
Security aspects of ES6 Import - Using on the client side of Meteor

In the official Meteor guide it says:

Code that runs on the server can be trusted. Everything else: code that runs on the client, data sent through Method and publication arguments, etc, can't be trusted.

and also:

Secret business logic in your app should be located in code that is only loaded on the server. This means it is in a server/ directory of your app, in a package that is only included on the server, or in a file inside a package that was loaded only on the server.

Sensitive methods/algorithms etc. must be put on the server side. My first question is: how can we securely call a sensitive method, let's say createUser(), on the server side from the client side?

My second question: is there any difference between using Meteor.method and Validated-Method in terms of security? We don't need to use an import statement when calling a standard Meteor Method, but we need to import it if we call a Validated-Method. For the same createUser() example, is it better to define it in a Meteor Method for increased security?

In the official Meteor guide it says:

What the Meteor guide wants to say is:

Meteor is a full-stack framework, and the solution to many product requirements can be done in many ways (allocation of code between server and client). Let's suppose that you want to charge a client 20% on every purchase of goods.

Solution 1: Charge 20% on the client

Template.yourTemplate.events({
  // ... other events
  'click .buyme': function(event, template) {
    // Suppose you have the product id in the element's id attr
    let productId = event.target.id,
        product = Products.findOne({_id: productId}),
        charge = Math.ceil(product.price * 0.2);

    // Add an order. This runs in the browser, so the user controls
    // every value here, including charge.
    Order.insert({
      charge,
      productId,
      userId: Meteor.userId()
    });
  },
  // ... other events
});

Solution 2: Charge 20% on the server

import { check } from 'meteor/check';

Meteor.methods({
  // ... other methods
  'order': function(productId) {
    // productId is the only value that comes from the client, so check
    // its type; the price and the charge are taken from server-side data
    check(productId, String);
    let product = Products.findOne({_id: productId}),
        charge = Math.ceil(product.price * 0.2);

    // Add an order
    Order.insert({
      charge,
      productId,
      userId: Meteor.userId()
    });
  },
  // ... other methods
});

Call the method from the server.

You must be clear now that we cannot trust solution 1, right?

is there any difference between using Meteor.method and Validated-Method in terms of security?

No, of course not. Please refer to https://github.com/meteor/validated-method to find out more about validated-methods. You will see that the main difference between the two is that Meteor.methods depends on a magic string to access methods, whereas validated-method, on the other hand, provides an object which is used to access the method. And that is why we need to import it instead of just calling Meteor.call().
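As an added example that is not part of the original answer, here is a plain Node.js model of the server-side pattern above (solution 2): the argument check and login check a Meteor method should perform, the charge recomputed from server-side data, and a defensive scan of stored orders that shows how orders written by a tampered client (solution 1) would stand out. Products, Orders, orderMethod, clientSideInsert, findTamperedOrders and the ctx argument are assumptions standing in for a server-side collection, a Meteor.methods entry and this.userId; nothing here imports Meteor, so it runs offline.

```javascript
// Added example, not from the original answer: a plain Node.js model of the
// "trusted server method" pattern. Products, Orders, orderMethod,
// clientSideInsert, findTamperedOrders and ctx are assumptions standing in
// for a server-side Meteor collection, a Meteor.methods entry and this.userId.

// Constructed sample catalogue; in Meteor this lives in a server-side
// collection that the client cannot write to directly.
const Products = new Map([
  ['p1', { _id: 'p1', price: 100 }],
  ['p2', { _id: 'p2', price: 7 }],
]);

// Constructed order store (stands in for the Order collection).
const Orders = [];

const CHARGE_RATE = 0.2;

// Server-side rule for the charge: the only place it is computed.
function expectedCharge(price) {
  return Math.ceil(price * CHARGE_RATE);
}

// Stand-in for Meteor's check(value, String). Rejecting non-strings means a
// client cannot pass an object such as { $ne: '' } into a findOne() selector.
function checkString(value, name) {
  if (typeof value !== 'string' || value.length === 0) {
    throw new Error(`invalid-argument: ${name} must be a non-empty string`);
  }
}

// The trusted method (solution 2). ctx models Meteor's method context.
// Only productId crosses the trust boundary; the charge is recomputed here
// from the server's own price, so the caller cannot choose it.
function orderMethod(ctx, productId) {
  if (!ctx || !ctx.userId) {
    throw new Error('not-authorized: must be logged in');
  }
  checkString(productId, 'productId');
  const product = Products.get(productId);
  if (!product) {
    throw new Error('not-found: unknown product');
  }
  const order = {
    charge: expectedCharge(product.price),
    productId,
    userId: ctx.userId,
  };
  Orders.push(order);
  return order;
}

// Solution 1 modelled for contrast: a client-side insert where the caller
// supplies the whole document, charge included.
function clientSideInsert(orderFromClient) {
  Orders.push(orderFromClient);
  return orderFromClient;
}

// Defensive check for the server side: return stored orders whose charge
// does not match the server-side rule (or whose product does not exist).
function findTamperedOrders() {
  return Orders.filter((o) => {
    const product = Products.get(o.productId);
    return !product || o.charge !== expectedCharge(product.price);
  });
}
```

In a real app the three pieces of orderMethod map directly onto a ValidatedMethod: the argument check goes into its validate function, while the login check and the server-side computation live in run, where this.userId is available. The findTamperedOrders scan is the kind of consistency check worth running over data that a client-side write path may once have touched.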
