Security aspects of ES6 Import - Using on the client side


#1

In the Meteor guide it says;

Code that runs on the server can be trusted. Everything else: code that runs on the client, data sent through Method and publication arguments, etc, can’t be trusted

and also

Secret business logic in your app should be located in code that is only loaded on the server. This means it is in a server/ directory of your app, in a package that is only included on the server, or in a file inside a package that was loaded only on the server.

Sensitive methods/algorithms etc. must be put in the server side. My first question is, how can we ensure security on the client side when calling a method lets say createUser() on the server-side through an import statement? When I imported a function/object etc. does it mean that I make this function available to client-side thus make it vulnerable?
My second question; is there any difference between using Meteor.method and Validated-Method in terms of security? We don’t need to use an import statement when calling a standard Meteor Method but we need to import it if we call a Validated-Method. For the same createUser() example, should I define it in a Meteor Method for security?


#2

If you want to secure server-side imports, place them in a server/ folder under imports:

imports/
 L server/
    L secure.js # this is secure
 L path/
    L to/
       L server/
          L secure.js # this is secure

You cannot import files under a server/ folder into the client.

You need to be more careful with validated methods, since code in the .run (the method part) is visible on the client. This thread has more on the subject:


#3

Thank you @robfallows for your quick response!