Meteor.userId is changeable


Question

Playing around with Meteor, I have found that even with the insecure package removed, the client can change the Meteor.userId function. For example,

Meteor.userId=function() {return "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}

as can be done with Meteor.default_connection.userId() (the redirected function). How do I secure this?

Recommended answer

This is a great question because it shows how the Meteor security model works.

There's no security issue here because Meteor never trusts the client code.

In Meteor, only the server decides what data each client has access to (see Meteor.publish) and what data each client is allowed to change (see Meteor.allow). When a client authenticates to the server, the server stores the user's ID. Until that client logs out, it provides that ID to your Meteor.publish and Meteor.allow functions on the server as userId.

Meteor also sends the user ID down to the client, because of course you want to change how the client behaves and what's on the screen based on who is logged in. And as you say, we can't stop a rogue client from arbitrarily changing any of its JavaScript code to change what it thinks the user ID is! But doing that doesn't give the client any new permissions, because it's still only the server code that makes the security decisions.

You can try this out using the secure parties example application:

  1. Make a parties app with $ meteor create --example parties
  2. Create a user account and double click on the map to create a party. Check the box to make it a private party.
  3. Open the JavaScript console and type Meteor.userId() to get your user's ID.
  4. Log out. The party will disappear from the screen because the server won't publish it to any other user.
  5. Now, go into the console and overwrite Meteor.userId() with a new function that returns the ID you want.

So now you've faked the client into thinking that it's your user. But the server knows better. There still won't be a party on the screen, and you can't update the Parties collection to change that party's information.

In fact, it's completely safe to set the client user ID to anything you want! You can reach right into the accounts system and call Meteor.default_connection.setUserId("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee");. Try it, and you'll see that the login button in the upper right corner turns into an animation. That's because the client is calling Meteor.user() to show the email address of the logged-in user you just set. But because you haven't logged into the server as that user, it's not publishing any information about that user, and you just get the spinny.

This is a very strong security model. You don't have to worry about any of the client code, even though in most apps that's where most of the code lives! As long as you write secure server methods, publish functions, and allow/deny rules, you're completely locked down no matter what the client tries to do.
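An added example, not part of the question or answer above and not Meteor's own code: a small Node.js model of the trust boundary the answer describes. The server binds a userId to a connection at login and uses only that binding in its publish function and methods, the way Meteor.publish and Meteor methods see this.userId on the server. Everything here is hypothetical (createServer, publishParties, updatePartySecure, updatePartyInsecure, the sample parties and the plain-text credential store exist only for this example); the one thing worth copying is the contrast between the secure method, which ignores whatever the client's Meteor.userId() says, and the insecure one, which keys its check on a userId the client passed in as an argument.

```javascript
// Hypothetical stand-in for a Meteor server; not Meteor's code.
function createServer() {
  // Constructed sample data: one private party owned by alice, one public party.
  const parties = [
    { _id: 'p1', owner: 'alice', title: 'Alice private', public: false },
    { _id: 'p2', owner: 'bob',   title: 'Bob public',    public: true  },
  ];
  // Constructed credential store, plain text only to keep the example short.
  const users = { alice: 'alice-secret', bob: 'bob-secret' };
  // The only userId the server ever trusts: the one bound to a connection at login.
  const sessions = new Map(); // connectionId -> userId

  function login(connectionId, username, password) {
    if (users[username] !== password) return false;
    sessions.set(connectionId, username);
    return true;
  }
  function logout(connectionId) { sessions.delete(connectionId); }

  // Publish function: filters on the server-side userId, like Meteor.publish
  // reading this.userId. The client's own Meteor.userId() never enters here.
  function publishParties(connectionId) {
    const userId = sessions.get(connectionId) ?? null;
    return parties.filter(p => p.public || p.owner === userId).map(p => p._id);
  }

  // INSECURE method: authorisation keyed on a userId the client passed as an argument.
  function updatePartyInsecure(connectionId, claimedUserId, partyId, title) {
    const party = parties.find(p => p._id === partyId);
    if (!party || party.owner !== claimedUserId) return false;
    party.title = title;
    return true;
  }

  // SECURE method: authorisation keyed on the session's userId only.
  function updatePartySecure(connectionId, partyId, title) {
    const userId = sessions.get(connectionId) ?? null;
    const party = parties.find(p => p._id === partyId);
    if (!party || userId === null || party.owner !== userId) return false;
    party.title = title;
    return true;
  }

  function partyTitle(partyId) { return parties.find(p => p._id === partyId).title; }

  return { login, logout, publishParties, updatePartyInsecure, updatePartySecure, partyTitle };
}

// The answer's experiment: log in, note Meteor.userId(), log out, then overwrite
// Meteor.userId() on the client with the real ID and see what the server still allows.
function rogueClientScenario() {
  const server = createServer();
  server.login('c1', 'alice', 'alice-secret');
  const realId = 'alice';   // what Meteor.userId() returned while logged in
  server.logout('c1');

  // Client-side override, exactly as in the question.
  const Meteor = { userId: () => realId };

  return {
    visible: server.publishParties('c1'),                       // only the public party
    secureEdit: server.updatePartySecure('c1', 'p1', 'pwned'),  // refused
    titleAfterSecure: server.partyTitle('p1'),                  // unchanged
    // The mistake the answer warns against: a method that believes the client's userId.
    insecureEdit: server.updatePartyInsecure('c1', Meteor.userId(), 'p1', 'pwned'),
  };
}

module.exports = { createServer, rogueClientScenario };
```

Run it with `node -e 'console.log(require("./trust.js").rogueClientScenario())'` (assuming the file is saved as trust.js). With the session gone, the spoofed client sees only the public party and the secure method refuses the edit; the insecure method accepts it, which is what a server-side method that takes `userId` from its arguments instead of `this.userId` looks like in practice.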

