Meteor: How to prevent client from accessing methods

All Meteor methods can be called the same way from the client and server side.

Let's say a user knows or can predict all the method names on the server; then he is able to call them and use its result however he wants.

Example: a method which performs a cross-domain HTTP request and returns the response can be used to overload the server by requesting huge amounts of data, Meteor.call(httpLoad, "google.com"); or a method which loads data from Mongo can be used to access database documents if the client knows the document _id, Meteor.call(getUserData, "_jh9d3nd9sn3js");.

So, how to avoid these situations? Maybe there is a better way to store server-only functions than in Meteor.methods({...})?

Meteor methods are designed to be accessed from the client; if you don't want this, you just need to define a normal JavaScript function on the server. A really basic example would be:

server/server.js:

// A plain function that is never registered with Meteor.methods,
// so there is no remote name for a client to call.
someFunction = function(params) {
    console.log('hello');
}

As long as it's in the server folder, the function won't be accessible from the client.

For CoffeeScript users, each file is technically a separate scope, so you would have to define a global variable with @, e.g.

@someFunction = (params) ->
    console.log 'hello'

or if you want to scope the function to a package:

share.someFunction = (params) ->
    console.log 'hello'

If you have methods that need to be accessible from the client but only for, say, admin users, you need to add those checks at the start of the Meteor method definition:

Meteor.methods({
    'someMethod': function(params) {
        // Meteor.user() is resolved on the server from the login token,
        // not from anything the client passes as a parameter.
        var user = Meteor.user();
        if (user && (user.isAdmin === true)) {
            // Do something
        } else {
            throw new Meteor.Error(403, 'Forbidden');
        }
    }
});

I'm not going to vouch for the security of this example - it's just that, an example - but hopefully it gives you some idea of how you would secure your methods.

EDIT: Noticed the other answers mention using an if (Meteor.isServer) { ... } conditional. Note that if you are doing this inside methods which are also accessible on the client, the user will still be able to see your server code, even if they can't run it. This may or may not be a security problem for you - basically be careful if you're hardcoding any 3rd-party API credentials or any kind of sensitive data in methods whose code can be accessed from the client. If you don't need the method on the client, it would be better to just use normal JS functions. If you're wrapping the whole Meteor.methods call with an isServer conditional, the code will be on the server only, but can still be called from the client.

As rightly stated in other answers, your methods will always be accessible from the client (per design). Yet, there is a simple workaround to check if the call originates from the client or from the server. If you do a

if ( this.connection == null )

this will return true if the method was called from the server. Like that you can restrict the method body execution to 'secure' calls.

I think this page explains it: http://meteortips.com/first-meteor-tutorial/methods/

I'm quoting:

"The safer approach is to move these functions to the isServer conditional, which means:

Database code will execute within the trusted environment of the server. Users won't be able to use these functions from inside the Console, since users don't have direct access to the server.

Inside the isServer conditional, write the following:

Meteor.methods({
   // methods go here
});

This is the block of code we'll use to create our methods."

and so on. I hope this helps.

With proper app design, you shouldn't care whether a request was through the web UI or via something typed in a console window.

Basically, don't put generic, abuse-worthy functions in Meteor.methods, implement reasonable access controls, and rate-limit and/or log anything that could be a problem.

Any server-side function defined in Meteor.methods will have access to the current user id through this.userId. This userId is supplied by Meteor, not a client API parameter.

Since that Meteor method server-side code knows the login status and userId, it can then do all the checking and rate limiting you want before deciding to do that thing that the user asked it to do.

How do you rate limit? I've not looked for a module for this lately. In basic Meteor you would add a Mongo collection for user actions accessible server-side only. Insert timestamped, userId-specific data on every request that arrives via a Meteor method. Before fulfilling a request in the server method code, do a Mongo find for how many such actions occurred from this userId in a relevant period. This is a little work and will generate some overhead, but the alternative of rate-limiting via a server-wide underscore-style debounce leaves a function open for both abuse and denial-of-service by an attacker.
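The three checks the answers above describe (the first answer's admin check, the second answer's this.connection == null test for server-originated calls, and this answer's per-user rate limit built on a collection of timestamped actions) combined into one method guard. This is an added example, not code from any of the answers or from Meteor itself: Meteor.Error, the server-only Mongo collection, Meteor.users and the method invocation context (this.userId, this.connection) are replaced by small in-memory stand-ins so the file runs under plain Node.js, and the names checkAccess, call, UserActions, the two user records and the window/limit constants are all assumptions of this example.

```javascript
// Stand-in for Meteor.Error: carries an `error` code and a reason.
class MethodError extends Error {
  constructor(error, reason) {
    super(reason);
    this.error = error;
  }
}

// Constructed in-memory stand-in for a server-only Mongo collection of
// timestamped user actions (in Meteor: new Mongo.Collection('userActions'),
// defined only under server/ so the client never sees it).
const UserActions = {
  docs: [],
  insert(doc) { this.docs.push(doc); },
  // Equivalent of find({ userId, method, at: { $gte: since } }).count()
  countSince(userId, method, since) {
    return this.docs.filter(d => d.userId === userId && d.method === method && d.at >= since).length;
  },
};

// Constructed user records standing in for Meteor.users documents.
const users = {
  'u-admin': { _id: 'u-admin', isAdmin: true },
  'u-guest': { _id: 'u-guest', isAdmin: false },
};

const WINDOW_MS = 60 * 1000; // sliding window length (assumed value)
const MAX_CALLS = 5;         // calls per user, per method, per window (assumed value)

// Guard to run at the top of a method body. `ctx` mirrors the Meteor method
// invocation context { userId, connection }; `now` is injected so the
// window behaviour can be exercised deterministically.
function checkAccess(ctx, methodName, now, { requireAdmin = false } = {}) {
  // A null connection means the method was invoked from server code;
  // those calls are trusted and are not rate limited.
  if (ctx.connection == null) return;
  if (!ctx.userId) throw new MethodError(401, 'Not logged in');
  const user = users[ctx.userId];
  if (requireAdmin && !(user && user.isAdmin === true)) {
    throw new MethodError(403, 'Forbidden');
  }
  // Per-user sliding-window limit computed from the action log, then record
  // this call so the next one sees it.
  const recent = UserActions.countSince(ctx.userId, methodName, now - WINDOW_MS);
  if (recent >= MAX_CALLS) throw new MethodError(429, 'Too many requests');
  UserActions.insert({ userId: ctx.userId, method: methodName, at: now });
}

// Method bodies written the way they would sit inside Meteor.methods({...}).
// The context is passed explicitly instead of as `this` so the file runs
// stand-alone; the body logic is what would go in the real method.
const methods = {
  // Returns only the caller's own record: the document id comes from the
  // server-supplied userId, never from a client argument, so knowing another
  // user's _id gains the caller nothing.
  getUserData(ctx, now = Date.now()) {
    checkAccess(ctx, 'getUserData', now);
    const owner = ctx.userId || 'server';
    return { owner, profile: users[owner] || null };
  },
  // Admin-only action guarded by the isAdmin check.
  purgeCache(ctx, now = Date.now()) {
    checkAccess(ctx, 'purgeCache', now, { requireAdmin: true });
    return 'purged';
  },
};

// Mirrors Meteor.call on the server and reports the outcome instead of
// throwing, so callers can inspect the error code.
function call(ctx, name, now) {
  try {
    return { ok: true, result: methods[name](ctx, now) };
  } catch (e) {
    if (e instanceof MethodError) return { ok: false, error: e.error };
    throw e;
  }
}
```

Because the limit is keyed on the server-supplied userId and stored per user, one abusive client cannot exhaust a server-wide budget and lock everyone else out, which is the denial-of-service problem a global debounce would create.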
