Iron router: router path on the server


#1

I’m using iron router in a particular project. I’m trying to make my subscriptions more secure. At the moment, I have a few different pages that show a bunch of computing devices each. All the data for these computing devices are stored in a single collection. Based on which compute device page the user is at, I’d like to filter the pub / sub and show only that compute device’s relevant documents on the client. For this, my waitOn looks like:

Meteor.subscribe('templatesPublication',{ 
    $or: [
              {ipAddress: this.params.ipAddress, routerName: this.params.routerName},
              {ipAddress: {$exists: false}, templateName:{$regex: ".*SystemDefaultTemplate"}} 
           ]
})

My publish function looks like:

Meteor.publish("templatesPublication", function publishFunction(filter) {
      // The filter object arrives straight from the client and is used as the query selector.
      if(filter){
          return templates.find(filter);
      }
});

In this scenario, I’m basically passing all the parameters from the client on to the server in order to provide a filtered list of documents. From what I’ve read so far in general, what the client sends cannot always be trusted. The filter object that is being sent down, can be assumed to be modified.

Given this background, I was wondering how the server could come to know which page the client is in and provide a publication filter by itself, instead of relying on the client to tell it explicitly.

I’d like to know if it’s possible for the server to know on which page (url) the logged in user is at, if at all that’s possible. OR how the server can give out relevant publication WITHOUT the client telling it.

Thanks.


#2

Which user? You might have thousands.


#4

Oops. I was still adding more information to my post. I’ve updated the same.


#5

As you’ve identified, that’s an incredibly dangerous and insecure pub/sub you’ve got there. Basically, you’re allowing any user to pass whatever query they like to your server.

Are you using Blaze?


#6

Yes. I’m using Blaze.


#7

Assuming you can build the correct query on the server given the user’s current route, you just need to have a reactive subscription which updates whenever the route changes.

Caveat: I have never used iron router, so the iron router stuff which follows is coming straight out of the guide.

In iron router, the current route is available reactively through Router.current().route.getName(). However, in template helpers there seems to be a different way (using Iron.controller) of accessing the current route controller. I don’t know which will be correct in what follows - I’m going to assume the former.

In your onCreated, set up your subscription inside an autorun as follows:

Template.someTemplate.onCreated(function() {
  this.autorun(() => {
    this.subscribe('yourPublication', Router.current().route.getName());
  });
});

Now, whenever the user’s route changes, the subscription re-runs and the current route is passed to the publication, which also re-runs. Note, you will still need to sanitise the parameter on the server, to ensure it’s not an injection attempt.


#8

Thanks for the approach Rob. The URL helps in identifying the right compute device since it contains the IP address (Eg., something.com/device/19.168.1.2/). If this is sent to the server, the server pulls out the IP address, frames the query and returns the relevant docs via the publisher. Although this does seem a bit more secure, I feel that this is still similar to the earlier instance where I was sending the query parameter itself. The server will still dumbly send back data on the basis of what is contained in the URL. So in essence, anyone who changes the IP in the URL will gain untoward data from the server. Which is why I was wondering if there was a way for the server to come to know which page the user is in, without the client telling the server explicitly.


#9

As long as you confirm (use check), that the parameter is a string and has that format, then all you need to do is validate the IP is one which that user is allowed to see.

If it’s a valid, logged-in user and the IP is allowed for that user, then it’s secure.
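The approach in #9 (validate the parameter's type and format, then authorise the IP against the logged-in user) as an added example, not code from the thread. It is plain JavaScript so it runs outside Meteor: the per-user device list is a constructed sample standing in for a collection lookup, the `check` step is hand-written, and the filter keeps only the `ipAddress` half of the original query for brevity.

```javascript
// Added example: build the templates filter on the server from a validated,
// authorised ipAddress, instead of accepting a client-supplied selector.

// Dotted-quad IPv4 only; anything else (objects, operators, hostnames) is rejected.
const IPV4 = /^(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$/;

// Constructed sample (assumption): which device IPs each user may see.
// A real app would read this from a collection keyed by this.userId.
const allowedDevicesByUser = {
  alice: ['10.0.0.5', '10.0.0.6'],
  bob: ['10.0.0.7'],
};

// Equivalent of check(ipAddress, String) plus a format test. Without the
// type check, an object such as {$ne: null} would be spliced into the query.
function checkIpAddress(ipAddress) {
  if (typeof ipAddress !== 'string' || !IPV4.test(ipAddress)) {
    throw new Error('Match failed: ipAddress must be an IPv4 string');
  }
  return ipAddress;
}

// Returns the selector the publication should use, or throws when the caller
// is anonymous, the parameter is malformed, or the IP is not theirs to see.
function buildTemplatesFilter(userId, ipAddress) {
  if (!userId) throw new Error('not-authorized');
  const ip = checkIpAddress(ipAddress);
  const allowed = allowedDevicesByUser[userId] || [];
  if (!allowed.includes(ip)) throw new Error('not-authorized');
  return {
    $or: [
      { ipAddress: ip },
      { ipAddress: { $exists: false }, templateName: { $regex: '.*SystemDefaultTemplate' } },
    ],
  };
}

// Wiring into the publication (Meteor API, shown as a comment for context):
// Meteor.publish('templatesPublication', function (ipAddress) {
//   return templates.find(buildTemplatesFilter(this.userId, ipAddress));
// });
```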