Meteor - how to securely store and access settings.json variable on the client-side?

I am trying to access a secretKey on the client side of Meteor. I know that using Meteor.settings (http://docs.meteor.com/#/full/meteor_settings) seems to be the best way to access secrets.

My settings.json looks something like this:

{
  "public": {
    "secretKey": "topsecret!"
  }
}

I need to access secretKey on client-side JavaScript. However, when I go to the browser and in the console I can simply type in Meteor.settings.public.secretKey and the key would be right there!

Is there a better way for me to store and access this secret key on the client-side?

If you want to access private stuff from within the client, you must perform some basic permission handling with user accounts.

Meteor.methods({
  getSecretKey: function(){
    var user = Meteor.users.findOne(this.userId);
    if(!user){
      throw new Meteor.Error("login-error", "You must be logged in.");
    }
    if(!Roles.userIsInRole(user, "admin")){
      throw new Meteor.Error("admin-error", "You must be an admin.");
    }
    return Meteor.settings.secretKey;
  }
});

This pseudo-code is using a method to retrieve the secret key from the client and alanning:roles to perform a simple user role check.
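Added example, not code from the question or the answer: a Node.js check that can run before deployment and flags secret-looking key names under "public" in a settings file, because Meteor ships that subtree to every browser while the rest of the file stays on the server. The function names, the name pattern and the sample settings are assumptions made for this illustration.

```javascript
// Key names that suggest a credential (assumed pattern; tune for your project).
const SECRET_NAME = /(secret|passw(or)?d|token|api[_-]?key|private[_-]?key|credential)/i;

// Model of what the browser receives: only the "public" subtree of settings.json.
function clientView(settings) {
  return { public: settings.public || {} };
}

// Recursively collect dotted paths whose key name looks like a secret.
function findSecretLikeKeys(node, prefix, hits) {
  if (node === null || typeof node !== "object") return hits;
  for (const [key, value] of Object.entries(node)) {
    const path = `${prefix}.${key}`;
    if (SECRET_NAME.test(key)) hits.push(path);
    findSecretLikeKeys(value, path, hits);
  }
  return hits;
}

// Parse a settings.json string and return every suspicious client-visible path.
function auditSettings(settingsJson) {
  const visible = clientView(JSON.parse(settingsJson));
  return findSecretLikeKeys(visible.public, "public", []);
}

// Constructed sample 1: the layout from the question (key exposed to clients).
const QUESTION_SETTINGS = '{"public": {"secretKey": "topsecret!"}}';

// Constructed sample 2: key moved to the server-only top level, which is what
// the answer's method reads via Meteor.settings.secretKey.
const FIXED_SETTINGS = '{"secretKey": "topsecret!", "public": {"appName": "demo"}}';

// Constructed sample 3: a nested credential that is easy to miss by eye.
const NESTED_SETTINGS = '{"public": {"stripe": {"apiKey": "placeholder"}}}';

for (const [label, json] of [
  ["question", QUESTION_SETTINGS],
  ["fixed", FIXED_SETTINGS],
  ["nested", NESTED_SETTINGS],
]) {
  const hits = auditSettings(json);
  console.log(label, hits.length ? `EXPOSED: ${hits.join(", ")}` : "ok");
}
```

The check matches key names only, so a secret stored under a neutral name such as "value" is not detected; review the "public" block by hand as well.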
