Written by Pete Corey on Apr 15, 2015.

When using Meteor methods, a surprising amount of information can be passed down to the client. Let's consider the following method definitions, assuming the file lives in shared code that is loaded on both the client and the server:

// Shared code: loaded on both the client and the server.
Meteor.methods({
    sharedMethod: function() {
        console.log('This is a shared method.');
        // Meteor.isServer is evaluated at runtime; this branch is still
        // part of the function's source text on the client.
        if (Meteor.isServer) {
            console.log('This is behind a server guard.');
            Meteor.call('serverMethod');
        }
    }
});

// Server guard: these definitions only run on the server.
if (Meteor.isServer) {
    Meteor.methods({
        serverMethod: function() {
            console.log('This is a server method.');
        }
    });
    Meteor.methods({
        hiddenMethod: function() {
            console.log('This is a hidden method.');
        }
    });
}

With these methods set up, open your browser’s console and take a look at the method handlers exposed to the client:

Meteor.connection._methodHandlers

Along with a few others, you'll see the handler for sharedMethod. You won't see serverMethod or hiddenMethod, because both of those methods were defined entirely inside a server guard, so no client-side stub was ever registered for them.

Take a look at the source of sharedMethod:

Meteor.connection._methodHandlers.sharedMethod.toString();

You'll notice that you can see the method's entire body, including any permission checks and validation that may or may not be taking place. You can even see the call to serverMethod! This is because Meteor.isServer is an ordinary runtime check, not a build-time one: the whole function, guard and all, is shipped to the client as the method's stub. Unless you are careful, server-guarded blocks inside shared methods will be passed down to the client within client-visible method handlers.

Hiding the handler does not stop the call, either. Meteor.call sends a method message to the server by name, and the server will run any handler it has registered under that name whether or not the client has a stub for it. All methods can therefore be called from the client, even methods that the client should have no knowledge of:

Meteor.call('sharedMethod', ...);
Meteor.call('serverMethod', ...);
Meteor.call('hiddenMethod', ...);

It's not enough to try to hide your methods on the server; an attacker can guess or discover a method name and call it directly. Always do proper validation, sanitization and authentication inside the method itself before taking any action: validate the arguments (Meteor's check is built for this), verify that this.userId is set, and confirm that the calling user is actually allowed to act on the data in question. Treat every method as a public endpoint.
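To make the two points above concrete outside of a running Meteor app, here is an added example that is not part of the original post. It uses a small constructed stand-in for Meteor.methods, Meteor.call and this.userId so it runs in plain Node; the removePost method, the Posts records and the user ids are assumptions for illustration, not anything from the post.

```javascript
// Constructed stand-in for the server side of Meteor.methods / Meteor.call.
// It mimics what matters here: handlers are looked up by name, and the
// caller's identity arrives as this.userId. It is not the real Meteor API.
const serverHandlers = {};
const Meteor = {
  isServer: true,
  methods(defs) { Object.assign(serverHandlers, defs); },
  call(name, ...args) { return dispatch(null, name, ...args); },
  Error: class MeteorError extends Error {
    constructor(error, reason) { super(reason || String(error)); this.error = error; this.reason = reason; }
  },
};

// Emulates a method message arriving from a client over DDP: the server looks
// the handler up by name and runs it with this.userId set from the connection.
// Note there is no visibility check; any name the server registered is callable.
function dispatch(userId, name, ...args) {
  const handler = serverHandlers[name];
  if (!handler) throw new Meteor.Error(404, `Method '${name}' not found`);
  return handler.apply({ userId }, args);
}

// Shared code, as in the post: the guard is a runtime check, so the guarded
// branch is still part of the function's source text.
Meteor.methods({
  sharedMethod() {
    if (Meteor.isServer) {
      return Meteor.call('serverMethod');
    }
    return 'client stub ran';
  },
});

// Server-only definitions, as in the post.
if (Meteor.isServer) {
  Meteor.methods({
    serverMethod() { return 'server method ran'; },
    hiddenMethod() { return 'hidden method ran'; },
  });
}

// What a client sees when it reads the shared handler's source.
function guardedBranchIsVisible() {
  return serverHandlers.sharedMethod.toString().includes("Meteor.call('serverMethod')");
}

// Constructed sample data (assumption): a tiny in-memory Posts collection.
const Posts = [
  { _id: 'p1', owner: 'alice' },
  { _id: 'p2', owner: 'bob' },
];

// Hardened method (assumption): every check lives inside the handler, because
// the handler is the only thing standing between the client and the data.
Meteor.methods({
  removePost(postId) {
    // Validate the argument (in a real app: check(postId, String)).
    if (typeof postId !== 'string') throw new Meteor.Error(400, 'postId must be a string');
    // Authenticate: refuse anonymous calls.
    if (!this.userId) throw new Meteor.Error(401, 'Not logged in');
    // Authorize against the data: only the owner may remove a post.
    const idx = Posts.findIndex((p) => p._id === postId);
    if (idx === -1) throw new Meteor.Error(404, 'No such post');
    if (Posts[idx].owner !== this.userId) throw new Meteor.Error(403, 'Not your post');
    Posts.splice(idx, 1);
    return postId;
  },
});

// Helper that plays the client: returns the result or the error code.
function tryCall(userId, name, ...args) {
  try {
    return { ok: true, result: dispatch(userId, name, ...args) };
  } catch (e) {
    return { ok: false, error: e.error };
  }
}
```

Running tryCall(null, 'hiddenMethod') succeeds even though no client stub for hiddenMethod exists, which is the whole point of the post; removePost, by contrast, rejects a bad argument, an anonymous caller and a non-owner in turn, and only then touches the data.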

I highly recommend taking a look at Sacha Greif’s three part latency compensation series (An Introduction to Latency Compensation, Advanced Latency Compensation, and Two-Tiered Methods) over at Discover Meteor to better understand how to use and protect your Meteor methods.