2

In Meteor we put all sensitive code in /server and browser code in /client. Meteor then automatically compiles and minifies all /client side code for us. Thanks Meteor.

However, I'm using https://github.com/alanning/meteor-roles to manage content by user roles. One of those roles is an administrator and I have client-side scripts for use only by that user, e.g. /client/admin-only/**.js. All code in those scripts checks the user is an administrator and only calls the server to do sensitive tasks, but I don't want anyone but an administrator to be able to even see that code.

What I want to ensure is that these client admin JS files are only downloaded to users who are actual administrators and not included in the auto-compiled/minified JS created by Meteor.

Is there any way to set up Meteor to generate 2 versions of its client JS - one for normal users and one for administrators - and only download those files based on user role?

Daniel Flippance
    Nope. If seeing the code w/o any of the published data is actually that much of a concern, you'll need to bundle it into a separate app. – David Weldon Feb 05 '16 at 19:42
  • What kind of code are we talking about? For the sake of security wouldn't it be better to define it on server and never exclude to the client? Especially the privilege checks. – pikausp Feb 05 '16 at 23:04
  • Exactly, that's what I'm doing but you still need some script on the client. That's the script I want to hide. – Daniel Flippance Feb 05 '16 at 23:23

1 Answer

0

The Meteor Guide addresses this issue:

While the client-side code of your application is necessarily accessible by the browser, every application will have some secret code on the server that you don’t want to share with the world. Secret business logic in your app should be located in code that is only loaded on the server. This means it is in a server/ directory of your app, in a package that is only included on the server, or in a file inside a package that was loaded only on the server.

Basically, MDG's guidance is to dumb down that admin view as much as possible. If that's not acceptable, you'll need to have it bundled in a separate Meteor application on either an internally accessible network only, or by using two MongoDB instances so you can separate authentication out for the second app.

Stephen Woods