Meteor's security model allows app developer to validate any operation or RPC going through, based on the arguments or userId (by writing JS code). Also, the published set is controlled by publications, allowing to publish only filtered out data with specific fields.
Unlike Firebase, Meteor actually allows you to send "first top 20 guest posts from November" as an example. The filtering can happen on the server, before sending the data and the data model usually fits into a sets of documents in set of collections. In Firebase, everything is part of a big subtree that is not filterable (the last time I checked).
Firebase is a good choice for keeping your real-time data. But knowing its limitations is as important as knowing its strengths.
Hey there, I'm Joey, a Firebase dev — last November, we shipped advanced querying support[0] to address this! You can now use orderByChild(), orderByKey() or orderByPriority() to build a query.
We also have limitToFirst(), limitToLast(), startAt(), endAt(), and equalTo() methods to further filter your data.
This is great! I didn't doubt that Firebase will roll out features to paginate and sort data. I also don't doubt that Firebase will implement filtering in the future. Great work.
What you're saying is only true on a barebones default Meteor app. Please don't comment on a tool if you've never used it for anything other than a hello world, you're doing a very sophisticated tool a huge disservice.
You remove the autopublish package and you can no longer query records from the client.
I disagreed, in OWASP: It is important to understand that by no means does “Secure Defaults” mean turning off all possible network applications or sockets and services. And neither do Secure Defaults mean a 100% secure environment. But, they should ensure the least number of possible loopholes and fewer drawbacks.
Likewise, no matter what languages, majority are insecure by defaults.
What other tech stack allows you to publicly query the application data source by default? I think it's fair to say that shouldn't be possible and I'd be hard pressed to believe that OWASP would disagree with that.
A lot of software engineers are wary of frameworks/tools with an emphasize on ease-of-use over security, or benchmarking over data integrity. Rightly so in my opinion.
It leaves a "I should triple check everything again before going live since I cannot trust the tool to do its job" thread running permanently in the back of the mind. It's such a slowdown. Don't get me wrong, it's important to read the documentation and double check settings, but insanity by default does not build trust.
That said in the case of meteor beyond the autopublish package that should be off by default, I think everything is spot on. I mostly use PostgreSQL, so I cannot use it as much as I'd like to, but hopefully that will change.
I agree with what you're saying, but a lot of people make it look like Meteor allows XSS and SQL Injection by default. You really only need to remove autopublish from the get go right after meteor create foobar and you begin with a secure app.
In OWASP:
It is important to understand that by no means does “Secure Defaults” mean turning off all possible network applications or sockets and services. And neither do Secure Defaults mean a 100% secure environment. But, they should ensure the least number of possible loopholes and fewer drawbacks.
One of the things I like about rails (and ember-cli) is that it is "secure-by-default". If I am going to make a choice that potentially has security vulnerabilities, I have to deliberately make that choice - I basically have to create a whitelist of things I want to allow.
There's no need to be rude. How many people are going to not know that, or forget? Meteor is highly tailored towards beginners. Additionally, Mongo's out-of-the-box security policies are extremely lax as well, and unsecured Mongo instances in the wild are a huge problem.
> "Everything is ease-of-use optimized, to the point that you can query Mongo via the browser console."
meteor remove autopublish
meteor remove insecure
The Mongo-accessible frontent is genius. This makes your prototyping much faster, and you can totally skip the "model" layer of your frontend. It matches your backend automatically. No further configuration needed. No REST endpoints, no callbacks. And yes, it's secure.
Meteor's security model is very well-designed. The list of things left for the developer to do, security-wise, is very short.
It's still important to learn your tools and understand how security works.
My preferred "easy/simple" model of app design is Firebase (backend and JS lib for pure web clients), who have security figured out.