Not sure how active @raix is on the eventddp package, and thought other users may have thoughts or benefit from this thread.
Note: Not looking for other strategies, as this data can’t be stored in a collection and is unique to the user, so I really need to find a way to push the data to the client and be done with it.
I’m considering using the eventddp package in an app for pushing notifications from the server to the client, but my immediate concern was security. Out of the box (installed via Atmosphere), you can do:
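```js
// client.js
var em = new EventDDP('test');
// The event name is the current user's id
em.addListener(Meteor.userId(), function(message) {
  console.log('New Message: ', message);
});

// server.js
var em = new EventDDP('test');
// userId and message are supplied by the calling server code
em.emit(userId, message);
```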
And everything works. The problem is that you can create a new listener in the browser console with whatever userId you can get your hands on, allowing you to intercept the event.
The solution (to me) was to pull the code from raix:eventddp (and also raix:eventemitter, as it’s a dependency) and scope the variables to the .js files.
Just wondering if anyone else has had experience with this, and if I should be aware of any other ways to create listeners that could hook into the emitter?
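
An added illustration, not part of the original post and not raix:eventddp's code: a constructed in-memory model of the concern described above, where delivery filtered only by a client-chosen event name reaches every client that registers that name, next to delivery keyed on the identity the server assigned to the connection. All class and function names are hypothetical.

```javascript
// Constructed model; Connection, NameRoutedHub, IdentityRoutedHub and demo
// are hypothetical names, not part of raix:eventddp or Meteor.
class Connection {
  constructor(userId) {
    this.userId = userId;            // identity assigned by the server at login
    this.subscriptions = new Set();  // event names this client asked to hear
    this.received = [];              // messages delivered to this client
  }
}

// Weak form: the event name chosen by the client is the only filter.
class NameRoutedHub {
  constructor() { this.connections = []; }
  connect(conn) { this.connections.push(conn); }
  listen(conn, eventName) { conn.subscriptions.add(eventName); }
  sendToUser(userId, message) {
    for (const conn of this.connections) {
      if (conn.subscriptions.has(userId)) conn.received.push(message);
    }
  }
}

// Hardened form: the server ignores client-chosen names for per-user data
// and delivers only to connections it authenticated as that user.
class IdentityRoutedHub extends NameRoutedHub {
  sendToUser(userId, message) {
    for (const conn of this.connections) {
      if (conn.userId === userId) conn.received.push(message);
    }
  }
}

// Two clients register the same event name; only one is the intended user.
function demo(HubClass) {
  const hub = new HubClass();
  const owner = new Connection('user-A');   // constructed sample ids
  const other = new Connection('user-B');
  hub.connect(owner);
  hub.connect(other);
  hub.listen(owner, 'user-A');
  hub.listen(other, 'user-A');              // name is not tied to identity
  hub.sendToUser('user-A', 'private notification');
  return { owner: owner.received.length, other: other.received.length };
}

console.log('name-routed:    ', demo(NameRoutedHub));
console.log('identity-routed:', demo(IdentityRoutedHub));
```

In the model, scoping the emitter variable on the client changes nothing about which connections the server delivers to; only the server-side identity check does.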