As per Meteor Guide’s Security checklist,
Don’t ever trust user IDs passed from the client. Use
this.userId inside Methods and publications.
There are some documentations conflicts, where I can’t really relate that one should use this.userId if he uses the Accounts Package.
What if someone don’t want to use Accounts Package like me because its not in my requirements.
Meteor suggest us to use publications this.userId, but this.userId is always null. Also, tried using this.setUserId but no success in this also.
Is there any method where I can set user Id using Meteor.userId or something like this, currently I am using Sessions to store the user Id but Sessions are not secured, they can be changed using the console.
Is there any method where I can implement a secured solutions to store user Id,
The point is that you should use a server side method to get the userId from whatever authentication system you are using. Meteor stores an auth-token (and alternative to a session cookie) that it transmits to the server on every method call/subscription (ddp request), and verifies that then grabs user data directly from it’s own stores based on the result of that verification. Any good auth system will do something similar on the server.
For what it’s worth, I don’t use
this.userId - I always use
Meteor.userId() - something similar can probably be used from an external auth library, but you’ll have to work out how to tie that to your current method invocation. Maybe take a look inside accounts-base and see how they did it there.
Do you have any suggestion for the external auth library? @captainn
I just use the Meteor package.
If you don’t need accounts, why are you trying to check the userId?
If you don’t use accounts, you presumably won’t be passing userIDs from the client to the server and you won’t be violating the rule: “Don’t ever trust user IDs passed from the client”?
Or are you using an existing external accounts system?
Yes I am using external accounts system, created separately.
Then the secure way would be to pass through a token that can be used to check authorization on the external accounts system
Have you implement any token based system?