Safe Methods in Meteor


Question


I'm working on a messaging app using Meteor. I disabled any insert/update/remove called from the client for security reasons. The only way to insert messages now is by using Methods.

Meteor.methods({
  sendMessage: function (text) {
    // Only the message text comes from the caller; the user id, room id
    // and display name are looked up inside the method.
    Messages.insert({
      userId: Meteor.userId(),
      roomId: Rooms.findOne()._id,
      name: Meteor.users.find(Meteor.userId()).fetch()[0].profile.name,
      message: text
    });
  }
});


This approach asks only for the content of the message, so there's no way for a user to call the method using another name or try to send the same message to other chat rooms.


I'm a beginner using Meteor, so I wonder: wouldn't the real method (not the stub), which is run on the server, get different values for userId and roomId? Rooms.findOne()._id on the server could be any random room document in the db, and userId could be any user.


If this is the case, I would have to include extra parameters on the function, which would make it much less secure.


I'm probably not understanding about Methods here.

Recommended answer


You are on the right track. Using Rooms.findOne() certainly doesn't make sense on the server, and frankly isn't that good on the client either (if you ever publish more than one room this will break). You need to pass both the message and the room id to your method. The method should validate that the insert makes sense. For example, is this user currently in the room? Assuming that's tracked in room.members, sendMessage could be implemented as follows:

Meteor.methods({
  sendMessage: function(message, roomId) {
    // Reject anything that is not a plain string (objects, arrays, selectors).
    check(message, String);
    check(roomId, String);

    // this.userId is set by the server from the connection, never by the caller.
    if (!this.userId)
      throw new Meteor.Error(401, 'You must be logged in.');

    if (_.isEmpty(message))
      throw new Meteor.Error(403, 'Message must not be empty.');

    // Look the room up by the id the client supplied, then verify membership
    // against server-side data rather than trusting the client.
    var room = Rooms.findOne(roomId);

    if (!room)
      throw new Meteor.Error(404, 'Room not found.');

    if (!_.contains(room.members, this.userId))
      throw new Meteor.Error(403, 'You are not in the room.');

    // Display name comes from the server's own user record.
    var name = Meteor.user().profile.name;

    return Messages.insert({
      userId: this.userId,
      roomId: roomId,
      name: name,
      message: message
    });
  }
});


Not all of these checks may be necessary, but this example should give you an idea of the rich set of validations that a method can provide.
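The validation sequence from the answer, as an added example that is not part of the original answer and does not use Meteor itself: the checks are pulled into a plain function with stand-ins for Meteor.Error, the method context (`this.userId`) and the collections, so each rejection path can be exercised offline against constructed data. The `checkString`, `findRoom`, `findUser` and `insertMessage` names are assumptions for the example; in a real method they would be `check(value, String)`, `Rooms.findOne`, `Meteor.user()` and `Messages.insert`.

```javascript
// Added example, not code from the original question or answer.
// Stand-in for Meteor.Error: the numeric code is exposed as `error`.
class MeteorError extends Error {
  constructor(code, reason) {
    super(reason);
    this.error = code;
    this.reason = reason;
  }
}

// Stand-in (assumption) for `check(value, String)`: rejects anything that is
// not a string, including objects that Mongo would interpret as selectors.
function checkString(value, label) {
  if (typeof value !== 'string') {
    throw new MeteorError(400, 'Match failed: ' + label + ' must be a String');
  }
}

// `ctx` mirrors the method's `this` (userId is set by the server from the
// connection, never supplied by the caller); `db` mirrors the collections.
function sendMessage(ctx, db, message, roomId) {
  checkString(message, 'message');
  checkString(roomId, 'roomId');

  if (!ctx.userId) throw new MeteorError(401, 'You must be logged in.');

  // Slightly stricter than _.isEmpty: whitespace-only messages are rejected too.
  if (message.trim().length === 0) throw new MeteorError(403, 'Message must not be empty.');

  const room = db.findRoom(roomId);
  if (!room) throw new MeteorError(404, 'Room not found.');

  // Authorization decided from server-side membership data, so knowing a
  // room id is not enough to post into it.
  if (!room.members.includes(ctx.userId)) throw new MeteorError(403, 'You are not in the room.');

  const user = db.findUser(ctx.userId);
  return db.insertMessage({ userId: ctx.userId, roomId, name: user.profile.name, message });
}

// Constructed in-memory data standing in for the Rooms, Users and Messages collections.
function makeDb() {
  const rooms = { r1: { _id: 'r1', members: ['alice', 'bob'] }, r2: { _id: 'r2', members: ['carol'] } };
  const users = { alice: { profile: { name: 'Alice' } }, bob: { profile: { name: 'Bob' } }, carol: { profile: { name: 'Carol' } } };
  const messages = [];
  return {
    findRoom: (id) => rooms[id] || null,
    findUser: (id) => users[id],
    insertMessage: (doc) => { messages.push(doc); return 'm' + messages.length; },
    messages,
  };
}

// Runs one call and reports the outcome as a string so the accepted path and
// each rejection can be compared side by side.
function tryCall(ctx, db, message, roomId) {
  try {
    return 'inserted ' + sendMessage(ctx, db, message, roomId);
  } catch (e) {
    if (e instanceof MeteorError) return 'rejected ' + e.error + ': ' + e.reason;
    throw e;
  }
}

function demo() {
  const db = makeDb();
  return [
    tryCall({ userId: 'alice' }, db, 'hello', 'r1'),     // member of r1: accepted
    tryCall({ userId: null }, db, 'hello', 'r1'),        // not logged in
    tryCall({ userId: 'alice' }, db, '   ', 'r1'),       // empty message
    tryCall({ userId: 'alice' }, db, 'hi', 'nope'),      // unknown room
    tryCall({ userId: 'alice' }, db, 'hi', 'r2'),        // not a member of r2
    tryCall({ userId: 'alice' }, db, { $gt: '' }, 'r1'), // wrong type, caught by check
  ];
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo().join('\n'));
```

Running `demo()` prints one line per call: the first is inserted, the remaining five are rejected with the same codes and reasons the answer's method throws. The last case is the reason the `check` calls come first: without them an object such as `{ $gt: '' }` would reach the database as a selector instead of a string.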
