
I have a question about security in Meteor.js.

As we know, the /client side is for the browser and is accessible by users.

I am trying to make a small game, but I am not sure how to secure it from modifications.

I would like to have a "shop" array like, for example:

var shopItems = [
    ['soup', 100] // item name, price in dollars (the original `100$` is not valid JavaScript)
];

But it's not very secure, because the user can edit the price of the soup, right?

So ... what now?

The only thing that comes to my mind is to store it in the DB, but that doesn't seem nice.

Thanks for any help and suggestions!

Lukas Lukac
  • possible duplicate of [How do you secure the client side MongoDB API?](http://stackoverflow.com/questions/10115042/how-do-you-secure-the-client-side-mongodb-api) – Andrew Mao Aug 03 '13 at 16:07
  • and possible duplicate of http://stackoverflow.com/q/10451497/586086 – Andrew Mao Aug 03 '13 at 16:08
  • and possible duplicate of http://stackoverflow.com/q/10110743/586086 – Andrew Mao Aug 03 '13 at 16:09
  • Sigh. Why doesn't SO allow multiple duplicate links to be posted now? – Andrew Mao Aug 03 '13 at 16:09
  • @AndrewMao all these links are just about one thing... securing access to collections... update/insert etc... I am not asking about that. – Lukas Lukac Aug 03 '13 at 16:45
  • This is all done through Meteor's Collection API. Specifically, you can define `Meteor.methods` that run on both the server and client and respect whatever permissions you set or conditions you check for. Please try to understand the API a bit more carefully. – Andrew Mao Aug 04 '13 at 05:15
  • Please check the "answer" for this question to see what I had in mind. – Lukas Lukac Aug 04 '13 at 07:08

1 Answer


Just as you're saying, data stored on the client can be changed unconditionally by the users (if they are evil enough). If you want to restrict the changes the users may do, you have to store the data on the server, and all changes to this data must go via the server, so you can validate if they are legal or not.

The easiest way to do this in Meteor is by using Collections.

Peppe L-G
  • Yes, exactly, this is what I am talking about... I just wanted to make sure myself... so in my shop example... the best way would be to create a collection for it and store it there, yeah? – Lukas Lukac Aug 03 '13 at 18:44
  • To me, that sounds like the best (easiest) way. When the client wants to buy an item, he notifies the server about it, and the server then checks if the user can afford it, and if he does, the server adds the item to the user and subtracts the price from the amount of money the user has. – Peppe L-G Aug 03 '13 at 19:28
  • Yes, that was the plan; I asked the question because I was not sure if there is a better option, because I will use this "trick" more often. Okay, so marking as "answer". Thanks anyway and have a nice day. – Lukas Lukac Aug 03 '13 at 19:33
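The purchase flow described in the answer and its comments (client names an item, server looks up the real price, checks the balance, then deducts and grants), as an added example that is not code from the question or the answer. The catalogue, the player records and the user names are constructed sample data standing in for a server-side collection; the `Meteor.methods` / `Meteor.Error` wiring at the bottom is guarded so the file also runs under plain Node, and the method name `shop.buy` is an assumption.

```javascript
// Server-side purchase validation. The authoritative catalogue lives on the
// server; the client only sends an item name and never a price.

// Server-only price list (constructed sample data). In a Meteor app this file
// would live under /server, so the browser never receives it.
const SHOP_ITEMS = new Map([
  ['soup', 100],
  ['sword', 250],
]);

// Constructed in-memory stand-in for a server-side Players collection.
const players = new Map([
  ['alice', { coins: 300, inventory: [] }],
  ['bob', { coins: 50, inventory: [] }],
]);

// Pure server-side purchase logic: validates the caller, the item and the
// balance, then applies the change. Returns the updated record or throws.
function buyItem(userId, itemName) {
  if (typeof userId !== 'string' || !players.has(userId)) {
    throw new Error('not-logged-in');
  }
  if (typeof itemName !== 'string' || !SHOP_ITEMS.has(itemName)) {
    throw new Error('unknown-item');
  }
  // The price comes from the server's table; anything the client claims is ignored.
  const price = SHOP_ITEMS.get(itemName);
  const player = players.get(userId);
  if (player.coins < price) {
    throw new Error('insufficient-funds');
  }
  player.coins -= price;
  player.inventory.push(itemName);
  return { coins: player.coins, inventory: [...player.inventory] };
}

// Meteor wiring (assumed to be loaded on the server only). Guarded so the
// same file runs stand-alone in Node for the tests below.
if (typeof Meteor !== 'undefined') {
  Meteor.methods({
    // Client side: Meteor.call('shop.buy', 'soup'). Extra arguments such as a
    // client-supplied price are simply not read.
    'shop.buy'(itemName) {
      try {
        return buyItem(this.userId, itemName);
      } catch (e) {
        throw new Meteor.Error(e.message);
      }
    },
  });
}
```

With a real MongoDB-backed collection, do the balance check and the deduction in one update so two concurrent purchases cannot both pass the check against the same balance, e.g. `Players.update({_id: userId, coins: {$gte: price}}, {$inc: {coins: -price}, $push: {inventory: itemName}})` and treat a result of zero updated documents as "insufficient funds".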