Securing access to collection from the client's side

Question

I have a meteor app prototype that works well, but is very insecure as of now: I needed to display a list of matching users to the currently logged-in user. For starters, I decided to publish all users, limiting the fields to what I would need to filter the user list on the client side.

Meteor.publish('users', function () {
  return Meteor.users.find({}, {
    fields: {
      'profile.picture': 1,
      'profile.likes': 1,
      'profile.friends': 1,
      'profile.type': 1
    }
  });
});

Then in my router, I would do a request to only show what I wanted on the client side:

Router.map(function() {
  this.route('usersList', {
    path: '/users',
    waitOn: function () {
      return Meteor.subscribe('users');
    },
    data: function () {
      var user = Meteor.user();
      return {
        users: Meteor.users.find({ $and: [
            {_id: {$ne : user._id}},
            {'profile.type': user.profile.interest}
          ]})
      };
    }
  });
});

In the code above, I query all users who are not the current user and whose type correspond the current user's interest. I also display a certain border on the photos of users who have my user in their "profile.friends" array, using this client helper:

Template.userItem.helpers({
  getClass: function(userId) {
    var user = Meteor.user();
    var lookedup = Meteor.users.findOne({_id: userId});
    if ($.inArray(user._id, lookedup.profile.friends) !== -1)
      return "yes";
    return "no";
  }
});

Now this all worked great, but with this setup, every client can query every users and get their type, picture, list of friends and number of likes. If I was in an MVC, this info would only be accessible on server side. So I decided my next iteration to be a security one. I would move my query from the router file to the publications file. That's where trouble began...

Meteor.publish('users', function () {
  var user = Meteor.users.findOne({_id: this.userId});
  var interest =  user.profile.interest;
  // retrieve all users, with their friends for now
  allUsers = Meteor.users.find({ $and: [
      {'_id': {$ne: user._id}},
      {'profile.type':interest}
    ]},
    { fields: {'profile.picture': 1, 'profile.friends': 1}}
  );
  return allUsers;
});

And in the router:

Router.map(function() {
  this.route('usersList', {
    path: '/users',
    waitOn: function () {
      return Meteor.subscribe('users');
    },
    data: function () {
      var user = Meteor.user();
      return {users: Meteor.users.find({_id: {$ne : user._id}})};
    }
  });
});

(note that I still need to exclude the current user from the router query since the current user is always fully published)

This works, but:

the user list does not get updated when I change the user interest and then do a Router.go('usersList'). Only when I refresh the browser, my list is updated according to the user's new interest. No idea why.
this solution still publishes the users' friends in order to display my matching borders. I wish to add a temporary field in my publish query, setting it to "yes" if the user is in the user's friends and "no" otherwise, but... no success so far. I read I could use aggregate to maybe achieve that but haven't managed to so far. Also, aggregate doesn't return a cursor which is what is expected from a publication.

This problem makes me doubt about the praises about meteor being suitable for secure apps... This would be so easy to achieve in Rails or others!

EDIT: As requested, here is the code I have so far for the transition of my "matching" check to the server:

Meteor.publish('users', function () {
  var user = Meteor.users.findOne({_id: this.userId});
  var interest =  user.profile.interest;
  // retrieve all users, with their friends for now
  allUsers = Meteor.users.find({ $and: [
      {'_id': {$ne: user._id}},
      {'profile.type':interest}
    ]},
    { fields: {'profile.picture': 1, 'profile.friends': 1}}
  );
  // ------------- ADDED ---------------
  allUsers.forEach(function (lookedup) {
    if (_.contains(lookedup.profile.friends, user._id))
      lookedup.profile.relation = "yes";
    else
        lookedup.profile.relation = "no";
    lookedup.profile.friends = undefined;
    return lookedup;
  });
  // ------------- END ---------------
  return allUsers;
});

Obviously this code doesn't work at all, since I cannot modify cursor values in a foreach loop. But it gives an idea of what I want to achieve: give a way to the client to know if a friend is matched or not, without giving access to the friend lists of all users to the client. (and also, avoiding having to do one request per each user during display to ask the server if this specific user matches this specific one)

1. is expected behavior since the publish code on the server is non-reactive. This blog post will probably help you there: https://www.discovermeteor.com/blog/reactive-joins-in-meteor/ 2. Should not be too hard to implement. I think it is a good idea to check whether a user is in the current user's friends list instead of the other way around (in case friendships are two-way). Can you maybe post the code you tried? — Tobias, Jul 15 '14 at 09:02
For 2. it's actually a "matching" system that I simplified for the sake of clarity (question is complicated enough I think). So I need to check if the user is in the other users friends, without giving him access to the entire list of friends of this user. I did not really "try" something that I thought would work, but just iterated through. I'll put the code anyway ;) — SylvainB, Jul 15 '14 at 09:14

score 0 · Answer 1 · answered Jul 17 '14 at 10:02

0

You can add a transform function and modify a cursor docs on the fly meteor Collection.find

answered Jul 17 '14 at 10:02

Roman

215
1
2
10

Securing access to collection from the client's side

1 Answers1

Linked