This package is deprecated as there are a lot of alternatives for the functionality of this package:
- Meteor Core Rate Limiter
- doctorpangloss:method-hooks
Protection against attacks by rate limiting remote calls
Home Page: https://atmospherejs.com/matteodem/easy-security
I20160126-10:41:18.479(4)? Exception while invoking method 'Mongol_verifyDoc' Error: Did not check() all arguments during call to 'Mongol_verifyDoc'
I20160126-10:41:18.480(4)? at Object.Match._failIfArgumentsAreNotAllChecked (packages/check/match.js:112:1)
I20160126-10:41:18.480(4)? at maybeAuditArgumentChecks (packages/ddp/livedata_server.js:1614:1)
I20160126-10:41:18.480(4)? at packages/ddp/livedata_server.js:648:1
I20160126-10:41:18.480(4)? at packages/ddp/livedata_server.js:546:1
I20160126-10:41:18.480(4)? at [object Object]._.extend.withValue (packages/meteor/dynamics_nodejs.js:56:1)
I20160126-10:41:18.479(4)? at [object Object]._.extend.throwUnlessAllArgumentsHaveBeenChecked (packages/check/match.js:357:1)
I20160126-10:41:18.480(4)? at [object Object]._.extend.withValue (packages/meteor/dynamics_nodejs.js:56:1)
I20160126-10:41:18.480(4)? at packages/ddp/livedata_server.js:647:1
I20160126-10:41:18.480(4)? at [object Object]._.extend.protocol_handlers.method (packages/ddp/livedata_server.js:646:1)
I just updated Meteor packages and I started getting the error below. Could you help me, please?
TypeError: Object [object Object] has no method 'onLogin'
at Package (packages/matteodem:easy-security/lib/server.js:65:1)
at /Users/....../.meteor/local/build/programs/server/boot.js:229:5
Meteor packages:
meteor-platform
jquery
less
chrismbeckett:toastr
bigdsk:inputmask
fortawesome:fontawesome
momentjs:moment
mrt:modernizr-meteor
natestrauser:select2
underscore
underscorestring:underscore.string
twbs:bootstrap
accounts-base
accounts-password
alanning:roles
audit-argument-checks
browser-policy
fastclick
email
iron:router
manuelschoebel:ms-seo
matteodem:easy-security
meteorhacks:kadira
mquandalle:bower
msavin:mongol
natestrauser:animate-css
raix:handlebar-helpers
sacha:spin
settinghead:auto-nprogress
zimme:iron-router-active
aldeed:autoform
aldeed:autoform-select2
aldeed:collection2
aldeed:simple-schema
dburles:collection-helpers
matb33:collection-hooks
nimble:restivus
tap:i18n
aldeed:tabular
reywood:publish-composite
meteorhacks:unblock
Say I have a simple Meteor method that throws Meteor.Error like this:
easySecurityTest: function() {
  throw new Meteor.Error('Something is wrong (test)');
  return true;
}
I call it on the client like this:
Meteor.call('easySecurityTest', function(err, res) {console.log(err, res)})
After this, the page won't respond to any actions unless it's reloaded, and an exception is reported on the server:
I20141206-20:41:17.290(2)? Exception in setTimeout callback: Error: [Something is wrong (test)]
I20141206-20:41:17.292(2)? at Meteor.methods.easySecurityTest (server/server/server/methods.next.js:37:10)
I20141206-20:41:17.293(2)? at Object.methods.rateLimit.callFunctionsInQueue (packages/matteodem:easy-security/lib/easy-security.js:72)
I20141206-20:41:17.293(2)? at packages/matteodem:easy-security/lib/easy-security.js:116
I20141206-20:41:17.294(2)? at packages/matteodem:easy-security/lib/easy-security.js:92
I20141206-20:41:17.294(2)? at _.extend.withValue (packages/meteor/dynamics_nodejs.js:56)
I20141206-20:41:17.295(2)? at packages/meteor/timers.js:6
I20141206-20:41:17.295(2)? at runWithEnvironment (packages/meteor/dynamics_nodejs.js:108)
This may be related to #2.
Rate limiting fails on an insert when the allow function does not allow the insert to go through. In this case, all future inserts from that session are discarded.
Reproduction instructions:
How would you rate-limit something like this[act].apply(this, data)?
Just to get further clarification: if I add this package, without doing anything else, it will wrap all my Meteor methods, even custom-defined ones, and limit them to the general rate limit of 500ms per connection. I don't need to worry about any of the hooks that you describe unless I want to further customize it.
Is that a correct understanding? Thanks.
We are on Meteor release 1.0.2.1. After installing easy-security, we get the following error when trying to start the app. Without easy-security, the app is error-free.
Exception in setTimeout callback: Error: Meteor.userId can only be invoked in method calls. Use this.userId in publish functions.
at Object.Meteor.userId (packages/accounts-base/accounts_server.js:19:1)
at [object Object].Meteor.methods.reverify (app/server/collections/users.js:98:16)
at [object Object].methodMap.(anonymous function (packages/meteorhacks:kadira/lib/hijack/wrap_session.js:182:1)
at Object.methods.rateLimit.callFunctionsInQueue (packages/matteodem:easy-security/lib/easy-security.js:72:1)
at packages/matteodem:easy-security/lib/easy-security.js:116:1
at packages/matteodem:easy-security/lib/easy-security.js:92:1
at [object Object]._.extend.withValue (packages/meteor/dynamics_nodejs.js:56:1)
at packages/meteor/timers.js:6:1
at runWithEnvironment (packages/meteor/dynamics_nodejs.js:108:1)
Hi,
When I added this package, I noticed a possible security problem. Check out what I was trying to do from the browser; below each command are the results. The first command failed, but the second command onwards worked! O_O
Timers.update('vsSBHtsgSwL5XXPaP', {$set: {type: 'WAIT'}});
0
debug.js:41 update failed: Access denied. No allow validators set on restricted collection for method 'update'.
Timers.update('vsSBHtsgSwL5XXPaP', {$set: {type: 'WAIT'}});
0
So this is my method
starPost: (postId) ->
  throw new Meteor.Error("not-authorized") unless Meteor.userId()
  Posts.update _id: postId,
    $addToSet:
      starredBy: Meteor.userId()
and it results in the following error - if I'm calling it repetitively and easy security rate limit kicks in
I20150606-14:30:03.123(2)? Exception while invoking method 'starPost' Error: Meteor.userId can only be invoked in method calls. Use this.userId in publish functions.
I20150606-14:30:03.123(2)? at Object.Meteor.userId (packages/accounts-base/accounts_server.js:19:1)
I20150606-14:30:03.123(2)? at [object Object].Meteor.methods.starPost (server/methods/methods.coffee:117:60)
I20150606-14:30:03.123(2)? at Object.methods.rateLimit.callFunctionsInQueue (packages/matteodem:easy-security/lib/easy-security.js:93:1)
I20150606-14:30:03.123(2)? at packages/matteodem:easy-security/lib/easy-security.js:137:1
I20150606-14:30:03.123(2)? at packages/matteodem:easy-security/lib/easy-security.js:113:1
Could it be that the package inserts the Meteor.userId() from the method into the publish function?
How to solve this?
Sad to see this deprecated as not all of us can use Meteor v1.2
https://forums.meteor.com/t/ddpratelimiter-on-meteor-1-1-or-other-means-of-throttling-method-calls/17008
It would be great to see a quick explanation of how throttle, debounce, and rateLimit behave differently.
I'm trying to disable this package while running my velocity test suite. Is it possible to set a flag or configuration so that this package is completely disabled?
I tried doing this, but the server methods still run inside the meteor-easy-security wrapper functions.
EasySecurity.config({
  general: { type: 'rateLimit', ms: 0 },
  methods: {
  },
});
thanks.
see info.meteor.com/blog/rate-limiting-in-meteor-core, references #22
I use audit-argument-checks as a default. I noticed when I try and use meteor-easy-security, this leads to the following error:
Exception while invoking method '/charts/insert' Error: Did not check() all arguments during call to '/charts/insert'
Reproduction instructions:
Exception in setTimeout callback: Error: Future resolved more than once
I20141102-19:33:38.191(5.5)? at Object.Future.return (/Users/zulfi/.meteor/packages/meteor-tool/.1.0.35.cvm1jg++os.osx.x86_64+web.browser+web.cordova/meteor-tool-os.osx.x86_64/dev_bundle/lib/node_modules/fibers/future.js:154:10)
I20141102-19:33:38.191(5.5)? at Object.methods.rateLimit.callFunctionsInQueue (packages/matteodem:easy-security/lib/easy-security.js:71)
I20141102-19:33:38.191(5.5)? at packages/matteodem:easy-security/lib/easy-security.js:111
I20141102-19:33:38.191(5.5)? at packages/matteodem:easy-security/lib/easy-security.js:87
I20141102-19:33:38.191(5.5)? at _.extend.withValue (packages/meteor/dynamics_nodejs.js:56)
I20141102-19:33:38.191(5.5)? at packages/meteor/timers.js:6
I20141102-19:33:38.192(5.5)? at runWithEnvironment (packages/meteor/dynamics_nodejs.js:108)
Deprecate the package as there are other alternatives for the functionality that this package provides.
Hi, great package, thanks! Is there a way to define a global hook that applies to all methods? Even better would be the ability to further give methods and ignoredMethods. If not, consider this a FR :)
My current use case is I don't want clients who are not logged in to be able to call any methods.
Hi, nice work. I would like to extend this package in order to cover another case. However, I wanted to discuss with you before to understand if it makes sense or if it is already on your roadmap.
I would like to limit the number of calls per connection of a given method to a fixed daily/hourly number. For example, "methodA" can be invoked at most three times in an hour. I do not think this case can be reduced to the existing ones because I do not want to limit how often "free calls" are fired. One can spend his three calls in a few milliseconds without any rate limit.
A case study could be a freemium service.
Does it make sense?
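The quota described in the request above, sketched as an added example (it is not part of the original post or of easy-security): a fixed-window counter per connection and method that caps the number of calls but imposes no minimum spacing between them. `MethodQuota`, `check`, `forget` and `demo` are hypothetical names, and the connection ids and clock values are constructed.

```javascript
// Added example (not from easy-security): fixed-window call quota per
// connection and method. All names here are hypothetical.
class MethodQuota {
  constructor(rules, now = () => Date.now()) {
    this.rules = rules;        // { methodName: { max, windowMs } }
    this.now = now;            // injectable clock, so the window is testable
    this.counters = new Map(); // JSON [connectionId, method] -> { start, count }
  }

  // Counts one call and reports whether it is still inside the quota.
  check(connectionId, method) {
    const rule = this.rules[method];
    if (!rule) return { allowed: true, retryAfterMs: 0 }; // no quota configured
    const key = JSON.stringify([connectionId, method]);
    const t = this.now();
    let c = this.counters.get(key);
    if (!c || t - c.start >= rule.windowMs) { // first call or window expired
      c = { start: t, count: 0 };
      this.counters.set(key, c);
    }
    if (c.count >= rule.max) {
      return { allowed: false, retryAfterMs: c.start + rule.windowMs - t };
    }
    c.count += 1; // no minimum spacing: calls may be spent back to back
    return { allowed: true, retryAfterMs: 0 };
  }

  // Call on disconnect so counters for dead connections do not pile up.
  forget(connectionId) {
    for (const key of [...this.counters.keys()]) {
      if (JSON.parse(key)[0] === connectionId) this.counters.delete(key);
    }
  }
}

// Constructed scenario: "methodA" may run three times per hour per connection.
function demo() {
  let clock = 0;
  const rules = { methodA: { max: 3, windowMs: 3600000 } };
  const quota = new MethodQuota(rules, () => clock);
  const burst = [1, 2, 3, 4].map(() => {
    clock += 1; // four calls, one millisecond apart
    return quota.check('conn-1', 'methodA').allowed;
  });
  const denied = quota.check('conn-1', 'methodA'); // still exhausted at t=4
  const other = quota.check('conn-2', 'methodA').allowed;
  clock = 1 + 3600000; // the window opened at t=1
  const later = quota.check('conn-1', 'methodA').allowed;
  return { burst, retryAfterMs: denied.retryAfterMs, other, later };
}
```

A counter keyed on the connection starts from zero when the client reconnects, so a freemium limit that has to hold across reconnects needs a key that survives them, such as the user id.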
https://github.com/matteodem/meteor-easy-security/blob/master/lib/easy-security.js#L46 change to .apply and write tests
Delay calls by a fixed amount of ms to simulate asynchronous calls when developing locally. Could be super useful for development, or is there already an existing solution?
If I start a blank app with the following methods:
Meteor.methods({
  foo: function() {
    console.log('in foo');
    Meteor.call('bar')
    console.log('bar called');
  },
  bar: function() {
    console.log('in bar');
  }
})
Everything works as expected. However when I add meteor-easy-security the call to bar causes silent failure and then subsequent calls to 'foo' do nothing either.
Hey,
So I tried using the accounts-entry package by Josh Owens, but I have run into a problem with accounts-entry and easy-security.
On signup, I was getting this error
After a bit of debugging, the error was being produced in or around here
I don't know why this was occurring.
For the moment, I had to remove the easy-security package.
After meteor update --release [email protected]
this is what I get
at meteor://💻app/packages/matteodem_easy-security/packages/matteodem_easy-security.js:145:1
at meteor://💻app/packages/matteodem_easy-security/packages/matteodem_easy-security.js:121:1
Happens in this repo after just adding the package, no actual making use of it, just meteor add matteodem:easy-security
https://github.com/markusgattol/todos
When I switch from
EasySecurity.config
  general:
    type: 'throttle'
    ms: 2000
to
EasySecurity.config
  general:
    type: 'debounce'
    ms: 2000
I get on the server: => Exited with code: 1