meteor flow-router placement/security

Question

i have a question regarding flow router on meteor. in the new project structure for meteor, all files are suggested to be kept in the "imports folder" and be imported to either the server folder or client folder. in the tutorials i have seen that use flow router, there was no imports folder and the routes folder with the js file in it was kept right under the project folder. that raises a few questions for me.

1. where does the flow router code run? on the client? on the server? on both?
2. if it runs on both, should i leave it outside the imports folder?
3. if it runs on both/only on the client, what does that mean security-wise? say i don't want a certain user to be able to access a certain page, so in the flow-router action() i write a code that prevents people from reaching where i don't want them, can't they just change this code on the client and bypass the wall?
4. when referring to a user on the flow-router js file, do i use Meteor.userId() or this.userId?.
5. i have three functions written inside if(Meteor.isClient) which i copied from a tutorial. the functions are Accounts.onLogin, Accounts.onLogout, FlowRouter.tringgers.enter. can a user hack through them since they are on the client?

thanks in advance!

Answer 1

1. From the documentation:

Flow Router is a client side router and it does not have Server Side Routing capability. It has no plans to implement such features either.

so Flow Router runs on the client only and you should put the related code in /imports/startup/client

2. See (1). Generally, all your code should be placed in the imports directory.

   Meteor ensures that any file in any directory named server/ will only be available on the server, and likewise for files in any directory named client/

So if you want to have some code accessible to both the client and the server don't place it in any subdirectories named /client or /server.

3. Although previously, with Iron Router, authentication was done in the router layer, with Flow Router you should write the auth logic in the template/component layer. Writing code in the flow router action() that prevents users from accessing a page is not a good pattern, according to the creator of Flow Router. Read here for examples and more details.

In server-rendered apps(in the PHP era), if there is an unauthorized access, we can redirect the user to a login page or some other page. In Meteor, or in any single-page app, we can simply show a login screen to the user instead of redirecting them to another page. Or else, we can simply say: "You are not allowed to view this page."

4. Same as in (3). You shouldn't refer to a user in the router layer.

5. Any code that runs on the client is not safe from a malicious user.

You may find the following useful:

• Meteor guide application structure
• Routing Guide for Meteor Apps (with Flow Router)
• The example app "Todos", written following the Meteor Guide