
meteor-easy-security's Introduction

Easy Security

This package is deprecated as there are a lot of alternatives for the functionality of this package:


meteor-easy-security's Issues

Doesn't work with audit-arguments-check

I20160126-10:41:18.479(4)? Exception while invoking method 'Mongol_verifyDoc' Error: Did not check() all arguments during call to 'Mongol_verifyDoc'
I20160126-10:41:18.480(4)?     at Object.Match._failIfArgumentsAreNotAllChecked (packages/check/match.js:112:1)
I20160126-10:41:18.480(4)?     at maybeAuditArgumentChecks (packages/ddp/livedata_server.js:1614:1)
I20160126-10:41:18.480(4)?     at packages/ddp/livedata_server.js:648:1
I20160126-10:41:18.480(4)?     at packages/ddp/livedata_server.js:546:1
I20160126-10:41:18.480(4)?     at [object Object]._.extend.withValue (packages/meteor/dynamics_nodejs.js:56:1)
I20160126-10:41:18.479(4)?     at [object Object]._.extend.throwUnlessAllArgumentsHaveBeenChecked (packages/check/match.js:357:1)
I20160126-10:41:18.480(4)?     at [object Object]._.extend.withValue (packages/meteor/dynamics_nodejs.js:56:1)
I20160126-10:41:18.480(4)?     at packages/ddp/livedata_server.js:647:1
I20160126-10:41:18.480(4)?     at [object Object]._.extend.protocol_handlers.method (packages/ddp/livedata_server.js:646:1)

Has no method 'onLogin'

I just updated meteor packages and I started getting the below error, could you help me, please?

TypeError: Object [object Object] has no method 'onLogin'
 at Package (packages/matteodem:easy-security/lib/server.js:65:1)
 at /Users/....../.meteor/local/build/programs/server/boot.js:229:5

Meteor packages:

meteor-platform
jquery
less
chrismbeckett:toastr
bigdsk:inputmask
fortawesome:fontawesome
momentjs:moment
mrt:modernizr-meteor
natestrauser:select2
underscore
underscorestring:underscore.string
twbs:bootstrap
accounts-base
accounts-password
alanning:roles
audit-argument-checks
browser-policy
fastclick
email
iron:router
manuelschoebel:ms-seo
matteodem:easy-security
meteorhacks:kadira
mquandalle:bower
msavin:mongol
natestrauser:animate-css
raix:handlebar-helpers
sacha:spin
settinghead:auto-nprogress
zimme:iron-router-active
aldeed:autoform
aldeed:autoform-select2
aldeed:collection2
aldeed:simple-schema
dburles:collection-helpers
matb33:collection-hooks
nimble:restivus
tap:i18n
aldeed:tabular
reywood:publish-composite
meteorhacks:unblock

Throwing errors within Meteor methods hangs page up

Say I have a simple Meteor method that throws Meteor.Error like this:

easySecurityTest: function() {
  throw new Meteor.Error('Something is wrong (test)');
  return true;
}

I call it on the client like this:

Meteor.call('easySecurityTest', function(err, res) {console.log(err, res)})

After this, the page wouldn't respond to any actions unless it's reloaded, and an exception is reported on the server:

I20141206-20:41:17.290(2)? Exception in setTimeout callback: Error: [Something is wrong (test)]
I20141206-20:41:17.292(2)?     at Meteor.methods.easySecurityTest (server/server/server/methods.next.js:37:10)
I20141206-20:41:17.293(2)?     at Object.methods.rateLimit.callFunctionsInQueue (packages/matteodem:easy-security/lib/easy-security.js:72)
I20141206-20:41:17.293(2)?     at packages/matteodem:easy-security/lib/easy-security.js:116
I20141206-20:41:17.294(2)?     at packages/matteodem:easy-security/lib/easy-security.js:92
I20141206-20:41:17.294(2)?     at _.extend.withValue (packages/meteor/dynamics_nodejs.js:56)
I20141206-20:41:17.295(2)?     at packages/meteor/timers.js:6
I20141206-20:41:17.295(2)?     at runWithEnvironment (packages/meteor/dynamics_nodejs.js:108)

This may be related to #2.

Rate Limiting fails when insertion is unsuccessful

Rate limiting fails on an insert when the allow function does not allow the insert to go through. In this case, all future inserts from that session are discarded.

Reproduction instructions:

  1. Create an insert allow rule which returns false
  2. Attempt collection insertion from the browser console
  3. Second and subsequent insertions are discarded
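
Both reports above describe a queued call that fails and leaves later calls from the same session unanswered. The sketch below is an added example, not easy-security's code: a delay queue that reports a thrown error to the waiting caller and keeps draining. `createRateLimitedQueue`, `runDemo` and the injected `schedule` parameter are hypothetical names.

```javascript
// Added example: hypothetical names, not easy-security's implementation.
// Runs queued method calls one per `ms` and always answers the caller.
function createRateLimitedQueue(ms, schedule = setTimeout) {
  const queue = [];
  let draining = false;

  function drain() {
    const job = queue.shift();
    if (!job) { draining = false; return; }
    let settled = false;
    const settle = (err, res) => {
      if (settled) return;            // never answer the same call twice
      settled = true;
      job.done(err, res);
    };
    try {
      // Keep the caller's `this` (e.g. this.userId) for the deferred call.
      settle(null, job.fn.apply(job.context, job.args));
    } catch (err) {
      settle(err);                    // a throwing method is reported, not lost in the timer
    } finally {
      schedule(drain, ms);            // keep draining after success or failure
    }
  }

  return function call(context, fn, args, done) {
    queue.push({ context, fn, args, done });
    if (!draining) { draining = true; schedule(drain, 0); }
  };
}

// Constructed demo: a manual scheduler makes the timing deterministic.
function runDemo() {
  const timers = [];
  const call = createRateLimitedQueue(500, (fn) => timers.push(fn));
  const answers = [];
  const record = (err, res) => answers.push(err ? 'error: ' + err.message : 'ok: ' + res);
  const ctx = { userId: 'u1' };
  call(ctx, function () { throw new Error('Something is wrong (test)'); }, [], record);
  call(ctx, function (n) { return this.userId + ':' + n; }, [2], record);
  while (timers.length) timers.shift()();
  return answers;
}
```

The second call is still answered after the first one throws, which is the behaviour the reports found missing.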

Clarification question - does it work out of the box without any configuration?

Just to get further clarification: if I add this package, without doing anything else, it will wrap all my Meteor methods, even custom-defined ones, and limit them to the general rate limit of 500ms per connection. I don't need to worry about any of the hooks that you describe unless I want to further customize it.

Is that a correct understanding? Thanks.

Server error message when easy-security was installed

We are on Meteor release 1.0.2.1. After installing easy-security, we get the following error when trying to start the app. Without easy-security, the app is error-free.

Exception in setTimeout callback: Error: Meteor.userId can only be invoked in method calls. Use this.userId in publish functions.
at Object.Meteor.userId (packages/accounts-base/accounts_server.js:19:1)
at [object Object].Meteor.methods.reverify (app/server/collections/users.js:98:16)
at [object Object].methodMap.(anonymous function (packages/meteorhacks:kadira/lib/hijack/wrap_session.js:182:1)
at Object.methods.rateLimit.callFunctionsInQueue (packages/matteodem:easy-security/lib/easy-security.js:72:1)
at packages/matteodem:easy-security/lib/easy-security.js:116:1
at packages/matteodem:easy-security/lib/easy-security.js:92:1
at [object Object]._.extend.withValue (packages/meteor/dynamics_nodejs.js:56:1)
at packages/meteor/timers.js:6:1
at runWithEnvironment (packages/meteor/dynamics_nodejs.js:108:1)

Possible security issue

Hi,

When I added this package, I noticed a possible security problem. Check out what I was trying to do from the browser; below each command are the results. The first command failed, but the second command onwards worked! O_O

Timers.update('vsSBHtsgSwL5XXPaP', {$set: {type: 'WAIT'}});
0
debug.js:41 update failed: Access denied. No allow validators set on restricted collection for method 'update'.

Timers.update('vsSBHtsgSwL5XXPaP', {$set: {type: 'WAIT'}});
0

Package seems to insert Meteor.userId into publish function, generates error

So this is my method

  starPost: (postId) ->
    throw new Meteor.Error("not-authorized") unless Meteor.userId()

    Posts.update _id: postId,
      $addToSet:
        starredBy: Meteor.userId()

and it results in the following error - if I'm calling it repetitively and easy security rate limit kicks in

I20150606-14:30:03.123(2)? Exception while invoking method 'starPost' Error: Meteor.userId can only be invoked in method calls. Use this.userId in publish functions.
I20150606-14:30:03.123(2)?     at Object.Meteor.userId (packages/accounts-base/accounts_server.js:19:1)
I20150606-14:30:03.123(2)?     at [object Object].Meteor.methods.starPost (server/methods/methods.coffee:117:60)
I20150606-14:30:03.123(2)?     at Object.methods.rateLimit.callFunctionsInQueue (packages/matteodem:easy-security/lib/easy-security.js:93:1)
I20150606-14:30:03.123(2)?     at packages/matteodem:easy-security/lib/easy-security.js:137:1
I20150606-14:30:03.123(2)?     at packages/matteodem:easy-security/lib/easy-security.js:113:1

Could it be that the package inserts the Meteor.userId() from the method into the publish function?
How to solve this?

disable package for Velocity tests

I'm trying to disable this package while running my velocity test suite. Is it possible to set a flag or configuration so that this package is completely disabled?

I tried doing this, but the server methods still run inside the meteor-easy-security wrapper functions.

EasySecurity.config({
  general: { type: 'rateLimit', ms: 0 },
  methods: {
  },
});

thanks.

Argument checks are not audited by rate limiter

I use audit-argument-checks as a default. I noticed when I try and use meteor-easy-security, this leads to the following error:

Exception while invoking method '/charts/insert' Error: Did not check() all arguments during call to '/charts/insert'

Reproduction instructions:

  1. install audit-argument-checks
  2. trigger rate limiting delay

Error received

Exception in setTimeout callback: Error: Future resolved more than once
I20141102-19:33:38.191(5.5)? at Object.Future.return (/Users/zulfi/.meteor/packages/meteor-tool/.1.0.35.cvm1jg++os.osx.x86_64+web.browser+web.cordova/meteor-tool-os.osx.x86_64/dev_bundle/lib/node_modules/fibers/future.js:154:10)
I20141102-19:33:38.191(5.5)? at Object.methods.rateLimit.callFunctionsInQueue (packages/matteodem:easy-security/lib/easy-security.js:71)
I20141102-19:33:38.191(5.5)? at packages/matteodem:easy-security/lib/easy-security.js:111
I20141102-19:33:38.191(5.5)? at packages/matteodem:easy-security/lib/easy-security.js:87
I20141102-19:33:38.191(5.5)? at _.extend.withValue (packages/meteor/dynamics_nodejs.js:56)
I20141102-19:33:38.191(5.5)? at packages/meteor/timers.js:6
I20141102-19:33:38.192(5.5)? at runWithEnvironment (packages/meteor/dynamics_nodejs.js:108)

Deprecate this package

Deprecate the package as there are other alternatives for the functionality that this package provides.

Hook API

Hi, great package, thanks! Is there a way to define a global hook that applies to all methods? Even better would be the ability to further give methods and ignoredMethods. If not, consider this a FR :)

My current use case is I don't want clients who are not logged in to be able to call any methods.

Limit the absolute number of calls in a given time frame without rate limit

Hi, nice work. I would like to extend this package in order to cover another case. However, I wanted to discuss with you before to understand if it makes sense or if it is already on your roadmap.

I would like to limit the number of calls per connection of a given method to a fixed daily/hourly number. For example, "methodA" can be invoked at most three times in an hour. I do not think this case can be reduced to the existing ones because I do not want to limit how often "free calls" are fired. One can spend his three calls in a few milliseconds with no rate limit.

A case study could be a freemium service.

Does it make sense?
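
The quota requested above, sketched as an added example that is not part of easy-security: calls per connection and method are capped within a rolling window, with no spacing enforced between them. `createCallQuota`, `runQuotaDemo` and the `limits` shape are hypothetical names.

```javascript
// Added example: hypothetical names, not part of easy-security.
// Caps calls per (connection, method) in any rolling window; bursts are allowed.
function createCallQuota(limits, now = Date.now) {
  const history = new Map();   // "connectionId\u0000method" -> timestamps of allowed calls

  function check(connectionId, method) {
    const rule = limits[method];
    if (!rule) return { allowed: true, retryAfterMs: 0 };   // no quota configured
    const key = connectionId + '\u0000' + method;
    const t = now();
    const recent = (history.get(key) || []).filter((ts) => t - ts < rule.windowMs);
    if (recent.length >= rule.max) {
      history.set(key, recent);
      // The oldest recorded call is the first to leave the window.
      return { allowed: false, retryAfterMs: rule.windowMs - (t - recent[0]) };
    }
    recent.push(t);
    history.set(key, recent);
    return { allowed: true, retryAfterMs: 0 };
  }

  // Drop state when a connection closes so the map cannot grow without bound.
  function forget(connectionId) {
    for (const key of history.keys()) {
      if (key.startsWith(connectionId + '\u0000')) history.delete(key);
    }
  }

  return { check, forget };
}

// Constructed demo: "methodA" at most three times in an hour, with a fake clock.
function runQuotaDemo() {
  let clock = 0;
  const quota = createCallQuota({ methodA: { max: 3, windowMs: 3600000 } }, () => clock);
  const results = [];
  for (let i = 0; i < 4; i++) { results.push(quota.check('conn1', 'methodA')); clock += 1; }
  clock = 3600000;             // the call made at t=0 has just left the window
  results.push(quota.check('conn1', 'methodA'));
  return results;
}
```

A quota keyed on the connection starts fresh when the client reconnects; keying on the user id instead makes the count survive reconnects.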

Feature: method.delay

Delay calls by a fixed amount of ms to simulate asynchronous calls when developing locally. Could be super useful for development, or is there already an existing solution?

Using Meteor.call from within method causes silent failure

If I start a blank app with the following methods:

Meteor.methods({
    foo: function() {
      console.log('in foo');
      Meteor.call('bar')
      console.log('bar called');
    },

    bar: function() {
      console.log('in bar');
    }
})

Everything works as expected. However when I add meteor-easy-security the call to bar causes silent failure and then subsequent calls to 'foo' do nothing either.

Error with meteor-easy-security and Accounts-Entry package on entryCreateUser

Hey,

So I tried using the accounts-entry package by Josh Owens, but I have run into a problem with accounts-entry and easy-security.

On signup, I was getting this error:
[screenshot 2015-02-27 13 54 01]

After a bit of debugging, the error was being produced in or around here:

[screenshot 2015-02-27 14 27 23]

I don't know why this was occurring.

For the moment, I had to remove the easy-security package.

Using 'debounce' for general config crashes

When I switch from

EasySecurity.config
  general:
    type: 'throttle'
    ms: 2000

to

EasySecurity.config
  general:
    type: 'debounce'
    ms: 2000

I get on the server: => Exited with code: 1
