Securing server methods


#1

Continuing the discussion from Meteor Guide: Security:

When hiding server-side code, rather than creating a fake global variable and having a run that has an isSimulation, it may be better to just override the run function on the server side as part of the initialization.

e.g. API side

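import { ValidatedMethod } from 'meteor/mdg:validated-method'

// Shared stub: this is the only method body that client code can see.
export const Countries = new ValidatedMethod({
  name: 'countries',
  validate: null,
  run() {
    return []
  }
})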

server side

/* globals Assets */
import { Countries } from '/imports/model'

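// Load and transform the data once, at server start-up.
let countries = angular.fromJson(Assets.getText('countries.json'))
countries = countries.map((current) => {
  const ret = {
    code: current.cca3,
    name: current.name.common,
    weight: 1.0
  }
  // Canada's ISO 3166-1 alpha-3 code is 'CAN' ('CAD' is the currency code).
  if (current.cca3 === 'CAN') {
    ret.weight = 2.0
  } else if (current.cca3 === 'USA') {
    ret.weight = 2.0
  }

  return ret
})

// Replace the stub's run with the real server-only implementation.
Countries.run = () => {
  return countries
}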

An added bonus is that the server can be stateful, so it does not evaluate the whole state at every single run.

Can someone help me figure out how to remove /* globals Assets */ though? @tmeasday, perhaps you can help point it out, since you opened https://github.com/meteor/meteor/issues/6552
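
The server-side `run` override described in the post above, as an added example that is not part of the original post or of any Meteor package. `StubMethod`, `sharedCountries`, `installArrowRun`, `installCheckedRun` and the sample rows are hypothetical names and constructed data; the class only models a method that looks up `run` at call time and binds it to the invocation context, which is an assumption about how the override takes effect.

```javascript
// Hypothetical stand-in for a validated method (not the real package): it looks
// up `run` when called and binds it to the per-call invocation context.
class StubMethod {
  constructor({ name, validate, run }) {
    Object.assign(this, { name, validate, run })
  }
  call(invocation, args) {
    if (this.validate) this.validate.call(invocation, args)
    return this.run.call(invocation, args)
  }
}

// Shared module (client and server): only this empty stub is defined here.
function sharedCountries() {
  return new StubMethod({ name: 'countries', validate: null, run() { return [] } })
}

// Server-only module: state is computed once, from constructed sample rows.
const rows = [
  { cca3: 'CAN', name: { common: 'Canada' } },
  { cca3: 'FRA', name: { common: 'France' } }
]
const cached = rows.map((c) => ({ code: c.cca3, name: c.name.common }))

// Arrow override, as in the post: `this` is lexical, so the invocation
// context (for example the caller's userId) is not visible inside it.
function installArrowRun(method) {
  method.run = () => cached
}

// Regular-function override: `this` is the invocation, so the server body
// can still apply a per-caller check before returning data.
function installCheckedRun(method) {
  method.run = function () {
    if (!this.userId) throw new Error('not-authorized')
    return cached
  }
}

const demo = sharedCountries()
console.log(demo.call({ userId: null }, {}).length) // stub body runs
installCheckedRun(demo)
console.log(demo.call({ userId: 'u1' }, {}).map((c) => c.code).join(','))
```

The arrow form is fine for public data such as a country list; a server body that depends on the caller needs the regular-function form.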


#2

Assets is a global injected by the build tool. I’m not sure you can.


#3

Maybe change the globally injected one to something else like _Assets and expose an export const Assets = _Assets as part of meteor/meteor?