Locking down raix:eventddp


#1

Not sure how active @raix is on the eventddp package, and thought other users may have thoughts or benefit from this thread.

Note: Not looking for other strategies, as this data can’t be stored in a collection and is unique to the user, so I really need to find a way to push the data to the client and be done with it.

I’m considering using the eventddp package in an app for pushing notifications from the server to the client, but my immediate concern was security. Out of the box (installed via Atmosphere), you can do:

//client.js
  var em = new EventDDP('test');
  em.addListener(Meteor.userId(), function(message) {
    console.log('New Message: ', message);
  });

//server.js
  var em = new EventDDP('test');
  em.emit(userId, message);

And everything works. The problem is that you can create a new listener in the browser console with whatever userId you can get your hands on, allowing you to intercept the event.

The solution (to me) was to pull the code from raix:eventddp (and also raix:eventemitter, as it’s a dependency) and scope the variables to the .js files.

Just wondering if anyone else has had experience with this, and if I should be aware of any other ways to create listeners that could hook into the emitter?


#2

I wrote the ddp eventemitter package to test the idea of emitting events across client/server. I’m not sure where MDG is heading with DDP, e.g. whether it’s being deprecated in favor of the GraphQL stack.

The client can’t set the userId; it’s a property on the DDP connection. Something like this might work:

//client.js
  var em = new EventDDP('test');
  em.addListener('message', function(message) {
    console.log('New Message: ', message);
  });

//server.js
  var em = new EventDDP('test');
  em.emitMatch('message', { userId: userId }, message);

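Added example, not code from raix:eventddp or from either poster: a small in-process model (plain Node.js, no Meteor) of the two listener patterns in this thread, showing why gating delivery on the connection's server-assigned userId closes the hole described in #1. The connection object, the emitMatch stand-in and all ids are constructed for illustration.

```javascript
// Model of a DDP connection: the server assigns userId after login; the client
// only gets to choose event names. Names and values here are constructed.
function makeConnection(userId) {
  return { userId, listeners: new Map(), received: [] };
}

// Client side: register a handler under an event name the client picks.
function addListener(conn, eventName) {
  conn.listeners.set(eventName, (msg) => conn.received.push(msg));
}

// Pattern from #1: the event name *is* the userId, so any connection that
// registers under that name receives the message, whoever it belongs to.
function emitByName(connections, eventName, message) {
  for (const conn of connections) {
    const fn = conn.listeners.get(eventName);
    if (fn) fn(message);
  }
}

// Pattern from #2 (stand-in for emitMatch): a shared event name, with delivery
// gated on connection properties the client cannot set, such as userId.
function emitMatch(connections, eventName, match, message) {
  for (const conn of connections) {
    const matches = Object.keys(match).every((k) => conn[k] === match[k]);
    const fn = conn.listeners.get(eventName);
    if (matches && fn) fn(message);
  }
}

// Scenario: alice and bob are both logged in; bob also registers a listener
// under alice's userId from the browser console, as described in #1.
function runScenario() {
  const alice = makeConnection('alice-id');
  const bob = makeConnection('bob-id');
  const conns = [alice, bob];

  addListener(alice, 'alice-id');
  addListener(bob, 'alice-id');                        // keyed on someone else's id
  emitByName(conns, 'alice-id', 'msg-for-alice-1');    // reaches bob too

  addListener(alice, 'message');
  addListener(bob, 'message');                         // same name, different userId
  emitMatch(conns, 'message', { userId: 'alice-id' }, 'msg-for-alice-2');

  return { alice: alice.received, bob: bob.received };
}

console.log(runScenario());
```

With the name-keyed pattern bob receives alice's first message; with the match-gated pattern only alice receives the second, even though both registered the same listener name.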
#3

Cool, thanks!

Not sure where MDG is heading either, but this package is great for translating api events into client messages. Thanks again