I used the DDP tool against crater.io using the command:
ddp --host crater.io --port 80 subscribe postsList 10
I'm connect to DDP from my terminal, so it's really to crawl the entire website. I can easily build an API and suck data in real-time. I'm subscribing to postLists
outside the browser, the place where it's supposed to be subscribed from. If a subscription takes place outside the browser, I want to block it!
If the subscription uses this.userId
to check for login is ok but a website like crater.io doesn't ask a login to show you the most recent posts, It makes no sense to ask for a login for some subscriptions.
We're offering competitors free real-time updates of our database.
This makes crawling a much easier task and you get real-time updates for free. How can I detect that a subscription/method is not being called from the browser that loaded the entire Meteor application?
You can't, this is basically the way Meteor was designed to work.
Besides, anything that's publicly accessible online is also inherently crawlable. So this is a bit like asking how you can publish a page online, but prevent people from downloading its content with
curl
.