Should server ONLY methods be separated from both methods?


#1

Hi,

So I know that it is recommended to create the methods in a place that is accessible to both the client and the server (like a lib folder).

However, I have a method that starts by getting the user’s facebook id:

const facebookUserId = Meteor.user().services.facebook.id

and then updates the user’s profile,

on the client I get an immediate error

exception while simulating the effect of invoking 'getUserFacebookImg' TypeError: Cannot read property 'facebook' of undefined

I assume that its because “services” isn’t available to the client. (on the server I do get the result)

(or is there a deifferent reason for this error?)

So my question is: should I leave this method as is in a folder that’s available to both the client and server, or should I create a separate doc for it? if so, and suggestions on how to separate the both from the server only methods?

Thanks!!!


#2

Hi @amirrosner,

You should never expose service configuration information client side.
If your method is calculating something that might have an impact on your UI client side, you can leave this method both client side and server side, for optimistic UI. Otherwise, you can use the methods only server side.

You can prevent the code related to the services for being executed client side by wrapping it like this :

if (this.isSimulation)
{
    // do whatever is important for Optimistic UI
}
else
{
    // Fetch facebook id and do business logic
}

An important note though : your code will still be sent to the client and thus, will be visible by anyone opening the console of his browser.
In order to prevent this, I advise you to put the business logic inside a server side only file, and require it inside the else like this :

if (this.isSimulation) {}
else {
     const { businessLogic } = require("/imports/folder1/server/businessLogic.js");
     businessLogic(); // Does the FB id fetching and business logic
}

This way, you won’t expose potentially harmful code to your users.
The important part is in the require which needs to fetch the file in a server/ directory, no matter how deep it is in your folder structure. If you fetch your file anywhere else than in a server directory, it will be sent to the client no matter what you do.

Hope this helps,


#3

Here is the appropriate section in the Meteor Guide. Might be worth reviewing this along with some of the other security sections. https://guide.meteor.com/security.html#secret-code


#4

Hi @axelvaindal,
Thanks for the great tips. I wasn’t aware of the option to check isSimulation. I’ll read more about this and reorganize my files.

Thanks for your time and explanation :slight_smile:


#5

Hi,
Great, thank you! :slight_smile: