TechQA.

Validate Subscription/Methods Origin

92 views Asked by At

I used the DDP tool against crater.io using the command:

ddp --host crater.io --port 80 subscribe postsList 10

I'm connect to DDP from my terminal, so it's really to crawl the entire website. I can easily build an API and suck data in real-time. I'm subscribing to postLists outside the browser, the place where it's supposed to be subscribed from. If a subscription takes place outside the browser, I want to block it!

If the subscription uses this.userId to check for login is ok but a website like crater.io doesn't ask a login to show you the most recent posts, It makes no sense to ask for a login for some subscriptions.

We're offering competitors free real-time updates of our database.

This makes crawling a much easier task and you get real-time updates for free. How can I detect that a subscription/method is not being called from the browser that loaded the entire Meteor application?

security meteor publish-subscribe ddp
Original Q&A
2

There are 2 answers

2
Sacha On

You can't, this is basically the way Meteor was designed to work.

Besides, anything that's publicly accessible online is also inherently crawlable. So this is a bit like asking how you can publish a page online, but prevent people from downloading its content with curl.

0
rogeriojlle On

try this:

Meteor.methods({
  MySecureMethod : function(){
    if(this.connection.clientAddress !== 'xxx.xxx.xxx.xxx'){
      throw new Meteor.Error('conexão DDP não permitida para esse host');
    }
  }
});

Related Questions in SECURITY

Related Questions in METEOR

Related Questions in PUBLISH-SUBSCRIBE

Related Questions in DDP

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions