Security aspects of ES6 Import - Using on the client side of Meteor
In the official Meteor guide it says:
Code that runs on the server can be trusted. Everything else: code that runs on the client, data sent through Method and publication arguments, etc., can't be trusted.
and also:
Secret business logic in your app should be located in code that is only loaded on the server. This means it is in a server/ directory of your app, in a package that is only included on the server, or in a file inside a package that was loaded only on the server.
Sensitive methods/algorithms etc. must be put on the server side. My first question is, how can we securely call a sensitive method, let's say createUser(), on the server side from the client side?
My second question: is there any difference between using Meteor.method and Validated-Method in terms of security? We don't need to use an import statement when calling a standard Meteor Method, but we need to import it if we call a Validated-Method. For the same createUser() example, is it better to define it in a Meteor Method for increased security?
In the official Meteor guide it says:
What the Meteor guide wants to say is:
Meteor is a full stack framework, and the solution to many product requirements can be done in many ways (allocation of code to server and client). Let's suppose that you wanna charge a client 20% on every purchase of goods.
Solution 1: Charge 20% on client
Template.yourTemplate.events({
  // ... other events
  'click .buyme': function(event, template) {
    // Suppose you have the product id in the element's id attr
    let productId = event.target.id,
        product = Products.findOne({_id: productId}),
        // The charge is computed in the browser, so the user controls it
        charge = Math.ceil(product.price * 0.2);
    // Add an order (the client-computed charge is written as-is)
    Order.insert({
      charge,
      productId,
      userId: Meteor.userId()
    });
  },
  // ... other events
});
Solution 2: Charge 20% on server
Meteor.methods({
  // ... other methods
  'order': function(productId) {
    // The client only sends the product id; the price and the charge
    // are looked up and computed here, on the server
    let product = Products.findOne({_id: productId}),
        charge = Math.ceil(product.price * 0.2);
    // Add an order
    Order.insert({
      charge,
      productId,
      userId: Meteor.userId()
    });
  },
  // ... other methods
});
Call the method from the server.
You must be clear now that we cannot trust solution 1, right?
Is there any difference between using Meteor.method and Validated-Method in terms of security?
No, of course not. Please refer to https://github.com/meteor/validated-method to find out more about validated-methods. You will see that the main difference between the two is that Meteor.methods depends on a magic string to access methods, but validated-method, on the other hand, provides an object which is used to access the method. And that is why we need to import it instead of just Method.call().