Do I need to put the createUser code in a Meteor method?

Time: 2021-10-01 15:56:53

I'm writing a meteor app and working on my user registration template.

Currently I have the following code, imported on the client:

Template.register.events({
  'submit form': function(event){
    event.preventDefault();
    let username = $('[id=input-username]').val();
    let email = $('[id=input-email]').val();
    let password = $('[id=input-password]').val();
    Accounts.createUser({
      username: username,
      email: email,
      password: password
    }, function(error){
      if(error){
        Bert.alert( "That username or email is either taken or invalid. Try again.", 'danger', 'growl-top-right' );
        // console.log(error.reason);
      }
      else {
        FlowRouter.go('mainLayout');
      }
    });
  }
});

My question is, is it ok to have the Accounts.createUser code on the client or do I need to call this from a meteor method imported on the server? In my head I'm thinking a user can register as many times as they like with different emails / usernames therefore what's the harm in having the code on the client vs making a call to the server.

Thoughts welcome.

2 solutions

#1


0  

CreateUser is designed to be used from the client. It handles the encryption of the password before it is sent to the server.

#2


0  

You can do validations on the client side to save time, but ideally you should write the code in a Meteor method on the server side and call it on the client side via Meteor.call(). In your case I can simply add users using the Chrome console and can loop it a million times to add random stuff to your db. CSRF attacks are mostly welcome this way. You should also specify collections.allow() and collections.deny() when you are defining a new Mongo.Collection(). Also, you should remove the autopublish and insecure packages from your Meteor project.
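Server-side guards against the scripted mass sign-up that answer #2 describes, as an added example that is not part of the question or of either answer: it validates every new user on the server with Accounts.validateNewUser and throttles the built-in createUser method with DDPRateLimiter (from the ddp-rate-limiter package). The regular expressions, the limits and the helper name registerSignupGuards are assumptions made for illustration.

```javascript
// Added example for a Meteor server file. Patterns and limits are assumed values.
const USERNAME_RE = /^[A-Za-z0-9_]{3,20}$/;
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const MAX_SIGNUPS = 5;        // assumed: createUser calls allowed per window
const WINDOW_MS = 60 * 1000;  // assumed: window length in milliseconds

// Accounts.validateNewUser passes the proposed user document:
// { username, emails: [{ address, verified }], ... }. Return false to reject.
function validateNewUser(user) {
  // Reject non-string usernames (e.g. objects sent from a browser console).
  if (!user || typeof user.username !== 'string') return false;
  if (!USERNAME_RE.test(user.username)) return false;
  // Assumption: this app requires exactly one email address per account.
  const emails = Array.isArray(user.emails) ? user.emails : [];
  if (emails.length !== 1) return false;
  const address = emails[0] && emails[0].address;
  return typeof address === 'string' &&
    address.length <= 254 &&
    EMAIL_RE.test(address);
}

// Matcher for DDPRateLimiter: the DDP method behind Accounts.createUser,
// counted separately for each client IP address.
const createUserRule = {
  type: 'method',
  name: 'createUser',
  clientAddress: () => true,
};

// Hypothetical helper: wires both guards into the objects it is given.
function registerSignupGuards(accounts, rateLimiter) {
  accounts.validateNewUser(validateNewUser);
  return rateLimiter.addRule(createUserRule, MAX_SIGNUPS, WINDOW_MS);
}

// Inside a Meteor server these globals exist; elsewhere nothing is registered.
if (typeof Accounts !== 'undefined' && typeof DDPRateLimiter !== 'undefined') {
  registerSignupGuards(Accounts, DDPRateLimiter);
}
```

Both guards run on the server, so they apply whether createUser is called from the registration form or directly from a browser console.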
