Lazy loading based on authorization

tek · June 28, 2015, 8:30am

Hello!

I’m new to Meteor and really amazed about how fast you can develop software with it!
And now I’ve reached a point, where I really can’t find a solution.
What I want to do, is to separate my app in let’s say 3 different parts based on the user authorization. So let’s say there is a public, an user, and an admin part.
The default Meteor behaviour would be to send all the templates, js, css, etc. to everyone. Maybe I’m a little bit paranoid but this seems to me like a big security flaw, because I don’t want that for example every visitor or default user can see what the admin can do.
So my question is, if it is possible to send the templates, js, etc. files in a lazy-loading manner based on the authentication/authorization so that everyone only gets the files one really needs.

Thanks in advance!

shock · June 28, 2015, 9:34am

security based on the fact that attacker dont know method names etc is really not very good approach
make separate meteor instance for admin and block access to it somehow (cause you know before logging in there, you already sent all app files anyway)

yasinuslu · June 28, 2015, 11:13am

You can use https://github.com/numtel/meteor-lazy-bundles/

tek · June 28, 2015, 2:34pm

Thanks for you answer!
1 - Of course, this is totally clear - but this approach makes the bad guys life at least a little bit more difficult.
2 - This “somehow” is in my opinion the question here.

tek · June 28, 2015, 2:35pm

Thank you! From a quick look this seems like a solution for my question!