Is simple-todos Example app find method secure after implementing Methods? [A: Yes! - mod]

Hi, in the ‘simple-todos’ example application (8: Methods | Meteor React Tutorial) three methods are implemented. They are for:

  • For inserting (tasks.insert)
  • For removing (tasks.remove)
  • For updating (tasks.setIsChecked)

However, there is no method for reading tasks from the database (it’s also working after removing the insecure package). We are still directly fetching tasks from the database. You can see the code from App.jsx.

// Client-side reactive query from App.jsx (closing of the useTracker call added here; it was cut off in the post)
const tasks = useTracker(() => {
  if (!user) return [];
  return TasksCollection.find(hideCompleted ? pendingOnlyFilter : userFilter, { sort: { createdAt: -1 } }).fetch();
});

As you can see it’s retrieving tasks directly from the MongoDB database by using TasksCollection.find method.

As it is happening in the browser, one can easily change the find condition to {} and call it like this, find({}), and therefore can easily see other users’ data. Is this safe and secure?

In short, yes. It is secure. But it is very good that you’re following the tutorial with thought. Props for that!

In general in Meteor you have two ways to get data from the database to a client. The first is to use a method. A method is just a remote procedure call that executes code on the server (methods in Meteor can simulate execution on the client as well, for better responsiveness, but that is just UI sugar and not really relevant here) and returns a response to the client. So you can run TasksCollection.find().fetch() and return the result to the client. Very similar to calling a REST endpoint in other apps. Since the code runs on the server, the method has full access to the database and it is up to you to set relevant restrictions in the method code before returning data.

The other way is live queries with publications and subscriptions. You set up a publication on the server where you control what data a user can subscribe to and then you call a subscription on the client that targets that publication. Meteor will then keep that data automatically updated on the client. For this to work, Meteor sets up a representation of the database on the client side (containing only the data that publications have revealed for this particular client, if any) which the client can then query locally with syntax similar to that used on the server. So the TasksCollection.find() that you noticed in App.jsx is a query into the local representation of the database, not a query into the actual database on the server. When using pub/sub, you secure the data by setting access restrictions in the publication code.
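To make the two data paths in the answer concrete, here is an added example (not code from this thread or from the Meteor tutorial) that models them offline: a server-side publication that only ever hands out the caller's own tasks, a client-side cache that a tampered find({}) runs against, and a method that performs its own ownership check. The function names (publishTasks, clientFind, removeTask, scenario), the context object with a userId field, and the sample tasks are all assumptions constructed for the illustration; real Meteor code would use Meteor.publish and this.userId instead.

```javascript
// Added example (not from the forum thread or the Meteor tutorial): a
// self-contained model of the two data paths described in the answer. The
// function names (publishTasks, clientFind, removeTask, scenario) and the
// sample tasks are assumptions constructed for this illustration.

// Constructed server-side collection: tasks owned by two different users.
const SERVER_TASKS = [
  { _id: 't1', text: 'alice task 1', userId: 'alice', isChecked: false, createdAt: 3 },
  { _id: 't2', text: 'alice task 2', userId: 'alice', isChecked: true,  createdAt: 2 },
  { _id: 't3', text: 'bob task 1',   userId: 'bob',   isChecked: false, createdAt: 1 },
];

// Minimal selector matcher: each selector key must equal the document field.
function matches(doc, selector) {
  return Object.entries(selector).every(([key, value]) => doc[key] === value);
}

// Server-side publication, the pub/sub access-control point. It ignores any
// selector the client might send and publishes only the caller's own tasks,
// the same shape as Meteor.publish('tasks', function () {
//   return TasksCollection.find({ userId: this.userId });
// }).
function publishTasks(ctx) {
  if (!ctx.userId) return [];                       // anonymous: publish nothing
  return SERVER_TASKS.filter((doc) => matches(doc, { userId: ctx.userId }));
}

// Client side: the local cache (minimongo in Meteor) holds only what the
// publication sent. A tampered find({}) runs against this cache, not the DB,
// so it can reveal nothing the publication did not already grant.
function clientFind(cache, selector) {
  return cache
    .filter((doc) => matches(doc, selector))
    .sort((a, b) => b.createdAt - a.createdAt);     // like {sort: {createdAt: -1}}
}

// Method-style write: methods do not inherit publication restrictions, so each
// one enforces its own check before touching the collection. Returns the
// collection with the task removed; throws if the caller does not own it.
function removeTask(ctx, store, taskId) {
  if (!ctx.userId) throw new Error('Not authorized.');
  const task = store.find((doc) => doc._id === taskId);
  if (!task || task.userId !== ctx.userId) throw new Error('Access denied.');
  return store.filter((doc) => doc._id !== taskId);
}

// Walk through the scenario from the question: a logged-in user edits the
// client-side selector to {} and then tries to remove someone else's task.
function scenario() {
  const aliceCache = publishTasks({ userId: 'alice' });
  const everythingAliceCanSee = clientFind(aliceCache, {});
  let bobRemovedAliceTask = true;
  try {
    removeTask({ userId: 'bob' }, SERVER_TASKS, 't1');
  } catch (err) {
    bobRemovedAliceTask = false;                    // rejected by the method's check
  }
  return {
    visibleToAlice: everythingAliceCanSee.map((doc) => doc._id),
    visibleToAnonymous: clientFind(publishTasks({ userId: null }), {}).length,
    bobRemovedAliceTask,
  };
}

console.log(scenario());
```

The point the model makes is the one in the answer: changing the selector on the client changes only which cached documents are displayed, while the set of documents that ever reach the client is decided in publishTasks. The write path is separate, which is why removeTask repeats an ownership check instead of relying on the publication.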


Everything became clear to me when I went to the next tutorial “Publications” 🙂
