Meteor – How safe is it?

I’m actually creating my first app using Meteor, in particular using Angular 2. I have experience with Angular 1 and 2, so based on that, I have some points of concern…

Let’s imagine this scenario… my data stored on MongoDB:

Collection: clients

 {
  name : "Happy client",
  password : "Something non encrypted",
  fullCreditCardNumber : "0000 0000 0000 0000"
 }

Now, in my Meteor client folder, I have this structure…

collection clients.ts (server folder)

 import { Mongo } from 'meteor/mongo';

 // Collection handle; the same declaration works on server and client
 export var Clients = new Mongo.Collection('clients');

component client.ts (not in the server folder)

 import { NgZone } from 'angular2/core';
 import { Clients } from '../collections/clients';

 class MyClients {
   clients: Mongo.Cursor<Object>;
   constructor(zone: NgZone) {
     // Reactive cursor over whatever the server has published to this browser
     this.clients = Clients.find();
   }
 }

…and finally: the HTML page to render it, which just displays the name of the clients:

 <li *ngFor="#item of clients">{{item.name}}</li>

OK so far. But my concern is: in Angular 1 & 2 applications the component or controller or directive runs on the client side, not the server side.

I set my HTML just to show the name of the client. But since it’s an HTML rendering, probably with some skill it’s pretty easy to inject some code into the HTML render on Angular to display all my fields.

Or it could be easy to go to the console and type some commands to display the entire object from the database collection.

So, my question is: how safe is Meteor in this sense? Are my concerns correct? Is Meteor capable of protecting my data, protecting the names of the collections? I know that I can specify on the find() not to bring me those sensitive data, but since the find() could be running not on the server side, it could be easy to modify it on the fly, no?

Anyway… I would appreciate explanations about how Meteor is safe (or not) in this sense.

ty!

Comment by Jason:

You can protect data by simply not publishing any sensitive data on the server side.

 Meteor.publish("my-clients", function () {
   return Clients.find(
     { contractorId: this.userId },          // Publish only the current user's clients
     { fields: { name: 1, phoneNumber: 1 } } // Publish only the fields you want the browser to know of
   );
 });

This example only publishes the name and address fields of the currently logged in user’s clients, but not their password or fullCreditCardNumber. Another good example is the Meteor.users collection. On the server it contains all user data, login credentials, profiles etc. for all users. But it’s also accessible on the…
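The publication in the comment above is the whole security boundary: the browser's minimongo only ever holds what the server emitted, so a modified client-side find() can filter that set but never widen it. The stand-alone JavaScript model below (added here, not code from the original post or from Meteor) reproduces that pipeline without the Meteor runtime; publishClients, autopublishClients, projectFields, leakedFields and the sample records are all constructed for illustration.

```javascript
// Constructed sample data standing in for the MongoDB "clients" collection.
const CLIENTS_DB = [
  { _id: 'c1', contractorId: 'u1', name: 'Happy client',
    password: 'Something non encrypted', fullCreditCardNumber: '0000 0000 0000 0000' },
  { _id: 'c2', contractorId: 'u2', name: 'Other client',
    password: 'also plain', fullCreditCardNumber: '1111 1111 1111 1111' },
];

// Fields that must never reach a browser, whatever the client-side code does.
const NEVER_PUBLISH = ['password', 'fullCreditCardNumber'];

// Mongo-style inclusion projection (the `fields` option of find()): keep only
// the listed top-level fields, plus _id, which Mongo includes by default.
function projectFields(doc, fields) {
  const out = { _id: doc._id };
  for (const key of Object.keys(fields)) {
    if (fields[key] === 1 && key in doc) out[key] = doc[key];
  }
  return out;
}

// Server side: what a Meteor.publish("my-clients") handler like the one in the
// comment would send to the browser of `userId`. Selector and field list live
// here, where the browser cannot edit them.
function publishClients(db, userId) {
  return db
    .filter(doc => doc.contractorId === userId)
    .map(doc => projectFields(doc, { name: 1, phoneNumber: 1 }));
}

// The failure mode: Meteor's `autopublish` package (present in new projects)
// ships every document of every collection, with every field, to every client.
function autopublishClients(db) {
  return db.map(doc => ({ ...doc }));
}

// Defender's check, suitable as a server-side test: which forbidden fields,
// if any, appear anywhere in what a publication emits.
function leakedFields(published) {
  const leaked = new Set();
  for (const doc of published) {
    for (const field of NEVER_PUBLISH) if (field in doc) leaked.add(field);
  }
  return [...leaked].sort();
}
```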