There are multiple ways for entering the Meteor application

      • Meteor Methods RPC
      • Meteor Subscribe
      • Meteor WebApp
      • Customisation of meteor via Express/Restivus etc.

Here I will be discussing a common problem that we face.

      1. Authorisation for each RPC and Subscribe.
      2. Whitelist of system is default in Meteor.
      3. Developer may miss on the Authorisation.
      4. Code review is tougher to scan in multiple files for authorisation.

The cross cutting concerns across the application calls for a single point of authentication as well as authorisation. This can also be extended for:

      1. Logging.
      2. Performance monitoring.
      3. Request sanitisation etc.

Extend Meteor Methods and Publish Framework

security.js

    let authMethodConfig = {  
      'addEmployee' : ['director']
    }
    let authPublishConfig = {  
     'getEmployee' : ['director']
    }

    // get the user and check his role and permissions for RPC
    function authCheckMethod(methodName, user) {  
      let role = user ? user.role : 'guest'
      if(!(_.contains(authMethodConfig[methodName], role))){
        throw new Meteor.Error("unauthorized", "The user is not authorized");
      }
    }

    // get the user and check his role and permissions then allow him subscribe
    function authCheckPublish(publishName, userId) {  
      let user = Meteor.users.findOne({_id:userId}, {role: 1})
      let role = user ? user.role : 'guest'
      if(!(_.contains(authPublishCongig[publishName], role))){
        throw new Meteor.Error("unauthorized", "The user is not authorized");
      }
    }

    let oldMeteorMethods = Meteor.methods  
    Meteor.methods = function(methods) {  
      _.each(methods, function(func, name) {
        let newfunc = function(...args) {
          let user = Meteor.user()
          authCheckMethod(name,user)
          return func.apply(this, arguments)
        }
        let obj = {}
        obj[name] = newfunc
        oldMeteorMethods(obj)
      })
    }

    let oldMeteorPublish = Meteor.publish  
    Meteor.publish = function(name, handler, options) {  
      let newHandler = function(...args) {
        let userId = this.userId
        let self = this
        authCheckPublish(name,userId)
        return handler.apply(this, arguments)
      }
      oldMeteorPublish(name, newHandler, options)
    }

With the above code, we have introduced an additional layer of security and each method or publish information is blacklisted by default, unless we specify which role has access.

The above security.js should be part of Meteor startup folder (or one of the earliest loaded files).

Faiz

CEO, NeoITO, Serial entrepreneur and investor. He writes about technology, startups, and entrepreneurship. When not working, Faiz can be seen playing soccer with his friends.

Subscribe to our newsletter

Submit your email to get all the top blogs, insights and guidance your business needs to succeed!

"*" indicates required fields

Name
This field is for validation purposes and should be left unchanged.

Related Blogs

FAQs on startup product development
8 min read - Sep 26, 2022

20 Product Development FAQs to Remember in 2023

These handpicked FAQs are expert answers to the most prominent questions in the minds of entrepreneurs.

Gokul

Posts by this author
9 min read - Mar 21, 2022

Top 10 Agile Estimation Techniques for Software Projects

Agile planning has been better planning for software projects. Learn about 10 agile estimation techniques and find out which suits...

Karthika G L

Posts by this author
6 min read - Dec 07, 2020

A Step-by-Step Guide to Build a Minimum Viable Product (MVP)

An MVP is the best way to understand your product’s market need. And this blog will guide you on how...

Abhirami

Posts by this author
Let’s Talk

Start your digital transformation Journey with us now!

Waitwhile has seen tremendous growth scaling our revenues by 5X and tripling our number of paid customers.

Christoffer Klemming
Founder & CEO at Waitwhile

Back to Top