
Create a web app from scratch in under 5 minutes with Meteor and Mailgun - twakefield
http://blog.mailgun.net/post/41958103075/create-a-web-app-from-scratch-in-under-5-minutes-with
======
scribu

      if(Meteor.isClient) {
        ...
      }
    
    
      if(Meteor.isServer) {
        ...
      }
    

Does the Meteor compiler somehow split those code blocks into separate files,
so that it only serves the client code to the browser?

If not, it seems like a pretty bad practice for delivering fast webapps.

Edit: In general, Meteor.isServer seems like a great way for developers to
shoot themselves in the foot:

    
    
      Dev: Let me just add my $secret in the server-side block...
      Bad guy (viewing source): Oh, what have we here?
      Dev: PWNED :(

~~~
wavesounds
"Does the Meteor compiler somehow split those code blocks into separate files,
so that it only serves the client code to the browser?"

Yes.

~~~
javajosh
Uh, actually, no. And I put together a screencast to prove it.

<http://screencast.com/t/RkImuQ9i>
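
Whichever answer holds for a given build, the question can be settled by inspecting the JavaScript the server actually delivers. The following is an added example, not part of the thread or of Meteor: `scan_client_bundle`, `make_sample`, the `NAME=VALUE` secrets file and the sample bundles are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical names): scan the JavaScript a server delivers to
# browsers for server-only blocks and for secret values that must stay private.

# scan_client_bundle BUNDLE SECRETS_FILE
#   BUNDLE        JavaScript file saved exactly as the browser receives it
#   SECRETS_FILE  NAME=VALUE lines listing values that must never be served
# Prints one finding per line (secret names only, never values).
# Returns 0 when the bundle is clean, 1 when anything was found.
scan_client_bundle() {
    bundle=$1
    secrets=$2
    findings=0

    # A Meteor.isServer guard in served code means the server branch shipped.
    if grep -q 'Meteor\.isServer' "$bundle"; then
        echo "server-only block present"
        findings=$((findings + 1))
    fi

    # Fixed-string match per secret; "value" keeps any later '=' characters.
    while IFS='=' read -r name value; do
        [ -n "$value" ] || continue
        if grep -qF -e "$value" "$bundle"; then
            echo "secret $name present"
            findings=$((findings + 1))
        fi
    done < "$secrets"

    [ "$findings" -eq 0 ]
}

# make_sample DIR: write constructed sample files (not real Meteor output).
make_sample() {
    cat > "$1/leaky.js" <<'EOF'
if (Meteor.isClient) { Template.hello.greeting = "hi"; }
if (Meteor.isServer) { var mailKey = "EXAMPLE-CONSTRUCTED-SECRET"; }
EOF
    cat > "$1/clean.js" <<'EOF'
if (Meteor.isClient) { Template.hello.greeting = "hi"; }
EOF
    printf 'MAIL_KEY=EXAMPLE-CONSTRUCTED-SECRET\n' > "$1/secrets.txt"
}

# Demo on the constructed samples.
tmp=$(mktemp -d)
make_sample "$tmp"
scan_client_bundle "$tmp/leaky.js" "$tmp/secrets.txt" || echo "leaky.js: FAIL"
scan_client_bundle "$tmp/clean.js" "$tmp/secrets.txt" && echo "clean.js: ok"
rm -rf "$tmp"
```

Run as a build or deploy gate, the non-zero return stops a release whose served code still carries a server branch or a listed secret.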

------
kisielk
$ curl https://install.meteor.com | sh

I really wish people would stop giving instructions like this. Despite all the
focus on web security and sandboxing, we continue to instruct people to run
arbitrary code on their user account.

People should at least give any shell script they download from the internet a
cursory look to see if it's doing what it should be doing instead of blindly
executing the response from an HTTP request.

~~~
geoffschmidt
Meteor dev here.. We actually think this is more secure, or at least does more
to raise awareness about security! We want people to BE AWARE that they're
running arbitrary code, secured only by the certificate authorities in their
local curl install.

Just about every other way of installing software ends up letting the remote
run arbitrary code on your machine. The disadvantage of the other approaches
is that you don't think about it, so you feel safer than you are, and you are
more likely to make security-compromising mistakes.

- When you download an OS X installer package and run it, it can run
arbitrary code during the install. Is that how you installed Postgres or
Rails? Hope you downloaded that disk image over http. (The last time you
downloaded a disk image, did you check the link to make sure it was https? ...
Are you sure you never forget to do that?)

- OK, so let's say you download a tarball instead, and untar it into
/usr/local, and put meteor in your path. Then the next thing you do is.. you
type 'meteor', letting the tarball run arbitrary code. There's not much
security difference between letting the remote code run at install time, and
letting it run two seconds later when you actually start the program for the
first time.

- OK, let's say you downloaded a Meteor tarball, checked its SHA1-- wait, how
did you get the correct SHA1? Did you get it off our website? (Best case, over
https, bringing us back where we started?) Or did you call me on the phone..
using the phone number you got off of Facebook.. secured by https? (Best case,
and only if you manually added https to your Facebook URL. Did you remember to
do that?)

- No problem, I'll get it out of macports, fink, or homebrew, and hopefully
they'll have the correct authoritative hash and validate the download. Well,
how do you know you have the real macports? The chain of trust still goes
through https and the CA. Arguably this is a little better because presumably
many people will notice if the macports download site is hacked, but just as
arguably, it's less secure because there's one more potential compromise point
(volunteer macport maintainers -- how are they vetted? do they use two factor
auth? what if their email account is compromised?)

There's really two separate issues here:

- Do you trust Meteor enough to run our code? If so, you shouldn't care
whether you run curl | sh or whether you download a tarball and unpack it, and
then run the program in it. If not, you shouldn't do either. They're equally
bad.

- Do you trust https and the certificate authorities to protect you from MITM
attacks, so that you get the authentic bits from meteor.com and not an
imitation? If so, then curl https://foo solves your problem. If not, you are
going to have to find something better than the CA's to serve as your root of
trust.

Maybe there is an argument for "defense in depth" -- maybe you should fetch
the tarball from one server with one CA, and the SHA1 from a second server
with a different CA -- sure, in practice that could make a compromise less
likely. But that's a bit much to ask of the random OS X user that just wants
to come to meteor.com and install the tools.

Your best option is clearly to come to the monthly DevShop events at Meteor HQ
in SF. If you come to DevShop to install Meteor, I will personally confirm the
SHA1 for you :)

~~~
grinich
But then how will he _really_ know it's you, Geoff? ;)

In all seriousness, you should consider posting a response like this in your
FAQ/Help and linking at the install tutorial. I'm really sick of this
knee-jerk security reaction happening every time someone builds an installer like
this.

~~~
shredfvz
While it's ok for Meteor to keep doing what they're doing, it's hardly a "knee
jerk security reaction" to criticize their installation instructions.

Story time. I'm at a hotel, connecting to the Web over Tor and using my
distro's package manager (Pacman) to install software. I'm also routing Pacman
over Tor because I trusted the hotel wifi even less than I trusted Tor.
Anyway, Pacman has this wonderful feature of verifying md5sums - fingerprints
of the original source code, as posted by the source code author - from source
packages before installing any of the code onto your system. If the md5sums on
the software you download don't match the author's posted true md5sums,
something is probably wrong. You can tell where this story is going. As I'm
installing a few packages, which I've done numerous times in the past, Pacman
throws a warning: the md5sums don't match. Slightly annoyed, I then download
the software directly from PyPI over the hotel's wifi connection, md5sum it
and lo and behold, it's the correct md5. It's the exact same software version
and everything.

Importantly, the source code must've somehow been modified between the time it
was sent from the AUR/PyPI and when it ended up on my machine. Luckily, the
md5sum check failed and the software didn't install, but it did scare me quite
a bit.

If I had instead been installing Meteor, as per Meteor's current insecure
directions, without checking md5sums or signatures, who knows what could've
happened. The Meteor team should really consider releasing an md5sum,
sha256sum, or better yet sign their packages, because otherwise there's no way
to verify the contents of a download.

The Meteor team clearly has the resources to provide this to the inquisitive.
It is SOP for all major FOSS. I get that there's something to be said about
the ease of releasing packages from GitHub, but imagine if the Linux kernel
did this? What Meteor has right now is ok for alpha software. They certainly
have room to grow.
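
The digest check discussed in this sub-thread, applied to a piped installer: save the script, compare its SHA-256 with a pinned value, and execute it only on a match. This is an added example, not part of the thread and not Meteor's installer; `sha256_of` and `run_if_verified` are hypothetical names, the installer is a constructed stand-in, and it assumes the pinned digest was obtained separately from the download.

```shell
#!/bin/sh
# Added example (hypothetical names): run a downloaded installer only after its
# SHA-256 matches a digest obtained separately from the download itself.
# Real use, instead of piping into sh (PINNED_DIGEST is a placeholder):
#   curl -fsSL -o install.sh https://install.meteor.com
#   run_if_verified install.sh "PINNED_DIGEST"

# sha256_of FILE: print the hex digest using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# run_if_verified FILE EXPECTED_SHA256 [ARGS...]
# Returns 2 if FILE cannot be hashed, 3 on digest mismatch (FILE is not run),
# otherwise the exit status of the script itself.
run_if_verified() {
    file=$1
    expected=$2
    shift 2
    actual=$(sha256_of "$file" 2>/dev/null)
    [ -n "$actual" ] || return 2
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run $file: digest $actual != pinned $expected" >&2
        return 3
    fi
    sh "$file" "$@"
}

# Demo on a constructed stand-in for the downloaded installer (no network).
demo=$(mktemp -d)
printf 'echo "installer ran"\n' > "$demo/install.sh"
# In the demo the pin is taken from the untouched file; in real use it comes
# from the publisher over a separate channel.
pinned=$(sha256_of "$demo/install.sh")
run_if_verified "$demo/install.sh" "$pinned"
# Simulate modification between server and disk.
printf 'echo "injected line"\n' >> "$demo/install.sh"
run_if_verified "$demo/install.sh" "$pinned" || echo "blocked (exit $?)"
rm -rf "$demo"
```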

------
pearkes
I feel like there's a certain point where thoughtfulness trumps speed while
building something.

Why is there such a desire to do X in N minutes? How can something unique and
truly useful come from 5 shell commands?

~~~
scottmagdalein
Because accepting an email for a newsletter is not unique and should be able
to be built in as little time as possible.

------
nedludd
"Type this code and run it".

Hey, I can teach you the theory of relativity in 30 seconds: type this
"e=mc2".

~~~
scottmagdalein
This isn't a "learn how to be a programmer" tutorial. This is a "look how easy
Meteor makes getting something simple built and deployed".

So instead of the theory of relativity, how about using a calculator to do
your taxes.

~~~
nedludd
Fair enough. But this is still not teaching me much about actually writing an
app in Meteor. It tells me to type the code in, not how it works or what it
all means.

To use the calculator metaphor it would be like saying: "enter 75345 + 3455 / 4,
there's your taxes!"

~~~
scottmagdalein
I see. For me, a beginner programmer, this type of thing is really helpful in
explaining what you can do with the language/framework and what the structure
of build/deploy looks like.

------
sid6376
Meteor sounded like a really good concept and I wanted to give it a decent
shot. However I could not find a getting started project. The ones I found
were very trivial and did not go much into details. I couldn't really find a
lot of documentation about how to create an app which used 40-50% of the
features which will be used by the majority of the crowd. But I will give it
another shot and probably write a polls app (ala Django getting started) in
meteor.

~~~
javajosh

       meteor create --list
    

Personally, I think the `parties` example is a good one, so you can do:

    
    
       meteor create --example parties
    

Enjoy.

~~~
1qaz2wsx3edc
The parties example only uses a static map (lame), they make no use of Google
Maps or Leaflet. Try using an infoWindow. You can't, it's not easy. Your
productivity will be stonewalled with the simplest of integrations. (This is a
limit of constant regions and how meteor handles controlling a piece of the
dom). Working with maps or third party libraries is a common task.

So, given that common tasks become stonewalled and meteor promises
productivity, I'm waiting for 1.0, meteor is all too young.

I do love some parts of the pattern. I'm surprised that it hasn't been done
before; like years ago.

~~~
javajosh
As much as I dislike the whiny tone of your comment, you have a point: Meteor
has problems integrating with some libraries. If a smart-package doesn't exist
for it, the odds of it working are slim. (Try getting jquery ui to work...)

Part of this is because the Meteor use of reactive programming is very
different.

Regarding the whining: projects like this take time and effort to create.
Wanting something "a year ago" ignores the reality that this is what we have
now, and for all its warts, it's good!

~~~
wavesounds
Lots of non-standard packages here which are easily added like "mrt add
jquery-ui"

<https://atmosphere.meteor.com/>

------
eCa
> $ meteor add email

> This package is automatically configured to send emails (up to 300 per day)
> through Mailgun

I'm not sure I like having 'email' linked to a specific service. But maybe
that's the Meteor way?

~~~
patrickleet
You can use other things, but if you want to use one instantly with zero
configuration, there's this.

~~~
ferrantim
That's correct. Here is a quote from the meteor blog announcing this feature:
" But there's more than just an API. We've partnered with Rackspace's Mailgun
team so that every app deployed with $ meteor deploy can send email right
away, without any annoying configuration process. These automatic accounts are
capped at 200 messages a day, but of course you're not tied to them. You can
use any SMTP server (your own box, a paid Mailgun account, or anything else)
just by setting the $MAIL_URL environment variables, whether you're using our
deploy servers or running your own bundles."

------
orionblastar
I tried it, sent email to myself. Never received it. I typed everything
correctly except I replaced the email with my own email orionblastar@gmail.com.
There were no error messages either.

Do I have to install things like sendmail to make it work? If so that needs to
be in the documentation.

Yes I did the meteor add email part, I followed every step.

~~~
sergeyo
Hello,

It looks like you haven't actually deployed the code. Once deployed a free
Mailgun account is created for you behind the scenes and assigned to your app.
To test locally you need to create a Mailgun account and follow instructions
from the "Extra optional step" section.

BR, Sergey

~~~
orionblastar
That is because I don't have a web site to deploy to yet. I wanted to test it
on my Ubuntu box on Apache first before deploying. Why do I have to create an
account on some other web site just so I can send email on my local Ubuntu
machine?

------
doomslice
Just curious, how does Meteor deal with concurrency issues where multiple
clients are making changes to the same objects? Does last update win? How does
this get reflected back to the UI?

Brief example: A grocery list that both my wife and I are editing, deleting,
adding, and re-arranging at the same time.

~~~
jggonz
They go into detail on this in their screen casts and online documentation.

------
don_draper
Why does HN _not_ like MongoDB, but _does_ like Meteor. Meteor uses MongoDB if
you don't know.

~~~
nestlequ1k
MongoDB is pretty popular here. There's just a vocal group of old school RDBMS
lovers who like to hate on everything that isn't PostgreSQL.

~~~
papsosouid
That doesn't seem very accurate. Plenty of "how do I shot database?" people
are very anti-mongo too. Some of that may well be because they feel mongo gets
more mindshare than their preferred nondb, but don't blame postgresql users
for that.

------
bjourne
Great tutorial! If only there was an easy way to store the entered addresses
in a database? Maybe that could be done in the next 5 minutes? :) I've had a
few projects which were basically nothing more than just what was in the
article. Meteor's builtin deploy and free Mailgun will fit perfect for cases
like that.

~~~
acemtp
On the server, add something like:

    RegUsers = new Meteor.Collection("regUsers");

    RegUsers.insert({email:email});

------
islon
"French Meteor Evangelist" is one of the coolest titles I ever heard. Makes a
great business card.

~~~
acemtp
Good idea! Let's do it so I'll not forget :)

------
lquist
The great thing about Rails (and Django) was that it was born in the wild. It
was built in the process of solving a real world problem, and
generalized/abstracted from there. Meteor lacks that type of genesis, and I
wonder if that's important.

------
MrBra
Aren't we all scared that some time in the future from now, new kids will have
new tools that will make programming a totally customizable and
super-performing web application as trivial as for example dragging some component
here and there, like for us has been working with new generation programming
environments, compared to i.e. coding asm? This is a part of the hidden
feeling I guess..

Also that then, our present efforts and knowledge will be culturally relevant
but totally unnecessary for developing great new generation apps ?

But...... we have what we have now, and we still code because we like it NOW,
so we should accept the passing of time (and all evolutions it will bring) and
think that we are still doing what we enjoy doing and that we have the luck of
making a life out of it, possibly :)

Only moment to be concerned about the future is when they'll invent a time
machine..

~~~
derringer
You're likely being down voted because since the invention of programming the
field has been continuously becoming "easier" often by leaps and bounds.
However, programmers always remain at the edge of the boundary so there is
continuously more work for programmers, not less. Every component of what made
things "easy" can be improved by making it more flexible, performant etc. and
doing this most believe will always require a skilled programmer.

But to play devil's advocate, if we were to create true artificial intelligence
(I guess it would just be intelligence at that point) then not only would
programmers be obsolete, but all of humanity would be obsolete. We'd all just
be WALL-E style mouths to feed. This seems difficult to imagine, but we
already see it happening in some ways. Unemployment is high almost everywhere
and there's no fundamental economic law that every human on the planet can
contribute sufficiently to match said human's consumption.

Essentially what this means is we have two pretty rough options. First, all of
these people fall under the welfare state. The homeless and hungry all get
what they need through governments, NGOs and charities. The other is the
Darwinian approach, nature's great equalizer. Both of these options suck
pretty hard, but that may be the world we're looking at until our robot
overlords turn us into batteries (although it's more likely we'd become pets
if anything at all).

------
readme
Amazon SES is similarly easy, and it works with any language over SMTP

------
SebdL
Good job to Vianney... our French Meteor Earlyvangelist!

~~~
acemtp
Thanks

------
erkin_unlu
two questions: is it easy to get started? is it easy to customize according to
my needs in advanced later stages?

~~~
acemtp
Getting started with Meteor? I've never created a web app so quickly! For the
customization, it depends on what your needs are. Meteor is clearly cool for
making collaborative web apps.

If it's about Mailgun, you can get started for free without any configuration
and if you want to send more than 300 emails/day later, you can create a
mailgun account and easily integrate your own SMTP credentials into the app
using the steps outlined in the blog.

------
jaequery
what's the difference between mailgun and sendgrid?

~~~
twakefield
Full disclosure: I am the OP and work at Mailgun

This is tough for me to answer objectively, but I'll do my best.

Both services offer many of the same features and eliminate the pain of
managing your own email server. Both services will achieve better
deliverability at scale than managing your own server unless you know what you
are doing and most people aren't interested in diving that deep into email.

Mailgun is very focused on serving developers and that guides our product
roadmap. Therefore, we don't offer features like WYSIWYG newsletter creation
tools. We build everything API first and we strive to make them RESTful,
intuitive and well documented. Admittedly, our GUI / control panel is not the
strongest part of the product. We also focus a lot on incoming email and we
are pretty proud of our inbound email parsing through Routes. Mailgun is owned
by Rackspace (acquired in Aug 2012).

Sendgrid is definitely the largest transactional email sender in the market. I
recently read they do something like 7 billion emails monthly. They have more
tools for non-developers like newsletter creators and support language
wrappers that some developers prefer. They also offer inbound through their
Parse App. Sendgrid is an independent, private company that has raised $27.4mm
in funding according to Crunchbase [1].

My recommendation would be to try both - the docs are all online and both
offer free plans to test with.

[1] <http://www.crunchbase.com/company/sendgrid>

~~~
pfraze
Mailgun sounds like a really good fit for me. I'm running a couchdb server,
and I want to set it up to POST to my DB. Dump straight into my document
store, life is good.

I did a quick try at it and ran into a 415 from couchdb, which means mailgun
didn't send json. Is there a way to configure a route to do that? If not, I'll
have to write a custom _update handler.

~~~
twakefield
Hey pfraze, we do not have a json option for Routes.

~~~
pfraze
Ok, cool. Custom _update handler it is.

------
alecocq
Great article from Vianney, easy to read, easy to understand

------
seivan
Anyone who says "5 minutes implementation" to me, gets a nice and sound "GO
FUCK YOURSELF"

EDIT: Usually it's the business monkey, UX snake oil guys and product leeches
that say "Hey, that will only take like 5 minutes, right?"

~~~
ehutch79
Why is this getting downvoted so much? Just the language, I hope, because there
is a point there.

Every time I see a meteor post, I get the feeling the article is telling me I'd
be a fool to use anything else.

Assuming that's so, can we start talking about things like PCI compliant
meteor apps. And what the security landscape looks like since you can interact
with the data store via your browser's javascript console.

~~~
JPKab
"And what the security landscape looks like since you can interact with the
data store via your browser's javascript console."

By default, Meteor is in a "development" mode where all the security is off
while you get the app doing what you want on localhost. The security is
implemented later by turning off the autopublish feature and using
authentication at the pub/sub level in the "model" component of the MVVM
stack. At this point, when you try to do what they do in the demo, and change
data from the browser console, it will make the change in the client for a
split second, but that change is rejected at the model level, and the client
resyncs with the model and the change is undone in the view.

BTW, I only "learned" (I'm not at all an expert) Meteor a few weeks ago
(although I've been following the project since they first announced it 10??
or so months ago.) It's actually pretty straightforward once you get the hang
of it. But it is unmistakably a BIG FRAMEWORK in the Rails sense, whereas
everything else in the Node world is truly modular in the Node fashion, with
full transparency into what's going on. For people who like that, check out
Derby, and it looks like there is some more stuff in the pipeline with Rendr
by the dudes at AirBnB.

