Meteor Subscriptions & data loading & Security

#1

Hi Everyone,

I was working on a social network kind of platform where I need to display data from various collection sources, and those collections are related to each other via the primary key and foreign key concept.

So let's have a look at this screenshot [screenshot, 2018-09-27] (it will make understanding better).

So, this is blogs listing page.

All Logics:

  • Step 1: A user will view the blogs only from his network / the people he follows.
    So first I need to get all the followers and following of a user. So I wrote
    Meteor.subscribe("fetch_user_network_data", Session.get("userId"));
    This will return all the users in the user's network.

  • Step 2: Go to the Blog collection to get the blogs for the user's network.
    So there would be subscriptions like
    Meteor.subscribe("fetch_blog_details", blog_creator_id_is_from_one_of_users_network);
    This would return all the blogs.

  • Step 3: Go to the Like and Comments collections to get the required data for the corresponding Blog Id.
    So there is also a subscription like
    Meteor.subscribe("get_total_likes", blog_id_from_one_of_the_blogs_data);
    Meteor.subscribe("get_total_comments_count", blog_id_from_one_of_the_blogs_data);

  • Step 4: As per the screenshot, I need to show the users I follow and those who follow me. So there would be a subscription like
    Meteor.subscribe("get_user_details", user_id_from_users_network);

So this is the case. Now I need to show loading until the data loads, as there is data that depends upon the data returned from the previous subscription.

Q - 1. Is it possible to use Iron Router's waitOn method or any Meteor method like the one mentioned here on Stack Overflow?
Q - 2: Is there any drawback of using helper-side subscriptions?
Q - 3: Is there any alternative for loading the desired data with some different approach?
Q - 4: Is there a need to update the database structure so that I could have fewer subscriptions?
Q - 5: As the data becomes available it becomes available to the client, that's great, but using the Minimongo Google Chrome plugin the client can view all the data, which is not good. Is there any way I could stop that? It's a security breach.

Any help would be greatly appreciated.

#2
  • You can use methods to load data instead of using subscriptions.
  • You can send clients only the data they need, not all the fields of the data. So you don't have to worry about the Google Chrome plugin.
#3

Q - 1. Is it possible to use Iron Router's waitOn method or any Meteor method like the one mentioned here on Stack Overflow?

Unless you’re very heavily invested in Iron Router, I wouldn’t recommend it for complex reactive routing. Look at Flow Router (if you’re using Blaze), React Router (if you’re using React), or Vue Router (if you’re using Vue). It’s better to put reactivity closer to the point of use (i.e. not in the router).

Q - 2: Is there any drawback of using helper-side subscriptions?

Do you mean client-side subscriptions? You should minimise the amount of data you’re syncing to the client. Don’t use reactivity if you don’t really need it. Ensure each user gets to see only what they’re allowed to see.

Q - 3: Is there any alternative for loading the desired data with some different approach?

You can use Meteor Methods, but you won’t get reactivity. Unless you do some extra work on the server with pub/sub, methods are per-client. You could also use REST, but the same restrictions apply.

Q - 4: Is there a need to update the database structure so that I could have fewer subscriptions?

I’ve no idea - I don’t know your database structure, your architecture, or your ultimate design goals. Unless you’re very familiar with MongoDB, almost certainly :wink:.

Q - 5: As the data becomes available it becomes available to the client, that's great, but using the Minimongo Google Chrome plugin the client can view all the data, which is not good. Is there any way I could stop that? It's a security breach.

Yes - see the following links. You’re probably using autopublish, which publishes everything by default.

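To make the autopublish point concrete, here is an added example (not code from the thread or from Meteor itself) of a server-side publication that replaces autopublish: it scopes blogs to the logged-in user's network and projects only public fields, so what lands in Minimongo is exactly what the client is allowed to see. Collection names (Follows, Blogs), field names and the sample data are assumptions; the pure functions run in plain Node, and Meteor.publish is only called when running inside Meteor.

```javascript
// Only these fields ever reach the client; private fields such as draftNotes never do.
const BLOG_PUBLIC_FIELDS = { title: 1, body: 1, creatorId: 1, createdAt: 1 };

// Follow edges look like { followerId, followingId }; both directions form the "network".
function networkUserIds(userId, follows) {
  const ids = new Set();
  for (const f of follows) {
    if (f.followerId === userId) ids.add(f.followingId);
    if (f.followingId === userId) ids.add(f.followerId);
  }
  ids.delete(userId);
  return [...ids].sort();
}

// Selector + options a publication hands to Blogs.find(). Filtering by creatorId on the
// server (not the client) is what keeps other users' blogs out of Minimongo entirely.
function networkBlogsQuery(userId, follows) {
  if (!userId) return null; // not logged in: publish nothing
  const ids = networkUserIds(userId, follows);
  return { selector: { creatorId: { $in: ids } }, options: { fields: BLOG_PUBLIC_FIELDS } };
}

// In-memory stand-in for the server's find(), to show what would go over the wire.
// Meteor always includes _id, so it is kept alongside the projected fields.
function applyQuery(docs, query) {
  if (!query) return [];
  const allowed = ['_id', ...Object.keys(query.options.fields)];
  return docs
    .filter((d) => query.selector.creatorId.$in.includes(d.creatorId))
    .map((d) => Object.fromEntries(allowed.filter((k) => k in d).map((k) => [k, d[k]])));
}

// Constructed sample data (assumed shapes, not from the thread).
const FOLLOWS = [
  { followerId: 'alice', followingId: 'bob' },
  { followerId: 'carol', followingId: 'alice' },
  { followerId: 'dave', followingId: 'erin' },
];
const BLOGS = [
  { _id: 'b1', title: 'Hello', body: 'hi', creatorId: 'bob', draftNotes: 'secret', createdAt: 1 },
  { _id: 'b2', title: 'Mine', body: 'yo', creatorId: 'carol', draftNotes: 'private', createdAt: 2 },
  { _id: 'b3', title: 'Not yours', body: 'no', creatorId: 'dave', draftNotes: 'x', createdAt: 3 },
];

if (typeof Meteor !== 'undefined' && Meteor.isServer) {
  Meteor.publish('networkBlogs', function () {
    const follows = Follows.find({ $or: [{ followerId: this.userId }, { followingId: this.userId }] }).fetch();
    const q = networkBlogsQuery(this.userId, follows); // this.userId is null for anonymous clients
    return q ? Blogs.find(q.selector, q.options) : this.ready();
  });
}
```

With a single publication like this, the per-blog subscriptions in Steps 2 and 3 collapse into one scoped query, and the Minimongo plugin only ever shows the projected documents.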
#4

Thanks @minhna, but

  • I would need reactive data. Meteor methods are not reactive in nature.
  • I need to send some user IDs; are there any drawbacks to those user IDs being available publicly to the client?
#5

Thanks @robfallows, I have a better understanding now

Regarding Q - 1, I think using the waitOn method would make it easier to manage the loading.
Regarding Q - 5, can we customize the data coming from the server, something like an encryption kind of thing?
This way I would manage to hide the DB structure.

#6

Can I use the same subscriptions on multiple pages? Or do I need to make subscriptions on every page?

#7

Regarding Q - 1, I think using the waitOn method would make it easier to manage the loading.

Okay, but you should be aware that you may introduce multiple reactive re-renders and data loads unless you're very careful with your code design.

Regarding Q - 5, can we customize the data coming from the server, something like an encryption kind of thing?

Read those links :wink:.

As an alternative, have you looked at the socialize packages, which are designed for this sort of use case? The author, @copleykj, is very active here.

#8

Regarding the first point, can I check whether my code is not well designed? Because it's a very vast term.

Can I have the links please? I didn't understand this.

#9

If you’re concerned you should probably get it independently reviewed. Alternatively, monitor client and server performance for over-active reactivity (it may be fine) and refactor later.