Can I avoid serving all js to clients not logged in?


Question


When building a Meteor app, is it possible to NOT serve/load all generated javascript to the client, until the user is authenticated?


I would be happier if nobody could see my templates, models, helpers etc...


Clarification:
This is not about putting stuff under /server, or doing the right thing with pub/sub.
It is about not sending more than necessary to unauthenticated users, not because it is a security risk, but simply to hide as much as possible from the world.

Recommended answer


I'm pretty sure it's not possible to selectively load scripts within a Meteor app at this time. The one exception is that you can protect any sensitive code by putting it in the /server directory (which does not get sent to the client) and lock down data as @Patrick Coffey suggested (also making use of Meteor methods). If you do this, you don't have to reveal your full model schema, authentication rules, or sensitive algorithms to the client, and you can tightly control which records and even fields of records are visible to the client. It works well, and you can choose the level of convenience/performance vs. security you want by how open-ended you make your API.


If your templates and helpers are sensitive, you'll have to wait until server-side rendering is introduced (it's on the roadmap) or cook up your own solution without Meteor's help, but I think there may be a reason to look a little deeper at the question. The premise of your concern appears to be that authenticated users will somehow be more trustworthy than non-authenticated users, but in most situations (even inside a company), there is a likelihood of there being users that are also untrustworthy – or users whose accounts get hacked - and these people will always have access to anything you send to the browser. So from that perspective, it makes sense to be sure you don't put important secrets in templates or client-side code regardless. For most apps, though, templates and helpers will not be sensitive, and if you set up your server well, hacked templates won't be able to access anything that normal templates can't.
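As an added illustration of the server-side gating the answer describes (this is example code written for this page, not part of the original answer and not Meteor's own code): in a real Meteor app the publish and method bodies below would sit under /server inside Meteor.publish(...) and Meteor.methods(...), with this.userId supplied by Meteor and the data coming from a Mongo.Collection. Here userId is passed in explicitly, the collection is a constructed in-memory array, and the names publishMyDocuments, scoreDocument, project and CLIENT_FIELDS are my own, so the file runs as plain Node without Meteor.

```javascript
// Added example (not from the original answer): a plain-Node model of the
// server-side gating pattern the answer recommends. Assumptions: userId is
// passed in explicitly (Meteor would supply this.userId), and the
// "collection" is a constructed in-memory array, not a Mongo.Collection.

// Constructed sample data standing in for a server-only collection. The
// internalScore field and the scoring logic below never leave the server.
const documents = [
  { _id: "d1", ownerId: "u1", title: "Roadmap", body: "q3 plan", internalScore: 0.91 },
  { _id: "d2", ownerId: "u2", title: "Budget",  body: "numbers", internalScore: 0.42 },
  { _id: "d3", ownerId: "u1", title: "Notes",   body: "scratch", internalScore: 0.05 },
];

// Explicit allow-list of fields the client may ever see; the equivalent of
// the { fields: { ... } } projection you would put on a publish cursor.
const CLIENT_FIELDS = ["_id", "ownerId", "title", "body"];

// Return a copy of doc containing only the allow-listed fields.
function project(doc, fields) {
  const out = {};
  for (const f of fields) {
    if (Object.prototype.hasOwnProperty.call(doc, f)) out[f] = doc[f];
  }
  return out;
}

// Equivalent of Meteor.publish("myDocuments", function () { ... }) on the
// server: an anonymous client gets nothing (the publish would call
// this.ready() without returning a cursor), a logged-in client gets only its
// own records, and only the allow-listed fields of those.
function publishMyDocuments(userId) {
  if (!userId) return [];
  return documents
    .filter((d) => d.ownerId === userId)
    .map((d) => project(d, CLIENT_FIELDS));
}

// Equivalent of a server-side Meteor method. The "sensitive algorithm" runs
// here against the hidden field; the client only receives the result, and
// only for a record it owns. Arguments are validated before use (what the
// check() package does in Meteor) because the client controls them.
function scoreDocument(userId, docId) {
  if (!userId) throw new Error("not-authorized");
  if (typeof docId !== "string") throw new Error("bad-argument");
  const doc = documents.find((d) => d._id === docId && d.ownerId === userId);
  // Same error for "does not exist" and "not yours", so an authenticated
  // user cannot probe for other users' document ids.
  if (!doc) throw new Error("not-found");
  return Math.round(doc.internalScore * 100);
}
```

Read against the answer: an anonymous client receives no documents at all, a logged-in client receives only its own records with internalScore stripped, and the scoring logic is reachable only through the method, which refuses anonymous callers and documents the caller does not own. Whatever the client-side templates and helpers look like, nothing they contain lets them reach past these two functions.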

