Security issue. Exposing all model to client #47
Comments
This is something being actively developed. There will be a way to authorize model paths very soon, which should allow you to prevent this type of thing.
Guys! You don't have server-client logic separation. To be exact, you have some client-only logic, but don't have server-only. Please, let's consider the other problems that I describe here.

1. I can't have any private things in app code. For example an FB app token and secret. It all gets exposed to the client, which I don't want. Solution:
app.js
app.server.js

2. The model needs to be able to store server-only variables. Solution:

3. I can run on the client side. My temporary solution: Solution:

4. If I have in a route. Solution:

Conclusion: I use derby without any realtime cross-user racer functionality. And I use a custom racer-db-driver that talks to our Python-written API. Every user gets unhackable data like In this case I can even use
> More possibilities
> #1 `server(function() {` and it got replaced with: `server()` by some browserify/asset processor

Agreed. I think this would be hard to do without memory leaking.
Yeah, you are right about #4. Please let me know what you think about my updated conclusion.
#1 Also it needs the ability to do
I think you can do `module = require "" + 'module'` and it won't get browserified.
How about
A little insight on what they are thinking for AuthZ:

On 5/31/2012 3:08 PM, Nate Smith wrote:
First version of access control is now in. Needs more documentation and examples, but here is the readme: https://github.com/codeparty/racer/blob/master/src/accessControl/README.md

That's a dead link, here is the new link: https://github.com/codeparty/racer/blob/master/lib/accessControl/README.md

The new link is dead again :)

Any new movement here? I am moving away from Meteor and need a solid auth solution.

Are there any examples as to how to use this? The Meteor accounts-password package exposes a users collection. In some of the examples for Derby I see reference to users only as stored sessions. No passwords. They are only used to differentiate one browser session from another. racer-access seems to be akin to the Roles package from Meteor. So perhaps my question should have been: is there a user authentication package and some sort of authorization package available? I apologize for the Meteor references, but it's the experience I have to draw from for node-based frameworks.

You're asking about authentication. Derby does not include an authentication system. Use https://github.com/lefnire/derby-auth (0.5 branch)

The examples do not work.
Problem

1. Let's look at the chat example.
2. If I set a breakpoint on line 45 in the browser (I mean the equivalent line in the compiled JS).
3. I can do `window.model = model` in the console and continue script execution.
4. In the console
5. The name of every user is `lolz`.

P.S.
Even in a production environment, when the JS is uglified, I can reformat the code in Chrome and put a breakpoint on a function that has a closure over the model variable, and make that function fire. Like

Where `a` is the model. I catch that breakpoint when I post a new message.
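The report above shows why client-side code cannot be trusted with the whole model: anyone can stop the script in a debugger, grab the model object, and write to other users' paths. The only durable fix is the one the maintainers point at, authorizing each mutation on the server against the server-held session before it touches shared state. The following is an added illustration of that shape, written for this page; it is not code from Derby, Racer or racer-access, and its names (RULES, authorizeMutation, applyMutations, demo) and the `users.<id>.name` / `messages` layout of the chat example are assumptions made for the example.

```javascript
'use strict';
// Added illustration, not Derby/Racer code. A server-side gate that checks
// every client mutation (op + path + value) against the session before it
// is applied. A client that took the model object in a debugger can then
// only change what its own session is allowed to change.
// Assumed names and path layout: RULES, authorizeMutation, applyMutations,
// demo; users.<userId>.name and a messages list, as in the chat example.

// Allow-list of path patterns. '$me' must equal the session's userId,
// '*' matches any single non-empty segment. Anything not listed is denied.
const RULES = [
  // a user may rename only themselves
  { op: 'set', pattern: ['users', '$me', 'name'] },
  // anyone may append a message, but it must be tagged with their own id
  { op: 'push', pattern: ['messages'],
    check: (session, value) =>
      value !== null && typeof value === 'object' && value.userId === session.userId },
];

function pathMatches(pattern, segments, session) {
  if (pattern.length !== segments.length) return false;
  return pattern.every((p, i) =>
    p === '*' ? segments[i] !== '' :
    p === '$me' ? segments[i] === session.userId :
    p === segments[i]);
}

// True only if some rule explicitly allows this op on this path (and value).
function authorizeMutation(session, mutation) {
  if (!session || typeof session.userId !== 'string' || session.userId === '') return false;
  if (!mutation || typeof mutation.path !== 'string' || mutation.path === '') return false;
  const segments = mutation.path.split('.');
  return RULES.some(r =>
    r.op === mutation.op &&
    pathMatches(r.pattern, segments, session) &&
    (!r.check || r.check(session, mutation.value)));
}

// Walk to the parent of the last segment, creating objects on the way.
function parentOf(state, segments) {
  let node = state;
  for (const s of segments.slice(0, -1)) node = node[s] = node[s] || {};
  return node;
}

// Apply a batch of client mutations to an in-memory state; return the
// ones that were rejected so the caller can log or disconnect.
function applyMutations(state, session, mutations) {
  const rejected = [];
  for (const m of mutations) {
    if (!authorizeMutation(session, m)) { rejected.push(m); continue; }
    const segments = m.path.split('.');
    const key = segments[segments.length - 1];
    const parent = parentOf(state, segments);
    if (m.op === 'set') {
      parent[key] = m.value;
    } else if (m.op === 'push') {
      (parent[key] = parent[key] || []).push(m.value);
    }
  }
  return rejected;
}

// Constructed scenario mirroring the report: the session for user u2
// tries to rename every user, which an unguarded model would allow.
function demo() {
  const state = { users: { u1: { name: 'alice' }, u2: { name: 'bob' } }, messages: [] };
  const attacker = { userId: 'u2' };
  const rejected = applyMutations(state, attacker, [
    { op: 'set', path: 'users.u1.name', value: 'lolz' },                    // other user: denied
    { op: 'set', path: 'users.u2.name', value: 'lolz' },                    // self: allowed
    { op: 'push', path: 'messages', value: { userId: 'u1', text: 'hi' } },  // impersonation: denied
    { op: 'push', path: 'messages', value: { userId: 'u2', text: 'hi' } },  // own message: allowed
    { op: 'del', path: 'users.u1' },                                        // no rule: denied
  ]);
  return { state, rejected };
}

if (typeof module !== 'undefined') {
  module.exports = { RULES, authorizeMutation, applyMutations, demo };
}
```

Note that the gate is an allow-list keyed on the server's own session, not on anything the client sends about who it is; the `check` on `messages` also validates the value, because path authorization alone would still let a client post a message attributed to someone else.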