooks). This could be done by the server with the after.find() hook. I tried to implement this, but this does not really seem to work, since the documents returned to the client are not altered…

Is there any other best practice for how I should implement this?
Any help would be great.
Thanks so much for all the information I have found here so far!

You can use Meteor.publish to create a custom subscription where you transform the document before sending it to the client.

See this discussion for more details.
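A sketch of the custom publication suggested above, as an added example that is not part of the original posts: the HMAC key stays on the server and the client only ever receives URLs that are already signed and expire. The names `signUrl`, `verifyUrl`, `publishSignedImages`, `Images`, the `path` field, the `URL_SIGNING_KEY` variable and the `expires`/`sig` query format are assumptions for illustration; your backend defines the real format.

```javascript
// Keep this file under server/ so neither the code nor the key is bundled for the client.
const crypto = require('crypto');

// Assumption: the key is supplied by server-only configuration. The fallback is a constructed demo value.
const SECRET = process.env.URL_SIGNING_KEY || 'constructed-demo-key';
const TTL_SECONDS = 300;

const mac = (path, expires, key) =>
  crypto.createHmac('sha256', key).update(`${path}\n${expires}`).digest();

// Bind the signature to both the path and the expiry (path is assumed to carry no query string).
function signUrl(path, now = Date.now(), key = SECRET) {
  const expires = Math.floor(now / 1000) + TTL_SECONDS;
  return `${path}?expires=${expires}&sig=${mac(path, expires, key).toString('hex')}`;
}

// What the image backend would do: reject expired links, then compare in constant time.
function verifyUrl(url, now = Date.now(), key = SECRET) {
  const [path, query = ''] = url.split('?');
  const params = new URLSearchParams(query);
  const expires = Number(params.get('expires'));
  if (!Number.isInteger(expires) || expires < Math.floor(now / 1000)) return false;
  const given = Buffer.from(params.get('sig') || '', 'hex');
  const expected = mac(path, expires, key);
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Publish handler: observe the cursor and forward each document with a signed `url` field added.
function publishSignedImages(collection, clientCollection = 'images') {
  return function () {
    const withUrl = (fields) => (fields.path ? { ...fields, url: signUrl(fields.path) } : fields);
    const handle = collection.find().observeChanges({
      added: (id, fields) => this.added(clientCollection, id, withUrl(fields)),
      changed: (id, fields) => this.changed(clientCollection, id, withUrl(fields)),
      removed: (id) => this.removed(clientCollection, id),
    });
    this.ready();
    // Works whether observeChanges returned the handle or a promise of it.
    this.onStop(() => Promise.resolve(handle).then((h) => h.stop()));
  };
}

// In a Meteor server file (Images is a hypothetical Mongo.Collection):
// Meteor.publish('signedImages', publishSignedImages(Images));
```

Each document is signed once, when it is sent to the client, so the TTL has to cover how long the client will keep displaying it.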

Thanks a lot.
This works perfectly!