0

I am building an app in meteor in which one of the pages is visible to user only if the user is logged in. The link to the page is in the navigation header and I want a login dialog to be displayed when the user clicks on the link without logging in. Here is the code for showing the dialog : 

<template name="header">
 <a href="#" id="createPost">Create Post</a>
</template>

Template.header.events({
   "click #createPost": function (evt) {
       evt.preventDefault();
       if(!Meteor.user()) {
           $('#myModal').modal("show"); //bootstrap modal dialog
       }else{
           Router.go('/createPost');
       }
   }
}

However, the problem is that Meteor.user() check can easily be bypassed from browser console using Meteor.user = function(){return true;}

I tried checking Meteor.user() in the route and throwing an exception as follows :

  Router.route('/createPost', function () {
        if (!Meteor.user()) {
            throw new Meteor.Error(500, 'You are not logged in.');
        }
        this.render('newbag');
    });

But this check also doesn't work once Meteor.user has been modified in the browser. What is the best way to handle this case and preventing the page from being displayed.

vjain27
  • 3,514
  • 9
  • 41
  • 60
  • You probably don't need to stop the user from seeing the "create post" page, you just need to stop the user from using it to create a post. That means authorization in your method (or allow/deny rules). Even if they can't see the "create post" page, if there's no authorization on the method, they could still create a post by calling the method manually. – user3374348 Jul 31 '15 at 15:17

2 Answers2

3

There is no way to ensure that a client won't see a given page.

Even if you do put up a lot of tricks in the end the client is receiving all the templates and he can still access it, be it with his browser console or through more advanced tricks.

What you want is prevent the user from seeing and manipulating data, which is a validation that must be done server-side for security, and can be done client-side for a better feel for the user.
For example, in a publication:

Meteor.publish('userData', function() {
  if(!this.userId) {
    throw new Meteor.Error('user not logged-in');
  }
  //...
});

What you must ensure is that in a normal, legal use of your application, everything runs fine, the client sees what he can see and is prompted for what he needs to be prompted (here, "Please log in").

If the client is trying to screw up, let him get his page broken.

Kyll
  • 7,036
  • 7
  • 41
  • 64
  • 1
    Yup. You *could* do method calls to the server (where user's authenticity cannot be spoofed) every time you *really* don't want the user to see some static template, but I don't know many JS apps that go to such an extent. And even in that case, I think users can overwrite method definition on the client side. Anyway, all this just adds complexity as well as an illusion of security. – SylvainB Jul 31 '15 at 15:22
0

I agree with the other answers: if you really want to lock down an application, then you'll need to do consider server-side controls as well.

For apps that require less security, I generally do something similar to your code using iron-router:

Router.route('/', {
    name: 'home',
    template: 'home',
    onBeforeAction: function(){
     var currentUser = Meteor.userId();
     if(currentUser){
         this.next();
     } else {
         this.render("login");
     }
   }
});

I tested with your hack on the console and it reliably keeps redirecting to 'login', but the login screen itself (I am using accounts-ui and accounts-password) then breaks, as you cannot log out the Null user.

ProgHog231
  • 1