Do I need to put createUser code in a meteor method?

I'm writing a meteor app and working on my user registration template.

Currently I have the following code, imported on the client:

Template.register.events({
  'submit form': function(event){
    event.preventDefault();
    let username = $('[id=input-username]').val();
    let email = $('[id=input-email]').val();
    let password = $('[id=input-password]').val();
    Accounts.createUser({
      username: username,
      email: email,
      password: password
    }, function(error){
      if(error){
        Bert.alert( "That username or email is either taken or invalid. Try again.", 'danger', 'growl-top-right' );
        // console.log(error.reason);
      }
      else {
        FlowRouter.go('mainLayout');
      }
    });
  }
});

My question is, is it ok to have the Accounts.createUser code on the client or do I need to call this from a meteor method imported on the server? In my head I'm thinking a user can register as many times as they like with different emails / usernames therefore what's the harm in having the code on the client vs making a call to the server.

Thoughts welcome.

CreateUser is designed to be used from the client. It handles the encryption of the password before it is sent to the server.

You can do validations on the client side to save time, but ideally you should write the code in a Meteor method on the server side and call it on the client side via Meteor.call(). In your case I can simply add users using the Chrome console and can loop it a million times to add random stuff in your db. CSRF attacks are mostly welcome this way. You should also specify collections.allow() and collections.deny() when you are defining a new Mongo.Collection(). Also, you should remove the autopublish and insecure packages from the Meteor project.
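
Client-side Accounts.createUser ends up invoking a server method named createUser, so server-side validation and rate limiting can be attached to it directly. The sketch below is an added example, not code from the original question or answers; the username/email rules, the 5-per-minute limit, and the helper names signupRejection and installSignupGuards are assumptions.

```javascript
// Added example: server-side checks for the built-in `createUser` method.
// Policy values below are assumptions, not taken from the original page.
const USERNAME_RE = /^[A-Za-z0-9_]{3,20}$/;
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const SIGNUP_LIMIT = 5;              // signups allowed per window, per address
const SIGNUP_WINDOW_MS = 60 * 1000;  // window length in milliseconds

// Returns null when the new user document is acceptable, else a reason code.
// `user` has the shape Meteor passes to Accounts.validateNewUser:
// { username, emails: [{ address, verified }], ... }
function signupRejection(user) {
  if (!user || typeof user.username !== 'string' ||
      !USERNAME_RE.test(user.username)) {
    return 'invalid-username';
  }
  const emails = Array.isArray(user.emails) ? user.emails : [];
  if (emails.length !== 1 || !emails[0] ||
      typeof emails[0].address !== 'string' ||
      !EMAIL_RE.test(emails[0].address)) {
    return 'invalid-email';
  }
  return null;
}

// Wires the checks in only when running inside Meteor on the server, where
// Meteor, Accounts and DDPRateLimiter are package globals (requires the
// accounts-password and ddp-rate-limiter packages to be added to the app).
function installSignupGuards() {
  if (typeof Meteor === 'undefined' || !Meteor.isServer) return false;
  // Runs on the server for every new account, however the call was made.
  Accounts.validateNewUser((user) => {
    const reason = signupRejection(user);
    if (reason) throw new Meteor.Error(403, reason);
    return true;
  });
  // Throttle the method that client-side Accounts.createUser invokes,
  // counted separately for each client address.
  DDPRateLimiter.addRule(
    { type: 'method', name: 'createUser', clientAddress: () => true },
    SIGNUP_LIMIT, SIGNUP_WINDOW_MS
  );
  return true;
}

installSignupGuards();
```

The validation hook and the rate-limit rule both run on the server, so they apply to calls made from the browser console as well as from the registration form.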

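Notice: The technical posts on this site follow the CC BY-SA 4.0 license. If you need to republish, please credit this site's URL or the original address. For any questions, contact: yoyou2525@163.com.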

 
Guangdong ICP Filing No. 18138465  © 2020-2024 STACKOOM.COM