

Meteor chat app - zquestz
http://github.com/zquestz/simplechat

======
ukd1
It worries me that security is still not a big part of this. I hope most
people don't miss the fact that it's simple because it's insecure. Good luck
to them solving it without ruining what's a nice idea.

Sample: in your console, type:

Messages.remove({})

or

Users.remove({})

~~~
cmelbye
Eh, that issue is not really an issue. Server-side functions are actually a
surprisingly elegant way of handling security. Basically, instead of calling
Users.remove({}), .insert(), .update(), etc., you create functions on the
server that are called from the client. That way, the server controls what you
can and can't edit. The end result is still very simple, because you're just
calling functions like user_login(), send_message(), etc. instead of operating
on the database directly on the client-side.

~~~
arturadib
According to the FAQ they're still working on a built-in user authentication.

If you have to implement a separate, server-side CRUD security check by hand,
then I don't see why I would choose Meteor over say Rails or Express plus
Backbone.

~~~
zquestz
You wouldn't yet. I use Backbone every day for my main job, and it's a great
tool. Just imagine when frameworks like Meteor are complete and you can
minimize a bunch of your boilerplate code.

------
nicklovescode
Having used Meteor for a few weeks, I'm always impressed with how much time it
is saving me.

One of the unfortunate things about Meteor at the moment is that there aren't
many open projects to learn from. For others trying to gain insights into best
practices through these projects, here are some suggestions I can offer:

// now is the current server time in milliseconds, e.g. var now = Date.now();
Users.find({last_seen: {$lt: (now - 60 * 1000)}}).forEach(function (user) {
  Users.remove(user._id);
});

-> Users.remove({last_seen: {$lt: (now - 60 * 1000)}});

and

Messages.find({date: {$gt: new Date()}}).forEach(function (message) {
  Messages.update(message._id, {$set: {date: new Date()}});
});

-> // multi: true is needed, otherwise update only touches the first match
   Messages.update({date: {$gt: new Date()}}, {$set: {date: new Date()}}, {multi: true});

Excellent work otherwise though. I'd love to see more open source projects
released with Meteor if anything for others to learn from!

~~~
shinta42
A quick search through GitHub, and I found there are so many open projects out
already; you just have to know how to search. For example:
<https://github.com/Maedi/CometHop>
<https://github.com/jonathanKingston/britto>
<https://github.com/chris-ramon/minitrello>
<https://github.com/maeharin/dokoiru>
<https://github.com/tomsoderlund/MathPlay>
<https://github.com/philippkueng/rock-paper-scissors>

------
zquestz
Just for a quick update. I have made a few commits to address the security
problems people noted below. You can no longer reset any collections from the
client, or spoof messages from a different user. If people still see issues in
the code, you can let me know and I can patch those up too. =)

------
user49598
Here's mine from a while ago: <http://instachat.meteor.com/>

source: <https://github.com/spicytuna/InstaChat>

you can create rooms like this: <http://instachat.meteor.com/room/HackerNews>

~~~
zquestz
I saw your app on the made with meteor site. You still upgrading it?

~~~
user49598
Haven't made any commits in a while. Waiting for more features from meteor.

------
azat_co
I wasn't able to see my messages. Something is broken?

~~~
zquestz
It auto-deletes any messages that have a date greater than the server's. Make
sure your clock is set right. =)

~~~
azat_co
Hmm, strange. I'll check it.

~~~
zquestz
I added some variance and pushed a hotfix. It now allows for about 10 seconds
of fluctuation.

~~~
heretohelp
Or you could just have a message pushing and time-handling facility that isn't
pants-on-head retarded.

~~~
zquestz
Agreed, timestamps are all handled by the server now. No more trusting
clients. Also keep in mind this was pushed to HN about 2 hours after
development started.

~~~
heretohelp
Then stop prematurely promoting half-assed code?

This is like back when Rails was new and everybody was showing off their
poorly made CMS that had security issues baked in from the start.

~~~
zquestz
Yeah because it is a tech demo, not a shippable product. There is a huge
difference. Sometimes people want to get their feet wet and just play with
something. They offer others a chance to follow their commits, and see where
the product evolves. This leads to better knowledge sharing, and finding like
minded people in the community. Your nick really doesn't reflect your
personality in this thread.

------
level09
Is it possible to generate a non-hackable secret token on the client and
validate it on the server?

~~~
zquestz
Other way around. Server generates the token and passes it to the client on
login.

