
I read this at the docs:

Database Everywhere. Use the same transparent API to access your database from the client or the server.

This is great, but I think there are some security issues. Providing full and transparent access to the database at client side, you are exposed to bad users, who modify your JS code (it's really at his browser and he can do it) and add any database action that could retrieve/remove/update data that perhaps could be sensible.

Please, correct me if I'm wrong. Thanks!

amuniz
I thought this too, "A full database API on the client" <- no one in their right mind would put that into production as it's currently described. The meteor project needs to reiterate what they mean by this, or take a step back and think, is this REALLY a good idea for a production environment? Hopefully they meant it purely for development. – Sam Giles Apr 11 '12 at 17:56

3 Answers


You are correct. The developers are currently working on Auth and security concerns. As of now everything is open and great for creating prototypes and test apps; however, they are vulnerable to users retrieving/removing/updating data as they like.

See the developer response to this question here: Link

JB belcherj

Meteor now includes restrictions on client database writes (allow and deny) and a complete user accounts system.

debergalis

Secure your app by removing the insecure and autopublish packages:

meteor remove insecure autopublish
Jason Prawn
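The allow/deny rules mentioned two answers up, and the locked-down state you get after `meteor remove insecure`, can be illustrated without running Meteor. The block below is an added example, not code from Meteor or from any of the answers: it models Meteor's documented decision rule for client writes (any deny that returns true rejects the write; otherwise at least one allow must return true) with callback shapes matching Meteor's `allow`/`deny` options, and the `posts` rules, user ids and documents are constructed for the example.

```javascript
// Added example: a stand-alone model of how Meteor decides whether a
// client-side write is permitted. It does not import Meteor; the rule
// objects follow the shape of Meteor's Collection.allow/deny callbacks
// (insert(userId, doc), update(userId, doc, fieldNames, modifier),
// remove(userId, doc)), but the evaluator and data below are constructed.

// Decision rule: a write is rejected if ANY deny callback returns true;
// otherwise it is permitted only if AT LEAST ONE allow callback returns
// true. With no allow rules at all (the state after removing the
// insecure package), every client write is rejected.
function isWritePermitted(rules, op, userId, doc, fieldNames = [], modifier = {}) {
  const args = [userId, doc, fieldNames, modifier];
  const call = (r) => typeof r[op] === 'function' && r[op](...args) === true;
  if (rules.deny.some(call)) return false;
  return rules.allow.some(call);
}

// Constructed rules for a hypothetical "posts" collection: logged-in users
// may insert posts they own, owners may update and remove their own posts,
// and a deny rule stops any client from reassigning the owner field.
const postsRules = {
  allow: [{
    insert: (userId, doc) => !!userId && doc.owner === userId,
    update: (userId, doc) => !!userId && doc.owner === userId,
    remove: (userId, doc) => !!userId && doc.owner === userId,
  }],
  deny: [{
    // Deny wins over allow, so even the owner cannot change ownership.
    update: (userId, doc, fieldNames) => fieldNames.includes('owner'),
  }],
};

// No rules at all: the secure default once the insecure package is gone.
const lockedDownRules = { allow: [], deny: [] };

// Scenarios a reviewer would check; returns a map of permission outcomes.
function runScenarios() {
  const post = { _id: 'p1', owner: 'alice', title: 'hello' };
  return {
    anonInsert: isWritePermitted(postsRules, 'insert', null, { owner: 'alice' }),
    ownerUpdateTitle: isWritePermitted(postsRules, 'update', 'alice', post, ['title'], { $set: { title: 'x' } }),
    ownerReassignOwner: isWritePermitted(postsRules, 'update', 'alice', post, ['owner'], { $set: { owner: 'mallory' } }),
    otherUserRemove: isWritePermitted(postsRules, 'remove', 'bob', post),
    ownerRemove: isWritePermitted(postsRules, 'remove', 'alice', post),
    lockedDownInsert: isWritePermitted(lockedDownRules, 'insert', 'alice', { owner: 'alice' }),
  };
}
```

Note that the allow callbacks above only see `doc` as the server already holds it; for inserts Meteor passes the document the client proposes, so the `owner === userId` check is what prevents a client from inserting a post under someone else's id.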