Validate Subscription/Methods Origin


I used the DDP tool against crater.io using the command:

ddp --host crater.io --port 80 subscribe postsList 10

I'm connected to DDP from my terminal, so it's really easy to crawl the entire website. I can easily build an API and suck data in real-time. I'm subscribing to postsList outside the browser, the place where it's supposed to be subscribed from. If a subscription takes place outside the browser, I want to block it!

If the subscription uses this.userId to check for login, that is OK, but a website like crater.io doesn't ask for a login to show you the most recent posts. It makes no sense to ask for a login for some subscriptions.

We're offering competitors free real-time updates of our database.

This makes crawling a much easier task and you get real-time updates for free. How can I detect that a subscription/method is not being called from the browser that loaded the entire Meteor application?

2

There are 2 answers

2
Sacha On

You can't, this is basically the way Meteor was designed to work.

Besides, anything that's publicly accessible online is also inherently crawlable. So this is a bit like asking how you can publish a page online, but prevent people from downloading its content with curl.

0
rogeriojlle On

try this:

Meteor.methods({
  MySecureMethod : function(){
    // this.connection is null when the method is called from server code,
    // so it must be checked before reading clientAddress. clientAddress is the
    // TCP peer address; behind a reverse proxy it is the proxy's address unless
    // HTTP_FORWARDED_COUNT is set. Fail closed: no known client address, no access.
    if(!this.connection || this.connection.clientAddress !== 'xxx.xxx.xxx.xxx'){
      throw new Meteor.Error('conexão DDP não permitida para esse host');
    }
  }
});
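As an added example (not code from either answer), the address check above generalised into a helper that works from both Meteor.methods and Meteor.publish, handles the case where this.connection is null (a method called from server code), and records the User-Agent sent on the DDP handshake so that non-browser subscribers show up in the logs. It assumes Meteor's this.connection exposes clientAddress and httpHeaders (it does); the allow-list, the Posts collection and the sample connection objects are constructed for illustration.

```javascript
// `connection` is Meteor's `this.connection` (null for server-side calls). It
// exposes `clientAddress` and `httpHeaders` from the initial HTTP request.
function checkOrigin(connection, allowedAddresses) {
  if (!connection) {
    // Meteor.call() from server code: there is no DDP peer to check.
    return { allowed: true, reason: 'server-side call' };
  }
  const addr = connection.clientAddress;
  // Caveat: behind a reverse proxy clientAddress is the proxy's address unless
  // HTTP_FORWARDED_COUNT is set, and X-Forwarded-For is client-controlled beyond
  // the trusted proxies, so this is a coarse control, not proof of a browser.
  if (!allowedAddresses.includes(addr)) {
    return { allowed: false, reason: 'address not allowed: ' + addr };
  }
  return { allowed: true, reason: 'ok' };
}

// For logging only: classify the DDP client by the User-Agent it sent on the
// handshake. Non-browser DDP clients often send none. The header is spoofable,
// so use it for detection and rate decisions, never as the sole gate.
function describeClient(connection) {
  const headers = (connection && connection.httpHeaders) || {};
  const ua = headers['user-agent'];
  if (!ua) return 'no-user-agent';
  return /Mozilla\//.test(ua) ? 'browser-like' : 'non-browser';
}

// Wiring, only when running inside Meteor (the guard keeps the file runnable
// stand-alone in Node for the checks below).
if (typeof Meteor !== 'undefined') {
  const ALLOWED = ['127.0.0.1'];                     // constructed allow-list
  Meteor.publish('postsList', function (limit) {
    const verdict = checkOrigin(this.connection, ALLOWED);
    console.log('postsList subscribe', describeClient(this.connection), verdict.reason);
    if (!verdict.allowed) throw new Meteor.Error('origin-denied', verdict.reason);
    return Posts.find({}, { limit: limit });          // Posts: assumed collection
  });
}
```

Sacha's point still stands: anything served to anonymous browsers can be fetched by other clients, so treat this as a way to see and throttle non-browser subscribers rather than a way to stop them.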