Having used Meteor for a few weeks, I'm always impressed with how much time it is saving me.
One of the unfortunate things about Meteor at the moment is there aren't many open projects to learn from. For others trying to gain insights to best practices through this projects, here are some suggestions I may offer:
Agreed, timestamps are all handled by the server now. No more trusting clients. Also keep in mind this was pushed to HN about 2 hours after development started.
Yeah because it is a tech demo, not a shippable product. There is a huge difference. Sometimes people want to get their feet wet and just play with something. They offer others a chance to follow their commits, and see where the product evolves. This leads to better knowledge sharing, and finding like minded people in the community. Your nick really doesn't reflect your personality in this thread.
It worries me that security is still not a big part of this. I hope most people don't miss the fact that it's simple because it's insecure? Good luck to them solving it without ruining what's a nice idea.
Yep all are effective. Security is something meteor is currently developing and is in very early stages. To shit on them now, when they are still in active development of a product they don't even claim is production ready... is like punching babies in the face. It is completely worthless.
Eh, that issue is not really an issue. Server-side functions are actually a surprisingly elegant way of handling security. Basically, instead of calling Users.remove({}), .insert(), .update(), etc., you create functions on the server that are called from the client. That way, the server controls what you can and can't edit. The end result is still very simple, because you're just calling functions like user_login(), send_message(), etc. instead of operating on the database directly on the client-side.
According to the FAQ they're still working on a built-in user authentication.
If you have to implement a separate, server-side CRUD security check by hand, then I don't see why I would choose Meteor over say Rails or Express plus Backbone.
You wouldn't get. I use backbone every day for my main job, and it's a great tool. Just imagine when frameworks like Meteor are complete and you can minimize a bunch of your boilerplate code.
Just for a quick update. I have made a few commits to address the security problems people noted below. You can no longer reset any collections from the client, or spoof messages from a different user. If people still see issues in the code, you can let me know and I can patch those up too. =)
32 comments
[ 4.7 ms ] story [ 79.6 ms ] threadOne of the unfortunate things about Meteor at the moment is there aren't many open projects to learn from. For others trying to gain insights to best practices through this projects, here are some suggestions I may offer:
Users.find({last_seen: {$lt: (now - 60 * 1000)}}).forEach(function (user) { Users.remove(user._id); });
-> Users.remove({ last_seen: { $lt: (now - 60 * 1000) } });
and
Messages.find({date: {$gt: new Date()}}).forEach(function (message) { Messages.update(message._id, {$set: {date: new Date()}}); });
-> Messages.update({date: {$gt: new Date()}}, { $set: {+new Date() }})
Excellent work otherwise though. I'd love to see more open source projects released with Meteor if anything for others to learn from!
This is like back when Rails was new and everybody was showing off their poorly made CMS that had security issues baked in from the start.
source: https://github.com/spicytuna/InstaChat
you can create rooms like this: http://instachat.meteor.com/room/HackerNews
Sample, in your console type:
Messages.remove({})
or
Users.remove({})
for(var i=0;i<20;i++) {Messages.insert({user: "testuser", text: "yo!", date: new Date()})};
Security stability and scalability are the hard parts.
Meteor.setInterval(function () { Users.remove({}); Messages.remove({}); }, 500);
Being able to send messages asynchronously has been a solved problem for a long while now.
However, judging from the ridiculous amount of xhr messages flying back and forth, perhaps even that isn't done very well yet.
See http://nowjs.com for another implementation of the idea.
If you have to implement a separate, server-side CRUD security check by hand, then I don't see why I would choose Meteor over say Rails or Express plus Backbone.