Prevent Client from Accessing Meteor Methods from Console


#1

I have a Meteor method that sends a generic email in a file on the server side of the application. From the console, anyone can use Meteor.call to call the method and send an email using the template from the site. The method uses meteor SSR (from meteorhacks:ssr https://github.com/meteorhacks/meteor-ssr) which can only be used on the server side. However, the method is being called from the client side so I cannot make a regular function instead of a Meteor method because I cannot import a function from the server to client side. Is there a way to check if the method is being called from the console? I am using Meteor version 1.8.


#2

Short answer: No.

Solution: Check if the call came from the client and reject it based on information you control.


#3

It sounds like you want the ‘correct’ method call to come from the client as a response to a user interaction (e.g. clicking a button), correct? If that’s the case, then there is no way to prevent or detect if the same method call is being called from the console.

You have to protect the method from being used inappropriately, e.g. by unauthorised users, or at the wrong time in a sequence of events, or too frequently, or to unknown email addresses, etc.

Under what conditions is the ‘send email’ button shown to the user? You need to make the method return an error if those same conditions are not met.

If for some reason that’s not possible, then you might want to include some form of CAPTCHA (e.g. reCAPTCHA) which includes server validation of a token provided by the client.
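Added example (not code from the thread or from Meteor itself): the server-side guard that #2 and #3 describe, written as a plain function so it runs under Node without a Meteor app. Every decision is made from state the server holds (the caller's userId, the user's verified addresses, the known template names, a per-user send counter); the client-supplied `to` and `template` are only ever compared against that state. The user record, template names, the 3-per-minute limit and the method name `sendTemplateEmail` are constructed for the example; the `Meteor.methods` / `Meteor.Error` wiring at the bottom is the real Meteor API and only runs when the file is loaded inside a Meteor server.

```javascript
// Constructed server-held state (hypothetical data, not from the thread).
const users = new Map([
  ['u1', { emails: [{ address: 'alice@example.com', verified: true },
                    { address: 'alice-old@example.com', verified: false }] }],
]);
const TEMPLATES = new Set(['welcome', 'receipt']);
const RATE_LIMIT = { max: 3, windowMs: 60_000 }; // 3 attempts per minute per user
const attemptLog = new Map(); // userId -> timestamps of recent attempts

// Sliding-window limiter. Every attempt counts, including rejected ones, so a
// console user probing other recipients burns their own quota.
function checkRateLimit(userId, now) {
  const recent = (attemptLog.get(userId) || [])
    .filter((t) => now - t < RATE_LIMIT.windowMs);
  attemptLog.set(userId, recent);
  if (recent.length >= RATE_LIMIT.max) return false;
  recent.push(now);
  return true;
}

// Returns { ok: true } or { ok: false, reason }. `now` is injectable for tests.
function authorizeSendEmail(userId, args, now = Date.now()) {
  // 1. Caller must be a logged-in user the server knows about.
  if (!userId || !users.has(userId)) return { ok: false, reason: 'not-authorized' };

  // 2. Throttle before doing anything else with the request.
  if (!checkRateLimit(userId, now)) return { ok: false, reason: 'too-many-requests' };

  // 3. Never trust the argument shape: validate types before using them.
  const { to, template } = args || {};
  if (typeof to !== 'string' || typeof template !== 'string') {
    return { ok: false, reason: 'invalid-argument' };
  }
  if (!TEMPLATES.has(template)) return { ok: false, reason: 'invalid-argument' };

  // 4. Recipient must be one of the caller's own *verified* addresses, i.e. the
  //    same condition under which the UI would show the "send email" button.
  const allowed = users.get(userId).emails.some(
    (e) => e.verified && e.address.toLowerCase() === to.toLowerCase(),
  );
  if (!allowed) return { ok: false, reason: 'recipient-not-allowed' };

  return { ok: true };
}

// Wiring into a Meteor method. `Meteor` is a global inside a Meteor app; the
// guard around it lets this same file load under plain Node.
if (typeof Meteor !== 'undefined' && Meteor.isServer) {
  Meteor.methods({
    sendTemplateEmail(args) {
      const verdict = authorizeSendEmail(this.userId, args);
      if (!verdict.ok) throw new Meteor.Error(verdict.reason);
      // Server-only work goes here: render with SSR and send the email.
    },
  });
}
```

Whether the call originated from a button click or from the console is invisible to this code, and deliberately so: the method is correct because it re-derives the "button is shown" condition from server data and refuses anything else. In a real app the counter would live in the database or in `DDPRateLimiter` rather than in process memory, so it survives restarts and works across multiple server instances.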


#4

Indeed. Basically, treat everything that comes from a client as potentially suspect or even hostile.