How Meteor Toys Bring Back the Joy of Autopublish and Insecure

Every Meteor application starts with two fairly loved and hated packages: autopublish and insecure. These two allow you to quickly write to and read from the database without having to care about security.

If I had to call it — it’s probably the secret sauce that makes Meteor so good for prototyping and hackathons. It lets you focus on your application now, and the piping later.

A lot of people express concern over these packages because they pose an obvious security risk. What’s not always understood is that these packages are meant to come off at some point in the development process, followed by the implementation of the needed security protocols.

In a lot of ways, they make security implementation easier because you’ll know what you need to implement after you design your application features.

However, once they’re off, they are quickly missed for the debugging flexibility they offer. In this blog post, I will share with you two packages I created to bring the flexibility of those packages back to you, while still respecting the security rules of your application.

It’s a zero-compromise solution.

From insecure to Mongol

The main perk of insecure is the superpowers you get for working with the database. You can perform any action right from the client, but once you take the package off, you have to manually specify every action the client is allowed to make.

Enter Mongol — a client-side MongoDB admin tool made specifically for Meteor. The first thing it does is visualize your collections, so you don’t have to run a query every time you want to see what’s going on. It then goes a step further by letting you modify any document you’re looking at, whether you have insecure on or not.

It achieves this effect through a special set of methods that allow it to perform any action on any document. You call the methods right through the Mongol UI, and after they are executed, Meteor instantly syncs the new document to your client.

Following the easy editing and removal of documents, Mongol also helps you insert new documents. However, I decided to take a different approach to document insertion. Rather than letting you start with a blank document, Mongol has you duplicate a pre-existing document.

This helps carry over much of the data that you may have needed to re-enter. Then, you edit that new document as you wish. However, if there isn’t a document to duplicate, it will ask you to insert a new one.

From autopublish to AutoPub

It’s very much the same story with autopublish. It’s great for quickly getting your documents to the client, and then you’d take the package off in favor of having your own secure publications and subscriptions.

However, the package becomes easily missed as you try to debug your publications, see if a write is going through properly, etc.

I found a no-compromise solution here by implementing an autopublish feature into Meteor Toys that you can toggle on or off. It’s off by default, and just a click away from publishing all your documents to the client where it’s enabled.

Note: some people thought it runs meteor add/remove autopublish, but to clarify, it actually has its own autopublish mechanism, so it works instantly.

Wait, did you forget about security?

There’s a good reason we remove insecure and autopublish from our apps, and by this point those reasons are probably crossing your mind in regards to Mongol and AutoPub.

However, the story here is different because all Meteor Toys packages (Mongol and JetSetter included) are marked as ‘debugOnly’ packages. Meteor’s build process automatically excludes such packages from your production code.

You can see it for yourself by following these simple steps:

1. meteor create --example todos
2. cd todos
3. meteor add msavin:mongol
5. meteor
6. open localhost:3000, activate Mongol by pressing Control + M in your app
7. meteor deploy woot || meteor --production
8. activate Mongol (or not) by pressing Control + M in your app

The debugOnly packages are marked as such in the package.js file, and they only run when the application is in debug (development) mode. You can see a sample of its implementation here: https://github.com/msavin/Mongol/blob/master/package.js
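A pre-deploy check built on the two points above, as an added example that is not code from Meteor or Meteor Toys: it flags autopublish and insecure if they are still listed in .meteor/packages, and flags any debugging tool whose package.js does not set debugOnly: true. The package name example:db-inspector, the review list of debugging tools and every sample string (including the stand-in for Mongol's package.js) are constructed for illustration.

```javascript
// Added example; every sample string below is constructed for illustration.
const PROTOTYPING_PACKAGES = ['autopublish', 'insecure'];

// Parse .meteor/packages text: one package per line, '#' starts a comment,
// and an optional '@version' constraint follows the package name.
function parseMeteorPackages(text) {
  return text
    .split(/\r?\n/)
    .map((line) => line.replace(/#.*$/, '').trim())
    .filter((line) => line.length > 0)
    .map((line) => line.split('@')[0]);
}

// Heuristic: does this package.js source set debugOnly: true?
// Comments are stripped first so a commented-out flag does not count.
function isDebugOnly(packageJsSource) {
  const code = packageJsSource
    .replace(/\/\*[\s\S]*?\*\//g, '')
    .replace(/(^|[^:])\/\/.*$/gm, '$1');
  return /\bdebugOnly\s*:\s*true\b/.test(code);
}

// debugToolSources: Map of package name -> package.js source for packages
// the team treats as debugging tools (a hypothetical review list).
function auditForProduction(packagesText, debugToolSources) {
  const findings = [];
  for (const name of parseMeteorPackages(packagesText)) {
    if (PROTOTYPING_PACKAGES.includes(name)) {
      findings.push({ package: name, issue: 'prototyping package still installed' });
    }
    const source = debugToolSources.get(name);
    if (source !== undefined && !isDebugOnly(source)) {
      findings.push({ package: name, issue: 'debug tool not marked debugOnly' });
    }
  }
  return findings;
}

const SAMPLE_PACKAGES = `
meteor-base@1.0.1
insecure            # still here from prototyping
msavin:mongol
example:db-inspector
`;
const SAMPLE_SOURCES = new Map([
  ['msavin:mongol', "Package.describe({ name: 'msavin:mongol', debugOnly: true });"],
  ['example:db-inspector', "Package.describe({\n  name: 'example:db-inspector'\n  // debugOnly: true\n});"],
]);
console.log(auditForProduction(SAMPLE_PACKAGES, SAMPLE_SOURCES));
```

On the sample input it reports insecure and example:db-inspector, and passes msavin:mongol; the debugOnly check is a text heuristic, so a flag set through a variable would need a manual look.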

Let’s Get You Started

Meteor Toys with AutoPub enabled.

In short, autopublish and insecure are a clever way to get your application to usability quickly, and Meteor Toys take the next step to help you retain the flexibility they offer while still helping make sure your application operates in its natural state.

Mongol is available as an open source package on Atmosphere and GitHub. If you like it, you’d also like JetSetter, its counterpart for managing Session variables. AutoPub is available as part of the premium Meteor Toys bundle.
