I'm actually creating my first app using meteor, in particular using angular 2. I've experience with Angular 1 and 2, so based on it. I've some points of concern...
Let's imagine this scenario...My data stored on MongoDb:
Collection: clients
{
name : "Happy client",
password : "Something non encrypted",
fullCrediCardNumber : "0000 0000 0000 0000"
}
Now, on my meteor client folder, I've this struncture...
collection clients.ts (server folder)
export var Clients = new Mongo.Collection('clients');
component client.ts (not server folder)
import {Clients} from '../collections/clients.ts';
class MyClients {
clients: Array<Object>;
constructor(zone: NgZone) {
this.clients = Clients.find();
}
}
..and for last: the html page to render it, but just display the name of the clients:
<li *ngFor="#item of clients">
{{client.name}}
</li>
Ok so far. but my concern is: In angular 1 & 2 applications the component or controller or directive runs on the client side, not server side.
I set my html just to show the name of the client. but since it's ah html rendering, probably with some skill is pretty easy to inject some code into the HTML render on angular to display all my fields.
Or could be easy to go to the console and type some commands to display the entire object from the database collection.
So, my question is: How safe meteor is in this sense ? Does my concerns correct ? Is meteor capable to protect my data , protect the name of the collections ? I know that I can specify on the find() to not bring me those sensitive data, but since the find() could be running not on the server side, it could be easy to modify it on the fly, no ?
Anyway...I will appreciate explanations about how meteor is safe (or not) in this sense.
ty !
You can protect data by simply not publishing any sensitive data on the server side.
Meteor.publish("my-clients", function () {
return Clients.find({
contractorId: this.userId // Publish only the current user's clients
}, {
name: 1, // Publish only the fields you want the browser to know of
phoneNumber: 1
});
});
This example only publishes the name and address fields of the currently logged in user's clients, but not their password or fullCreditCardNumber.
Another good example is the Meteor.users collection. On the server it contains all user data, login credentials, profiles etc. for all users. But it's also accessible on the client side. Meteor does two important things to protect this very sensitive collection:
By default it only publishes one document: the user that's logged in. If you type Meteor.users.find().fetch() into the browser console, you'll only see the currently logged in user's data, and there's no way on the client side to get the entire MongoDB users collection. The correct way to do this is to restrict the amount of published documents in your Meteor.publish function. See my example above, or 10.9 in the Meteor publish and subscribe tutorial.
Not the entire user document gets published. For example OAuth login credentials and password hashes aren't, you won't find them in the client-side collection. You can always choose which part of a document gets published, a simple way to do that is using MongoDB projections, like in the example above.
Related
In my Meteor app I get array of object from HTTP POSTand I would like to use data in another page I use Session set and Session get with out any problem expet Session will distroy upon page refresh there for I use some package like:smeevil:session-store & amplify to persist session and couple more but regarding data is big I get qouta exceed error is there anyway elese to prevent Session destroy of refresh or time outfor session?
all problem is from client side and browser console .there is nothing in server side
search_id:"3mlejmn7chmvvfweabjopfrsvm"
$$hashKey:"object:442"
address:"1216/1 Charoean Krung Road Bangkok 10500 Charoean Krung Road"
category:2.5
city_code:"C!000864"
country:"TH"
fullRate:7.19
geolocation:
latitude:13.725711
longitude:100.515984
__proto__:
Object
hotel_code:"H!0262688"
images:
main_image:"hotels/images/1a/a9/1aa9da341f7c3560f2d1f73e9bcbf67a7a45918c.jpg"
__proto__:
Object
name:"New Road Guest House"
rates:Array(14)[another arrays]
this is sample of data that return from http and each time its between 100 to 650 set of these information and if user want to change each parameter of search it will update and again new set of data will return and its not just 1 source for data but 3-4 source
mean while I try to define minimongo client side collection but it will be flash and empty after each browser refresh as well
PS: I use angular inside Meteor
Thanks for any idea
I am attempting to send back to the sever the user information from satellizer.
I believe the call is as per this url:
https://github.com/sahat/satellizer#authauthenticatename-userdata
$auth.authenticate(name, [userData])
However when I use it :
$auth.authenticate('facebook', ['userData'])
my sever receives :
{ '0': 'userData',
code: 'AQB8ofHRuC',
clientId: '1625070294abcdef',
redirectUri: 'http://localhost:3000/' }
instead of actually receiving the userData.. what am i missing here ?
[userdata] is a kind of custom data, this means that you can put in it your data (some values). When you put $auth.authenticate('facebook', ['userData']) you put an array with one string element 'userData'. I think that it make sens to grab info on server by uid.
UPDATE
I found recent a link
https://github.com/sahat/satellizer/blob/master/examples/server/node/server.js#L537. You can translate node js code in your server programming language code.
I've been going through the rules guide but haven't found an answer to this.
App users are able to submit "scores" of different types, which are then processed in JS and written to a "ranking" node. I have it set up so that every time a new score is submitted, the rankings are automatically recalculated and a new child is written if the user doesn't exist or updated if the user exists.
My question is how to secure this "ranking" node. Everyone should be able to read it, nobody except the system should be able to write it. This would prevent people from submitting their own rankings and aggregate scores.
EDIT
This is the operation:
Ref.child('rankings').child(uid).once('value', function (snapshot) {
if (snapshot.exists()) {
snapshot.ref().update(user); //user object created upstream
} else {
var payload = {};
payload[uid] = user;
snapshot.ref().parent().update(payload);
}
});
How would I add custom authentication to this call? Also, since I'm using AngularJS, is there any way to hide this custom token or would I have to route it through a backend server?
The key part of your problem definition is:
only the system should be able to write it.
This requires that you are able to recognize "the system" in your security rules. Since Firebase security is user-based, you'll have to make your "system" into a user. You can do this by either recording the uid from a regular user account or by minting a custom token for your "system".
Once you have that, the security for your ranking node becomes:
".read": true,
".write": "auth.uid == 'thesystem'"
In the above I assume you mint a custom token and specify thesystem as the uid.
Let's assume we create a new model class an instanciate a person using it:
var User = Backbone.Model.extend({
urlRoot: '/user'
});
var nou = new User({
name: "nourdine"
});
Now, of course, we want to persist it. Not having added an id backbone will create a POST request and communicate the server the intention to create an entity under /user containing the data {name: "nourdine"}. Here's how we do it:
nou.save(null, {
success: function (model, response, options) {
// ... what do I do here?
}
})
The server will now create a record in the db containing the JSON data rearranged in some form and assign an ID to it. NOW:
1 - What is the server suppose to return in the HTTP response? A JSON containing the JSON provided by the clinet + the newly created fields, namely the ID of the new record?
2 - who is going to update the model in the client with these data? Me? Matter of fact I would like to tell the model in the client that a new ID has been assign to it by the server so that the next time I do user.save() I will obtain a PUT rather than a POST. But who is supposed to update the model in the client?
Thanks
so this is my work flow for this
client -> create model and populate with data
client -> save model (model.save())
server -> create server side version of model using data, assign an id
server -> respond with success and the id of the newly created model
client -> in the success set the id to the one passed back
now the only potential issue i have with my work flow is if something did not get set in the server successfully but the model was still created, my client model would not reflect that of the server anymore, but i minimize this by returning error if the model could not be created exactly as passed.
And now i am able to call model.save() again this time having the id so initiating a PUT request
From the documentation to a Backbone.Model
After a successful server-side save, the client is (optionally) updated with the server-side state.
So if you return a valid JSON your model will be updated automatically
I am using iOS 6 Social framework for accessing user's Facebook data. I am trying to get likes of the current user within my app using ACAccount and SLRequest. I have a valid Facebook account reference of type ACAccount named facebook, and I'm trying to get user's likes this way:
SLRequest *req = [SLRequest requestForServiceType:SLServiceTypeFacebook requestMethod:SLRequestMethodGET URL:url parameters:nil];
req.account = facebook;
[req performRequestWithHandler:^(NSData *responseData, NSHTTPURLResponse *urlResponse, NSError *error) {
//my handler code.
}
where url is #"https://graph.facebook.com/me/likes?fields=name"; In my handler, I'm getting this response:
{
error = {
code = 2500;
message = "An active access token must be used to query information about the current user.";
type = OAuthException;
};
}
Shouldn't access tokens be handled by the framework? I've found a similar post Querying Facebook user data through new iOS6 social framework but it doesn't make sense to hard-code an access token parameter into the URL, as logically the access token/login checking should be handled automatically by the framework. In all examples that I've seen around no one plays with an access token manually:
http://damir.me/posts/facebook-authentication-in-ios-6
iOS 6 Facebook posting procedure ends up with "remote_app_id does not match stored id" error
etc.
I am using the iOS6-only approach with the built in Social framework, and I'm not using the Facebook SDK. Am I missing something?
Thanks,
Can.
You need to keep a strong reference to the ACAccountStore that the account comes from. If the store gets deallocated, it looks like it causes this problem.
Try running on an actual device instead of a simulator. This worked for me.
Ensure that your bundle id is input into your Facebook app's configuration. You might have a different bundle id for your dev/debug build.