4.4 Secure Database Methods
In this lesson, we are going to take the database logic that we created in the last lesson and move it out of the client, into a Meteor method in the “api” folder, so that the actual database write is performed on the server rather than by the browser.
In our last lesson, we used MongoDB's insert command to add new user posts to the page: type a value into the text field and it immediately shows up as a new post. There is a problem with that, though. All of it is happening on the client, and the client is updating the database directly. That is an insecure way to handle writes, because anything the page's JavaScript is allowed to do, anyone with the browser's developer console open is allowed to do too, including writing whatever they like into the collection. What we want instead is to use the api folder for its real purpose: performing these database tasks on the back end, where the server decides what gets written.

By default, a new Meteor app comes with a package called insecure installed. It is there to make development easier: you can throw together client-side insert statements like this one very quickly. But it is not something you want in a published site. So the first step is to remove that package. Before I forget: all of the files from the last lesson are saved in the folder site 008, and all of the changes from this lesson will be saved in a new folder called site 009.

At the command prompt where Meteor is running, I hit Ctrl+C a couple of times to stop the server. We are still in our social lite folder, and here I run meteor remove insecure. After a moment it reports that the package has been removed. Refreshing the site does nothing yet, because the server is stopped, so we run meteor again to start it back up.

Once it is running, we go back to the browser and refresh. Our existing posts are still there, but if we type a new post and hit Enter, nothing happens. Pressing F12 to open the console shows why: the message reads Insert failed: Access denied. Without the insecure package the client is no longer allowed to write to the collection, which is exactly what we want. Now we need to move the insert statement to the back end, into the userposts.js file in our api folder.

At the very top of userposts.js we need two imports. First, import Meteor, inside curly brackets, from the namespace 'meteor/meteor'. Second, import check (all lower case) from 'meteor/check'. check lets us validate the type of a value: before a value is saved to the collection we can confirm that it is a string, a number or a boolean, and the method stops if it is not. We will see how to use it in a moment.

Below the collection export that is already in the file, we call Meteor.methods. It works much like the helpers and events objects we have already written: Meteor.methods takes an object in parentheses and curly brackets, and inside it we define any number of methods. These methods are what the client will call, and they are where the database interaction actually happens, so the front end only ever asks the server to do the work.

The method name goes in single quotes: 'userposts.insert'. It looks very much like the event handlers we wrote earlier. It needs one argument, the text entered in the text field, so we name the parameter text and then open and close curly brackets for the method body.

Inside the body, the first thing we do is validate the argument: check(text, String). The first parameter to check is the value being tested, and the second is the type we expect. If text is not a string, check throws and the method goes no further, so nothing reaches the database. One thing to keep in mind: check only validates the shape of the data. It says nothing about who is calling, since any client can call any method, so whether a caller is allowed to post is a separate question from type checking.

Then, a couple of lines down, we add the insert command itself, which we can cut from body.js: the UserPosts.insert call. Paste it into userposts.js in the api folder and fix the indentation. It already reads its value from a variable named text, so nothing needs to change there. We are still setting createdAt to a new Date and username to Craig. Later on we will look at how to customize that username; for now it is Craig every time, which is a good starting place. Save userposts.js, and now let's look at how to call this method, because it is a little different from how I would normally think about calling a method.

Back in body.js, where the insert statement used to be in the submit event, we use Meteor.call instead. That means body.js needs the same Meteor import, so copy the first import line from userposts.js and paste it at the top of body.js. Then, inside the submit event, write Meteor.call and pass it the name of the method, 'userposts.insert', in quotes, followed by a comma and the text value. After that, just as before, we clear the value of the text field.

Save body.js and jump back to the browser. When it refreshes, try adding a post again: hit Enter, and it saves just fine, just like before. The difference is that the authoritative insert now runs on the server, inside the method, where the argument is checked before anything is written. If you are building a little personal project that only lives on your computer, leaving the insecure package installed does not really matter. If you are going to publish the site, remove insecure and move all of your database logic into methods in the api folder. Thanks for watching, and I'll see you in the next lesson.
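The flow this lesson builds, as an added example that is not the course's code: the method with its check call and the client-side Meteor.call are written the way the lesson describes, but the Meteor, check and Mongo.Collection objects are replaced by minimal constructed stand-ins so the whole thing runs in plain Node.js without a Meteor app. The stand-in check only understands String, Number and Boolean; the real meteor/check accepts far richer patterns. The rejected inputs at the end are constructed to show what the type check turns away.

```javascript
// Added example (not from the lesson): a self-contained Node.js model of the
// server-side method pattern the lesson describes. In the real app these come
// from 'meteor/meteor' and 'meteor/check'; the stand-ins below are constructed
// here only so the pattern can be run and inspected without Meteor.

// Stand-in for meteor/check supporting the three built-in patterns the lesson
// mentions. The real check() also accepts object shapes, arrays, Match.Optional, etc.
const TYPE_NAMES = new Map([[String, 'string'], [Number, 'number'], [Boolean, 'boolean']]);

function check(value, pattern) {
  const expected = TYPE_NAMES.get(pattern);
  if (expected === undefined) throw new Error('check: unsupported pattern in this stand-in');
  const actual = value === null ? 'null' : Array.isArray(value) ? 'array' : typeof value;
  if (actual !== expected) {
    throw new Error(`Match error: Expected ${expected}, got ${actual}`);
  }
}

// Stand-in for a Mongo.Collection: an in-memory array with insert/find.
class Collection {
  constructor() { this.docs = []; }
  insert(doc) {
    const _id = String(this.docs.length + 1);
    this.docs.push({ _id, ...doc });
    return _id;
  }
  find() { return this.docs.slice(); }
}

// Stand-in for Meteor.methods / Meteor.call. The point of the pattern: the
// client only ever sends a method name and arguments; the server decides
// what, if anything, is written.
const serverMethods = new Map();
const Meteor = {
  methods(definitions) {
    for (const [name, fn] of Object.entries(definitions)) serverMethods.set(name, fn);
  },
  call(name, ...args) {
    const fn = serverMethods.get(name);
    if (!fn) throw new Error(`Method '${name}' not found`);
    return fn(...args);
  },
};

// --- userposts.js in the api folder, as the lesson builds it ---
const UserPosts = new Collection();

Meteor.methods({
  'userposts.insert'(text) {
    // Validate the argument before touching the database; a non-string stops here.
    check(text, String);
    return UserPosts.insert({
      text,
      createdAt: new Date(),
      username: 'Craig', // hard-coded in the lesson; customized in a later lesson
    });
  },
});

// --- body.js submit handler, reduced to the call ---
function submitPost(text) {
  // The client no longer calls UserPosts.insert itself.
  return Meteor.call('userposts.insert', text);
}

// Exercise the method the way a browser (or someone in its dev console) could:
// one well-formed string, then constructed arguments that check() must reject.
function demo() {
  const before = UserPosts.find().length;
  submitPost('Hello from the client');
  const rejected = [];
  for (const bad of [42, { $ne: null }, null, ['a'], true]) {
    try {
      submitPost(bad);
    } catch (err) {
      rejected.push(err.message);
    }
  }
  return { accepted: UserPosts.find().length - before, rejected };
}

console.log(JSON.stringify(demo(), null, 2));
```

Note that check here, as in the lesson, only guarantees the argument is a string. It does not establish who made the call; deciding whether a caller may post at all is a separate authorization step that this lesson does not cover.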