Is Autoform Secure?

I’m using autoValue in my schema with an {{ #autoform type='insert' }}. It appears that values are populated on the client, and not validated on the server… which makes it unfit for production use.

What are others doing? Must you manually define a Meteor.method to force server-side validation by calling check()?

Have you defined your schema on the server as well? As far as I know, autovalue is evaluated on the server side and what gets persisted is the autovalue calculation on the server.

Yeah, my collection is defined in a shared folder, collections. I also validated that autoValue is executed on the server as well with a log message wrapped in a Meteor.isServer conditional. Thanks!

Just to elaborate a bit more on serkandurusoy’s answer. The reason this happens is because of Meteors latency compensation (or optomistic UI). To make the user interface appear instantly responsive, code is run on both the server and the client. The client code updates the UI instantly, including inserting values into the DB and doing validation. However once the server code has run, it replaces everything that the client code has done, even if this means replacing with a different value. The link above goes into greater detail if you are interested.

2 Likes