Security issue in simple-todos with react example


I have made React Tutorial (

I have questions. I run meteor --production

And I see in code:

"tasks.setPrivate":function(e,t){if(i(e,String),i(t,Boolean),a.findOne(e).owner!==r.userId())throw new r.Error("not-authorized")

This is source of tasks.js
I think this is not secure to show this code to end user - he can find security mistakes.

I see this line in App.jsx:
import { Tasks } from '../api/tasks.js';
I’ve removed it.

Now I see this line only in server/main.js

import '../imports/api/tasks.js';

Why this information on client?

How I must edit my app to secure this issue?