Meteor.js - Template Permissions - meteor

This has been asked in similar forms here and here but it seems pretty important, and the framework is under rapid development, so I'm going to raise it again:
Assuming your login page needs to face the public internet, how do you prevent Meteor from sending all of the authenticated user templates to a non-authenticated client?
Example use case: You have some really unique analytics / performance indicators that you want to keep secret. You've built templates to visualize each one. Simply by visiting the login page, Meteor will send any rando the templates which, even unpopulated, disclose a ton of proprietary information.
I've seen two suggestions:
Break admin into a separate app. This doesn't address the issue assuming admin login faces the public internet, unless I'm missing something.
Put the templates in the public folder or equivalent and load them dynamically. This doesn't help either, since the file names will be visible from other templates which will be sent to the client.
The only thing I can think of is to store the template strings in the server folder and have the client call a Meteor.method after login to retrieve and render them. And if you want them to behave like normal client templates, you'd have to muck around with the internal API (e.g., Meteor._def_template).
Is there any more elegant way to do this?

I asked a similar question here:
Segmented Meteor App(s) - loading only half the client or two apps sharing a database
Seems to be a common concern, and I certainly think it's something that should be addressed sometime.
Until then, I'm planning on making a smaller "public" app and sharing the DB with an admin app (possibly in Meteor, possibly in something else, depending on size/data for my admin)

These 2 packages try to address this issue:
https://atmospherejs.com/numtel/publicsources
https://atmospherejs.com/numtel/privatesources
It uses an iron-router plug-in to load your specific files on every route.
The main drawback I see here is that you must change your app structure, as the protected files need to be stored in /public or /private folder.
Also you are supposed to use iron-router.

Related

How to protect static files with authentication in Meteor?

I am building a very simple Meteor app with the following situation: there are some static files in the backend (images, audio, video) that I need to include in my page, but I only want authenticated users to be able to access them. How can I do this?
I suspect I might be able to do this using routers but I haven't managed to get that running using the official documentation (or any other resource for that matter). If somebody could point me in the right direction I would be thankful.
It depends on how secure you needed.
You may want to just hide/show the link then you can put those files in public folder and add some logic to the front-end to show/hide the files based on user's authentication state.
If you need it more secure then you you need to put those files behide APIs. You can use DDP apis (Meteor method or pub/sub) or you may use webapp to create api.
There are mainly 2 ways to do it:
obfuscate source urls
Only show to signed in users.
a) meteor-files: https://github.com/veliovgroup/Meteor-Files for overall file security.
b) CDN signed urls: root url remains the same but it requires a signature for every download/view. You can look at things like Instagram, FB etc.
Put images in pages on routes for only logged in users. If delivered from CDN, add policies to match your referrer/origin to disallow embedding of your images on other websites.

Is it possible to keep data cached between user visits

I have a collection of 15k+ objects(database) that I want to send to the client(an application). This can take up to 30sec to sync.
I would like a way to keep cache between user visits so I only need to sync the difference since my last visit.
It would be also nice to be able to share that local cache between browser tabs.
In theory I don't see why it would be hard to do so, but I am uncertain how to do it.
*As pointed out by #zeroasterisk it is a database cache I am looking for, not simply static files.
Have you looked at the smart package "appcache" ?
code: https://github.com/awwx/meteor-appcache
info: http://docs.meteor.com/#appcache
more: https://github.com/meteor/meteor/wiki/AppCache
The appcache package stores the static parts of a Meteor application (the client side Javascript, HTML, CSS, and images) in the browser's application cache. To enable caching simply add the appcache package to your project.
It doesn't currently support data in collections, which is what I think you were asking about, but it might be something you could extend. If I mis-understood the question and you just need to store static objects (JS files, etc) this will work great.
more on this here: Can Meteor's Appcache also store database data?
note: it is disabled by default in FF because of user prompts...

Make ASP.Net (C#) Web App Available Offline

I have been tasked with making my company's Web App available offline. Before I move to the actual development phase, I want to be sure that my current strategy will not turn out to be a bust.
I first thought about using html5 app cache but after doing some tests I found that it seems to not cache the server side operations but the actual html that is rendered (Please correct me if I'm wrong). This will not work because the rendered html depends upon who is currently logged in. From my tests, it always rendered the html as if the last person that logged in (online) is logging in.
My current strategy is this:
I cache only the login page and an offline (.html) page to correspond to each aspx page that will need to be available offline. Every successful login (online) results in creating or updating Web SQL Database or IndexDB (depending on browser) with all data needed for that person to operate offline including a table that will be used for login credentials. In this way the only requirement for logging in offline is logging in with your login credentials at least one time.
My concern is that I am overcomplicating it. In order to make this work, I will need to create an html page for each current page (a lot of pages) and I will have to rewrite everything that is currently being done on the server in JavaScript including validation, database calls, populating controls such as dropdown lists and data grids, etc. Also everything that I change in the future will require a subsequent offline change.
Is there an established best practice for what I am trying to do that I am overlooking or am I venturing into new ground?
Please refer to these links, which gives you some insight on what is to be achieved. I'm not sure these are best practices, but these will be good starting point.
http://www.c-sharpcorner.com/UploadFile/aravindbenator/offline-mvc3-application/
http://www.developerfusion.com/article/84438/isolated-storage/

Creating DNN Portal through Code (or programming)?

I have one portal with 3 modules inside it, now my requirement is i would like to create
new portal for every client registered in my DNN site.
So, i have one interface for registration, so as soon as client registers entirely new parent portal should be created with all the modules.
How can i achieve this functionality ???
I would suggest digging into the admin files that come as part of the default DNN installation and look for the code that creates a new portal from there. It will ultimately be calling a stored procedure to create the necessary data in the SQL tables. You might get away with just calling the stored procs but the admin code probably calls several different ones to setup the default security settings.
Curiously what alias will each of these portals use? It's not clear why you need a complete portal for each user. The DNN segmentation already allows you to show different content based on role membership. Why the need for a whole portal per user?
Use the site wizard to create template of the current portal and during client registration programmatically execute the template. You may also want to automate the site setup in IIS.
Well, You can easily do it! Login to host and go to portals. Click on create new protal.
See which control is responsible for creating new portal. you can simaply get it by using firebug and look into client id of link or text box.
Once you do that, you will find the code you can use.
tell me if you need more help with it, I'm good with what you want to do!

What are some ways to support multiple websites with a single code base?

I'm writing a pretty straight forward ASP.NET MVC web app: only a couple of CRUD pages, some folders where clients can browse documents and just 3 or 4 roles. The website will be used in a B2B scenario, where every client will have their "own" website.
At this point, the only thing that will change in the website, from client to client is the content (ie. the documents, and the rows of data they'll see). If this is the case, what's the best way to manage roles across all of my clients? I'm looking for the simplest possible solution because this is a proof of concept and I don't want to invest a lot of time right now.
What if it's not just the content that changes? Maybe some clients will want a few custom static pages. At this point, is my only option replicating the entire website? I'm leery of this because it'll become hard to maintain if I get a lot of clients.
I'd appreciate any help... I just don't want to shoot myself in the foot; I'm sure someone has done this before.
I create Virtual Directories in IIS for each client, all pointed back to the same folder where my ASP.NET code resides.
This allows me to support several dozen nearly-identical "web sites," each with their own database that is basically identical in form, only differs in data.
So, my site URLs look like:
http://mysite.com/clientacme/
http://mysite.com/clientbill/
http://mysite.com/clientcharlie/
There are two key implementation details I worked out for this:
I use the Virtual Directory folder name to determine which DSN my code reads from. This is accomplished by creating a simple static method that injects the folder name into a DSN string template. If you want to use the same database to store everyone's data, you can use the folder name as a default filter in your queries.
I store the settings for each web site (headers and footers, options, links to custom reports, etc.) in a simple "settings" table in each database (key, value) rather than in the web.config (which is shared). This allows me to extend the code base over time to customize the experience for each client without forking the code.
For user authentication, I use Basic authentication, and I keep usernames, passwords, and roles in a table in each database.
The important thing is that if you use different SQL Server databases for each client's content, you need to script any changes to your database tables, indexes, etc. and apply them across all databases at the same time (after testing of course). One simple way to do this is to maintain an Excel sheet with a table of database names and a big "SQL" cell at the top. Beside each database name, create a formula to "USE databasename;" and then concat the SQL code at the top.
I'm not sure if this answers your question completely, but as far as maintaining custom "static" pages I found myself implementing a system on a client's MVC website where the client can create "Pages" from their admin control panel and each Page has a collection of "PageContent" entities which consist of a Title and and HTML content field (populated using a WYISWYG editor). Upon creating a page the MVC application maps http://yoursite.com/Page/Page-Url-Specified-By-The-User to that page and renders its content there. Obviously, the pages are dynamic, but as far as the client can tell they have created a brand new custom page with little or no effort.

Resources