How can I prevent spoofing of userIDs when creating a document using Meteor and the user-accounts package by verifying the user making the request on the server side?
Here, I add userID to the createdBy field of my workouts entity, but wouldn't a malicious actor be able to choose whatever userID he or she wants?
In lib/collections/workouts.js
Workouts = new Mongo.Collection('workouts');

// Workouts Schema
Workouts.attachSchema(new SimpleSchema({
  name: {
    type: String,
    label: 'Name',
    max: 100,
    optional: true
  },
  date: {
    type: Date, // SimpleSchema expects the Date constructor, not `new Date()`
    label: 'Date'
  },
  feeling: {
    type: Number,
    label: 'Feeling',
    min: 0,
    max: 5,
    decimal: false
  },
  notes: {
    type: String,
    label: 'Notes',
    optional: true
  },
  // Arrays of IDs should be prefixed with a '_'
  _sets: {
    type: [String],
    label: 'Sets',
    optional: true
  }
}));

// Helpers
Workouts.helpers({
  sets: function() {
    return Sets.find({ _id: { $in: this._sets } });
  }
});

// Hooks
Workouts.before.insert(function(userId, doc) {
  doc.createdBy = userId;
});

// Allow rules for client-side writes (server only)
if (Meteor.isServer) {
  Workouts.allow({
    insert: function (userId, doc) {
      return true;
    },
    update: function (userId, doc, fieldNames, modifier) {
      return true;
    },
    remove: function (userId, doc) {
      return true;
    }
  });
}
In client/templates/workouts/create_workout/create_workout.html
<template name="createWorkout">
  <h1>Create Workout</h1>
  {{# autoForm collection="Workouts" doc=this id="editWorkoutForm" type="insert"}}
    {{> afQuickField name="name"}}
    {{> afQuickField name="date"}}
    {{> afQuickField name="feeling"}}
    {{> afQuickField name="notes" rows=5}}
    <button type="submit" class="btn btn-primary">Insert</button>
  {{/autoForm}}
</template>
I'm using the following packages:
accounts-password 1.1.4 Password support for accounts
aldeed:autoform 5.8.1 Easily create forms with automatic insert ...
aldeed:collection2 2.8.0 Automatic validation of insert and update ...
aldeed:delete-button 2.0.0 Provides a delete button UI component
aldeed:simple-schema 1.5.3 A simple schema validation object with rea...
blaze-html-templates 1.0.1 Compile HTML templates into reactive UI wi...
dburles:collection-helpers 1.0.4 Transform your collections with helpers th...
ecmascript 0.1.6* Compiler plugin that supports ES2015+ in a...
es5-shim 4.1.14 Shims and polyfills to improve ECMAScript...
iron:router 1.0.12 Routing specifically designed for Meteor
jquery 1.11.4 Manipulate the DOM using CSS selectors
matb33:collection-hooks 0.8.1 Extends Mongo.Collection with before/after...
meteor-base 1.0.1 Packages that every Meteor app needs
mobile-experience 1.0.1 Packages for a great mobile user experience
mongo 1.1.3 Adaptor for using MongoDB and Minimongo ov...
session 1.1.1 Session variable
standard-minifiers 1.0.2 Standard minifiers used with Meteor apps b...
tracker 1.0.9 Dependency tracker to allow reactive callb...
twbs:bootstrap 3.3.6 The most popular front-end framework for d...
Instead of using hooks, you can use the autoValue feature of simple-schema. Your code snippet will be something like this.
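The following is an added example, not code from the asker or the answerer, of what a server-trusted createdBy field looks like with simple-schema's autoValue plus an ownership check for the allow rules. The context object (userId, isInsert, isUpdate, isUpsert, isFromTrustedCode, unset) mirrors what aldeed:simple-schema with collection2 binds as `this` inside autoValue; the helper names and the small runAutoValue stand-in are assumptions so the logic can be exercised outside Meteor.

```javascript
// createdBy autoValue: the value always comes from the userId the server
// attached to the DDP connection, never from the submitted document.
function createdByAutoValue() {
  if (this.isInsert) {
    return this.userId;                     // server-known user on insert
  }
  if (this.isUpsert) {
    return { $setOnInsert: this.userId };   // same rule for upserts
  }
  if (!this.isFromTrustedCode) {
    this.unset();                           // strip a client $set of createdBy
  }
  return undefined;                         // trusted server code may set it
}

// Field definition to add to the Workouts schema (assumed name: createdByField).
const createdByField = {
  type: String,
  label: 'Created by',
  autoValue: createdByAutoValue
};

// Ownership rule for the allow() block: only the creator may update or
// remove a workout, and an update may never touch createdBy.
function ownsWorkout(userId, doc) {
  return !!userId && doc.createdBy === userId;
}
function updateAllowed(userId, doc, fieldNames) {
  return ownsWorkout(userId, doc) && fieldNames.indexOf('createdBy') === -1;
}

// Stand-in for the simple-schema call so the autoValue can be run here:
// returns the value the field would get and whether unset() was invoked.
function runAutoValue(ctx) {
  let unsetCalled = false;
  const self = Object.assign(
    { isInsert: false, isUpdate: false, isUpsert: false,
      isFromTrustedCode: false, userId: null },
    ctx,
    { unset() { unsetCalled = true; } }
  );
  return { value: createdByAutoValue.call(self), unset: unsetCalled };
}
```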