Meteor.userId is changeable


Problem description

Playing around with Meteor, I have found that even with the insecure package removed, the client can change the Meteor.userId function. For example,

Meteor.userId=function() {return "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}

as can be done with Meteor.default_connection.userId() (the redirected function). How do I secure this?

Recommended answer

This is a great question because it shows how the Meteor security model works.

There's no security issue here because Meteor never trusts the client code.

In Meteor, only the server decides what data each client has access to (see Meteor.publish) and what data each client is allowed to change (see Meteor.allow). When a client authenticates to the server, the server stores the user's ID. Until that client logs out, it provides that ID to your Meteor.publish and Meteor.allow functions on the server as userId.

Meteor also sends the user ID down on the client, because of course you want to change how the client behaves and what's on the screen based on who is logged in. And as you say, we can't stop a rogue client from arbitrarily changing any of its JavaScript code to change what it thinks the user ID is! But doing that doesn't give the client any new permissions, because it's still only the server code that makes the security decisions.

You can try this out using the secure parties application:

  1. Make a parties app with $ meteor create --example parties
  2. Create a user account and double click on the map to create a party. Check the box to make it a private party.
  3. Open the JavaScript console and type Meteor.userId() to get your user's ID.
  4. Log out. The party will disappear from the screen because the server won't publish it to any other user.
  5. Now, go into the console and overwrite Meteor.userId() with a new function that returns the ID you want.

So now you've faked the client to think that it's your user. But the server knows better. There still won't be a party on the screen, and you can't update the Parties collection to change that party information.

In fact, it's completely safe to set the client user ID to anything you want! You can reach right into the accounts system and call Meteor.default_connection.setUserId("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee");. Try it, and you'll see that the login button in the upper right corner turns into an animation. That's because the client is calling Meteor.user() to show the email address of the logged in user you just set. But because you haven't logged into the server as that user, it's not publishing any information about that user and you just get the spinny.

This is a very strong security model. You don't have to worry about any of the client code, even though in most apps that's where most of the code lives! As long as you write secure server methods, publish functions, and allow/deny rules, you're completely locked down no matter what the client tries to do.
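The point of the answer, as an added example that is not part of the original post or of Meteor itself: a plain-JavaScript model in which the server keeps its own connection-to-user session table and the publish and allow checks read only that table, so a client that overwrites its local Meteor.userId() changes nothing. The names publishParties, allowUpdate, serverLogin, serverLogout and rogueClient are hypothetical stand-ins for Meteor.publish, Meteor.allow and the accounts system, and the party records are constructed sample data.

```javascript
// Constructed sample data: one public party and one private party, both owned by "alice".
const parties = [
  { _id: "p1", owner: "alice", public: true,  title: "Open house" },
  { _id: "p2", owner: "alice", public: false, title: "Private dinner", invited: [] },
];

// Server-side session store: connection id -> userId. Only a real login writes to it;
// nothing the client says about its own userId ever reaches this table.
const sessions = new Map();
function serverLogin(connectionId, userId) { sessions.set(connectionId, userId); }
function serverLogout(connectionId) { sessions.delete(connectionId); }

// Stand-in for a Meteor.publish("parties") function (hypothetical name). The userId it
// uses is the one the server stored for this connection, exactly as this.userId would be.
function publishParties(connectionId) {
  const userId = sessions.get(connectionId) || null;
  return parties.filter(p =>
    p.public || p.owner === userId || (p.invited || []).includes(userId));
}

// Stand-in for a Meteor.allow update rule (hypothetical name): only the owner may edit.
function allowUpdate(connectionId, partyId) {
  const userId = sessions.get(connectionId) || null;
  const party = parties.find(p => p._id === partyId);
  return Boolean(party && userId && party.owner === userId);
}

// A client that overwrites its local Meteor.userId(), as in the question. Whatever it
// believes, the server is only ever asked by connection id.
function rogueClient(connectionId, claimedUserId) {
  const Meteor = { userId: () => null };          // local stand-in for the client object
  Meteor.userId = function () { return claimedUserId; };  // the override from the question
  return {
    believes: Meteor.userId(),
    sees: publishParties(connectionId).map(p => p._id),
    canEditPrivate: allowUpdate(connectionId, "p2"),
  };
}

// Walk through the steps of the answer: log in as alice, log out, then fake being alice.
function demo() {
  serverLogin("conn-1", "alice");
  const loggedIn = rogueClient("conn-1", "alice");  // real session: sees both parties
  serverLogout("conn-1");
  const faked = rogueClient("conn-1", "alice");     // no session: only the public party
  return { loggedIn, faked };
}
```

The faked client still reports "alice" from its own Meteor.userId(), but the server publishes only the public party to it and refuses the update, which is the behaviour the answer describes.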
