Hi,
The meteor documentation shows how to use check within a publication (see example below).
However, it is my understanding that if the check fails, an error is thrown which can kill the Node.js process. This is a super easy way to attack a Meteor app: just send arguments to a publication that do not pass check.
So how do you properly use check in a publication?
E.g., if a malicious user sends a roomId of type number, check will throw an error, killing Meteor.
Meteor.publish('roomAndMessages', function (roomId) {
  check(roomId, String);
  return [
    Rooms.find({ _id: roomId }, {
      fields: { secretInfo: 0 }
    }),
    Messages.find({ roomId })
  ];
});
Is this a robust way to use check without killing your app?:
Meteor.publish('roomAndMessages', function (roomId) {
  try {
    check(roomId, String);
    return [
      Rooms.find({ _id: roomId }, {
        fields: { secretInfo: 0 }
      }),
      Messages.find({ roomId })
    ];
  } catch (e) {
    this.error(e);
    this.ready();
  }
});