New Meteor App/serrvice

Happy to announce a new Meteor app. It’s not a space or industry that I imagined I’d be passionate about, but that’s how life works sometimes. Short backstory is that I started designing and building websites back in 2003 (full-time in 2006, and then web apps years later), and always tried to create a memorable experience. Sadly, my mom passed away about 2 years ago, so I opted to build her an elegant website for family and friends to visit anytime to see pictures, hear audio, watch video, etc.

That website landed well, and my colleagues and I decided that we should build a platform that could allow anyone to build an elegant online memorial with ease. It quickly became a passion project for us.

While we wanted visitors to have an elegant experience when visiting a memorial, we also wanted the authoring experience to feel easy and intuitive to the person building it. After all, they’re likely grieving, so technology should help, not get in their way.

So we designed and built: https://honoringthem.com.

HonoringThem allows anyone to start building a memorial right from the homepage. You can build a fully featured memorial without ever having to create an account or provide your email. The idea was that we wanted people to see exactly what they would get without any paywall or sign up blockers. I don’t know of any site/service that allows you to build so much without providing any info, but the guiding principle was that if they play around and end up liking our platform, they’ll sign up to save and publish their work.

ht-social-preview1609×908 93.9 KB

Why Meteor?

It was actually 9 years ago today when I started writing my first “Meteor code”. I was mainly trying to test out the framework, and using Meteor + Blaze made web development exciting all over again. I ended up creating what is essentially a personal project, but for commercial projects my colleagues and I always opted for more common frameworks. We’re great admirers of Vue, and had a great developer experience building an appshell healthcare app that used Nuxt on the frontend, and connected behind a firewall to Wordpress so content managers could easily do their thing.

When it came time to build HonoringThem, I reached for Nuxt 3 and Strapi 4, and struggled for 4 painful days just trying to get the dang things to work well (along with Pinia, which was somehow more difficult than Vuex to use as a global store). Yes, it was my first time with Strapi, but it was massively frustrating how difficult it was to get basic things working like authentication.

It dawned on me after day 4 that I should just reach for Meteor, since I’ve always loved it. I hit the Meteor.com homepage and the first thing that pops up is the headline “Stop fighting with frameworks and start shipping real apps”. It’s like they were speaking directly to me!

In the next 4 hours I had the app setup, directory structure in place, and all authentication routes setup and working correctly. From there, we just focused on building features. And as much as I love Vue, HonoringThem still uses Blaze…because Blaze is wonderful.

We’re not currently leveraging pub/sub that much, but we did use it so that people can collaborate in real-time to produce a memorial. Many online memorial platforms allow for multiple admins, but most (if not all) are not real-time. Given Meteor’s DDP making real-time so easy, we of course had to utilize it so folks can invite collaborators to help build something memorable and robust, together.

Would love to hear any feedback, and if you know someone who could use this app/service, please feel free to send their way.

Also worth noting - we bake security into all the apps we work on, and HonoringThem is no exception. Much of what my team and I have worked on over the years are healthcare apps, and besides developing with a ZeroTrust methodology, we also always have our apps penetration tested.

For anyone needing pen tests done, we’ve relied successfully on https://www.bittowerllc.com for nearly a decade. Joshua Tower is the main tester and has historically always provided great detail on findings. Highly recommend.

Sounds like a very personal, but also technically challenging project.

For security, did you find you had to change much about how you develop with Meteor, or add much code, in order to meet your target?

Or was the “Meteor” side fine so to speak and more of the challenges were things like storing image assets securely, given the personal importance to users?

Not much needed to change in terms of our security approach. Whether we’re dealing with PHP/MySQL, or with Node/Mongo, operating with ZeroTrust means we are careful to take care of sanitizing data from inputs, check authentication and authorization where appropriate, and making assertions about what types of content should be coming from a browser.

Meteor does a lot to aid in rapid application development, but security is still always something we bake into application code. Not all Meteor methods in our app need to check for authentication, for example. Some methods are fine to call anonymously, such as in fetching a memorial from the db to display for a typical site visitor.

Meteor does have some packages (audit-argument-checks) that help in ensuring you’re taking basic security steps, like ensuring the types of arguments being passed to a method are what are expected (i.e. argument 2 is supposed to be a object, but check anyway to be sure), but just because an object was indeed passed and checked doesn’t mean we can trust the properties/values of that object.

So, it’s really the same kind of stuff we’d do outside of Meteor, because nothing a browser (or API client) sends to a server can be trusted.

Somewhat ironically their website cert seems to have expired. But regardless, good to know about pen testers in the Meteor world. I’ve been wondering about where to look for such help. Thanks!

D’oh! I think that was a case of the shoe cobbler’s children. Just reached out and he updated the certificate.

I’ll be meeting with him next week to get some static code analysis done (a great complement to dynamic penetration testing) and I’ll provide an update here.

That is a very interesting and different use case of Meteor, Mike. I don’t think I ever saw other memorial tool done with it.

Originally I reached for Meteor because I loved the developer experience, but it has really come in handy for things like collaboration. We recently just rolled out that feature, so that people can invite others to help build a memorial. With pub/sub I’m able to show how many collaborators are actively working on a single memorial, along with what area of the memorial they’re currently editing.