Prevent Meteor.methods being called in client browser console


#1

Is there a way to prevent/secure Meteor methods to be called in client side browser console? Or at the very least know that the call is coming from console?


#2

Yes, you can put them in files that are only loaded on the serverside


#3

I’m not sure why you would want to do this.

If you only need them on the server side there’s no reason to use Meteor methods at all. Just go with plain old functions.
If you have concerns that your methods could be called at clientside from unauthorized users - you should always check for that in the method. No matter if it’s called from your UI, via the dev console, … or whatever.

But to answer your question: No, i’m not aware of any way to check for that.


#4

Optimistic UI is just one of many reasons to use Meteor methods. You are forgetting things like having a userId available, clean endpoints and EJSON.


#5

To expand on that: Anything that lives on the client is inherently insecure.

This means that you have to treat anything coming from the client as insecure.

And when you’ve dealt with that issue then you don’t really have to care about the client messing around in the console anymore.