meteor flow-router placement/security - meteor

I have a question regarding Flow Router on Meteor.
In the new project structure for Meteor, all files are suggested to be kept in the "imports" folder and be imported into either the server folder or the client folder. In the tutorials I have seen that use Flow Router, there was no imports folder, and the routes folder with the JS file in it was kept right under the project folder. That raises a few questions for me.
1. Where does the Flow Router code run? On the client? On the server? On both?
2. If it runs on both, should I leave it outside the imports folder?
3. If it runs on both/only on the client, what does that mean security-wise? Say I don't want a certain user to be able to access a certain page, so in the Flow Router action() I write code that prevents people from reaching where I don't want them; can't they just change this code on the client and bypass the wall?
4. When referring to a user in the Flow Router JS file, do I use Meteor.userId() or this.userId?
5. I have three functions written inside if(Meteor.isClient) which I copied from a tutorial. The functions are Accounts.onLogin, Accounts.onLogout, FlowRouter.triggers.enter.
6. Can a user hack through them since they are on the client?
Thanks in advance!

From the documentation:
Flow Router is a client side router and it does not have Server Side Routing capability. It has no plans to implement such features either.
1. So Flow Router runs on the client only, and you should put the related code in /imports/startup/client.
2. See (1). Generally, all your code should be placed in the imports directory.
Meteor ensures that any file in any directory named server/ will only be available on the server, and likewise for files in any directory named client/
So if you want to have some code accessible to both the client and the server, don't place it in any subdirectories named /client or /server.
3. Although previously, with Iron Router, authentication was done in the router layer, with Flow Router you should write the auth logic in the template/component layer. Writing code in the Flow Router action() that prevents users from accessing a page is not a good pattern, according to the creator of Flow Router. Read here for examples and more details.
In server-rendered apps (in the PHP era), if there is an unauthorized access, we can redirect the user to a login page or some other page. In Meteor, or in any single-page app, we can simply show a login screen to the user instead of redirecting them to another page. Or else, we can simply say: "You are not allowed to view this page."
4. Same as in (3). You shouldn't refer to a user in the router layer.
5. Any code that runs on the client is not safe from a malicious user.
You may find the following useful:
Meteor guide application structure
Routing Guide for Meteor Apps (with Flow Router)
The example app "Todos", written following the Meteor Guide
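An added example (not code from the question, the answer, or Flow Router) of the split the answer recommends: the client decides only what to render, while the data itself is gated on the server inside a publication and a method using `this.userId`. The `roles` array on the user document and the `Reports` collection are assumptions for illustration; Meteor core has neither.

```javascript
// Added example: client-side route decision vs. server-side enforcement.
// Assumptions: users carry a `roles` array (not a Meteor core field) and
// `Reports` is a hypothetical collection.

// Shared authorization decision. Safe to ship to the browser because the
// client copy only affects what is shown, never what the server hands out.
function canAccessAdmin(user) {
  return Boolean(user && Array.isArray(user.roles) && user.roles.includes('admin'));
}

// Server-side gate. `userId` must be the server's own view of the session
// (this.userId inside a publication or method), never a client argument.
function requireAdmin(userId, findUser) {
  if (!userId) throw new Error('not-authorized: login required');
  const user = findUser(userId);
  if (!canAccessAdmin(user)) throw new Error('not-authorized: admin role required');
  return user;
}

// Constructed in-memory stand-in for Meteor.users.findOne so the example
// runs outside Meteor.
const USERS = {
  u1: { _id: 'u1', roles: ['admin'] },
  u2: { _id: 'u2', roles: [] },
};
const findUser = (id) => USERS[id];

// What a Flow Router trigger or template helper does on the client: pick a
// view. A malicious user can edit this in the browser, so it is a
// convenience for honest users, not a wall.
function clientRouteDecision(userId) {
  return canAccessAdmin(findUser(userId)) ? 'render-admin-page' : 'render-forbidden';
}

// The real wall, registered only when this file is loaded by a Meteor server.
if (typeof Meteor !== 'undefined' && Meteor.isServer) {
  const lookup = (id) => Meteor.users.findOne(id);
  Meteor.publish('adminReports', function () {
    // In a real app throw a Meteor.Error so the client sees the reason.
    requireAdmin(this.userId, lookup);
    return Reports.find({});
  });
  Meteor.methods({
    'reports.remove'(reportId) {
      requireAdmin(this.userId, lookup);
      Reports.remove(reportId);
    },
  });
}
```

Deleting the client-side guard in the browser changes nothing for the attacker: the publication never sends the documents and the method refuses the call, because both read `this.userId` from the DDP connection rather than from anything the client supplies.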

Related

What are valid page names in Next.js? And how does it distinguish between pages and static resources?

I'm new to Next.js and am trying to get my head around client side and server side routing and what files need to be made available to download when Next.js is configured to use server-side rendering.
When I do a production build of a Next.js project, a .next directory is created (details here). When I call next start and then load a page that uses SSR (by defining getServerSideProps()) then I can see in the developer console that the page that I load downloads resources that are prefixed _next (e.g. <script src="/_next/static/chunks/main-3123a443c688934f.js" defer=""></script>).
Can someone confirm whether the .next directory contents (.next/server/**, .next/static/**) are just made available on the server by being renamed to _next?
I tried creating a new page in a file called _next.js as an experiment. The project builds correctly (no errors reported and there are build artifacts created with the same naming convention as the other pages). However, when I try to load that page, I get a 404.
Are there restrictions on what constitutes a validly named page in Next.js? If so, what are they and where is this defined.
How does the Next.js server know what is a static resource that should just be given to the client and what is a page for which Next.js should render an output? Is it simply an algorithm like "if the path starts _next/ then return what is requested, otherwise render?"
How does Next.js know to distinguish between resources that are in the public directory and pages? e.g. if there's a collision between the name of a page and a resource in the public folder, how does the server know what to return to the user?

angular routing to old asp.net app on the same server

So the URL for my Angular web app is https://devnet/appName/ and when I click a button I want it to go to http://devnet.some.org/appName/page.aspx. Now here's the part I need help with: the Angular web app is on devnet, testnet and (you guessed it) prodnet. Depending upon which server the Angular app is running from is where I want it to go and find the old app.
https://devnet/appName/route ->
http://devnet.some.org/appName/page.aspx
https://testnet/appName/route ->
http://testnet.some.org/appName/page.aspx
https://prodnet/appName/route ->
http://prodnet.some.org/appName/page.aspx
Notice the change in protocol; the servers are the same, as is the appName, but the route and page.aspx will be different.
And yes, this is a temporary thing until the Angular app is completely complete.
The best approach from my POV is to use environments, e.g.:
environment.ts // current one
environment.dev.ts
environment.test.ts
environment.prod.ts
Add corresponding configurations in angular.json (propagate "production" configuration).
Add oldUrl to the environment interface and provide different values for each particular environment.
Import environment into the component where the redirect button is used and use the environment.oldUrl property to construct a proper redirect URL.

Meteor : Access to my public/lib from server

According to the Meteor docs, the public folder is accessible to both the server and the client. But if I just need to use the HTML head elements to access it, how can I do it from the server?
I made a lib with very specific functions, and I'm tired of copy-pasting them at the top of each of my server .js files.
Could anyone give me the tip? I couldn't find it on Google :/
Thank you,
David
You are making your life harder than necessary. Any folder that is not called client, server, private, or public is shared by the client and the server. Just put your shared .js files into any folder, say, /common, and they will be available (loaded) on both the client and the server.
The public folder is specifically for assets that are not loaded automatically by the server, but are instead served statically over HTTP, similar to the static functionality of express. It's the place for images and other assets you want on the client.

Meteor proxy file to browser

I have a file at an external URL (which only the server Meteor is running on can access):
http://192.168.9.39/account_5.pdf
I want to serve this up in meteor so that a user can click a link to e.g http://server.meteor.com/temp/account_5.pdf
Is there a way I can do this? Perhaps stream it directly to the user or download the file to the /public/temp folder so that it can be served up? How would I do this?
I'm open to any suggestions, even if it uses a node module or something.
Are you running your own Meteor server, or do you actually want to deploy to *.meteor.com? (You said "server.meteor.com", so I was wondering).
From node you could use http.get to retrieve the remote file and then use fs.writeFile to save it to your temp/ directory.
Or you could stream it like you suggested using something like http://www.catonmat.net/http-proxy-in-nodejs/
If you're running your own server, probably the easiest thing would be to package up this code in a small npm module. Node's require is exposed to Meteor code in __meteor_bootstrap__.require, so to trigger fetching the remote file you could do something like __meteor_bootstrap__.require('my-npm-module').fetchFileToTemp(name).
For the streaming option, __meteor_bootstrap__.app is Meteor's connect server, which you can attach your own request handlers to via
__meteor_bootstrap__.app(function (req, res, next) { ... });
in the usual way for connect middleware.
If you drop the pdf in your /public folder and deploy, users can just click http://server.meteor.com/account_5.pdf to access the pdf.
Is this what you're expecting? Hope that's helpful.
This is a little hackish, but you could make a route (with Meteor Router) that responds to /temp/* and put an iframe in those pages that loads the remote URL. It won't be elegant, but it will work! In case you need this done quick.
Or you could do a cross-origin XHR request and go fetch the file that way, which is probably more Meteor-ish. But I'd have to look that one up. ;-)

HTTP auth and Flex

I have a small query. I wrote a Flex application with PHP remoting using ZendAMF. I also made an auth system. The user provides credentials and I pass them to my gateway, where I have a service registered to query a SQL DB and verify whether the user is registered or not. That's working perfectly. In my application I am loading MRTG graphs (PNG files) into an Image component. The graphs are inside my document root. They are also loading well. The problem is, if I type the URL path to the PNG file I can see it directly without any authentication. To cater for that I added an .htaccess file to the MRTG folder inside my document root. Now when I view the images inside my Flex app it asks for an HTTP username and password, which I don't want.
In simple words: the MRTG PNGs are inside my document root.
Can I move them out of the document root and still have my Flex app access them? (I tried and failed with that.)
I just want the user to be able to view the MRTG PNGs, and not directly from the URL.
If you are using ZendAMF, why don't you just create a service method on your service that provides you with those images?
That way you have full control over what happens.
For example you could send them through as a byte array or a base64 encoded string, making it a lot harder to define where the image is actually stored on server disk.
Cheers
