Meteor methods and security
After watching an episode of Josh Owens' Meteor Club Q&A about security, I picked up some tips from guest Pete Corey about Meteor methods.
Did you know that calling Meteor.connection._methodHandlers from your console lists all available methods on the client? You can also see all your collection inserts, updates and removes from there.
A few things to consider if you write your methods in a shared location (for optimistic UI goodness):
Every method you write is going to be callable by any user. Even if you intend a method to be called only by your server code, it can be called by anyone, even if it's in a server-only location where a client can't see the definition. A client can see a call to it, so they'll know it exists and can call it themselves with whatever arguments they want.
Do not store any application secrets in methods (like API keys). Do not hard code them in your application. They belong in your Meteor settings, and your methods should reference that settings object.
The only reason to hide method bodies is if there is some kind of business secret in them: logic specific to your business that you see value in and don't want other people in your industry to see. You could always separate out your client and server methods.
Never trust user input. Make sure it is what you're expecting it to be. Always check your method arguments.
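Putting those points together, here is an added example (not code from the original post) of a method that enforces its own authorization, checks its arguments and reads its API key from settings. Meteor.methods, Meteor.call and check are minimal stand-ins constructed so the file runs under plain Node; in a real app they come from the meteor/meteor and meteor/check packages.

```javascript
// Added example, not code from the original post. Meteor.methods, Meteor.call
// and check are minimal constructed stand-ins so this runs under plain Node;
// in a real app they come from the 'meteor/meteor' and 'meteor/check' packages.
const handlers = {};
const Meteor = {
  // Loaded from settings.json at runtime in real Meteor; placeholder value here
  settings: { private: { apiKey: 'SETTINGS_API_KEY_PLACEHOLDER' } },
  methods: (defs) => Object.assign(handlers, defs),
  Error: class MeteorError extends Error {},
  // Simulates any connected client invoking a method with arbitrary arguments;
  // the server only knows the caller's userId, so all validation lives in the handler
  call: (name, args, userId) => handlers[name].call({ userId }, args),
};
// Like the client-side Meteor.connection._methodHandlers: every method name is visible
const listMethods = () => Object.keys(handlers);

function check(value, pattern) {
  if (pattern === String || pattern === Number) {
    if (typeof value !== pattern.name.toLowerCase()) throw new Meteor.Error('match-failed');
    return;
  }
  // Object pattern: every expected key must match and no extra keys are allowed
  if (value === null || typeof value !== 'object') throw new Meteor.Error('match-failed');
  const expected = Object.keys(pattern);
  if (Object.keys(value).some((k) => !expected.includes(k))) throw new Meteor.Error('match-failed');
  expected.forEach((k) => check(value[k], pattern[k]));
}

Meteor.methods({
  'orders.place'(order) {
    // Anyone can call this, so authorization is enforced inside the method
    if (!this.userId) throw new Meteor.Error('not-authorized');
    // Never trust user input: enforce shape and types before using anything
    check(order, { sku: String, quantity: Number });
    if (!Number.isInteger(order.quantity) || order.quantity <= 0) {
      throw new Meteor.Error('invalid-quantity');
    }
    // The secret comes from Meteor.settings, never from the client or source code
    const apiKey = Meteor.settings.private.apiKey;
    return { ok: true, user: this.userId, sku: order.sku, qty: order.quantity, keyLoaded: apiKey.length > 0 };
  },
});

// Returns the result or the error name so each outcome can be inspected
function tryCall(name, args, userId) {
  try { return Meteor.call(name, args, userId); } catch (e) { return e.message; }
}
```

Calling tryCall with an extra apiKey field, a string quantity, or no userId shows each check rejecting the request before any work is done.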