[sergiotapia]

I looked into Meteor and it's amazing how everything clicks together. It's just such a drastic change in complexity and feels like a breath of fresh air.

The one thing that made me drop it as the choice for a primary stack was the fact that it's tied so heavily into MongoDB. Meteor has a mongodb 'server' replicated client side, that's how they can actually make Meteor so god damn snappy, it's latancy compensation.

If they were to integrate something like Postgresql into Meteor, I would easily switch over from Rails and it would become my de-facto web stack.

I'll just keep building Rails APIs with EmberJS clients until then, I do hope it's soon though. I loved working with Meteor.

[joeriel]

SQL support is the biggest ask on their Trello board.

https://trello.com/b/hjBDflxp/meteor-roadmap

There are some good packages on Atmosphere for PostgreSQL, but I think that it needs to be officially supported/integrated for many people to be comfortable with it.

[ahachete]

In ToroDB (https://github.com/torodb/torodb) we are currently working on implementing MongoDB's oplog server-side. ToroDB would work seamlessly with Meteor, meaning that at the end of the day your data sits on a PostgreSQL database. Watch out our next coming release! :)

[methehack]

Wow ToroDB looks really cool! Good idea!

[fiatmoney]

Yes, Mongo dependency is a dealbreaker for many people who would like to be using it.

[juliangregorian]

I'm apprehensive of the security model. Everything is highly ease-of-use optimized, to the point that you can query Mongo via the browser console.

My preferred "easy/simple" model of app design is Firebase (backend and JS lib for pure web clients), who have security figured out.

[imslavko]

Meteor's security model allows app developer to validate any operation or RPC going through, based on the arguments or userId (by writing JS code). Also, the published set is controlled by publications, allowing to publish only filtered out data with specific fields.

Unlike Firebase, Meteor actually allows you to send "first top 20 guest posts from November" as an example. The filtering can happen on the server, before sending the data and the data model usually fits into a sets of documents in set of collections. In Firebase, everything is part of a big subtree that is not filterable (the last time I checked).

Firebase is a good choice for keeping your real-time data. But knowing its limitations is as important as knowing its strengths.

[joeyyang]

Hey there, I'm Joey, a Firebase dev — last November, we shipped advanced querying support[0] to address this! You can now use orderByChild(), orderByKey() or orderByPriority() to build a query.

We also have limitToFirst(), limitToLast(), startAt(), endAt(), and equalTo() methods to further filter your data.

This allows you to build queries like this:

  ref.orderByChild("weight").limitToLast(2).on("child_added", function(snapshot) {
    console.log(snapshot.key());
  }); 

Please check out our querying docs[1], and let us know if you have any questions!

[0] https://www.firebase.com/blog/2014-11-04-firebase-realtime-q...

[1] https://www.firebase.com/docs/web/api/query/

[imslavko]

This is great! I didn't doubt that Firebase will roll out features to paginate and sort data. I also don't doubt that Firebase will implement filtering in the future. Great work.

[sergiotapia]

What you're saying is only true on a barebones default Meteor app. Please don't comment on a tool if you've never used it for anything other than a hello world, you're doing a very sophisticated tool a huge disservice.

You remove the autopublish package and you can no longer query records from the client.

[juliangregorian]

There's no need to be rude. How many people are going to not know that, or forget? Meteor is highly tailored towards beginners. Additionally, Mongo's out-of-the-box security policies are extremely lax as well, and unsecured Mongo instances in the wild are a huge problem.

[matthewmacleod]

I don't necessarily disagree with you, but it's still an astonishingly bad practice as a default.

If there's one thing we should have learned from Rails' various security failures, it's that things must be secure by default.

[debaserab2]

There's no excuse for insecure defaults.

[matthewdav]

I disagreed, in OWASP: It is important to understand that by no means does “Secure Defaults” mean turning off all possible network applications or sockets and services. And neither do Secure Defaults mean a 100% secure environment. But, they should ensure the least number of possible loopholes and fewer drawbacks.

Likewise, no matter what languages, majority are insecure by defaults.

[debaserab2]

What other tech stack allows you to publicly query the application data source by default? I think it's fair to say that shouldn't be possible and I'd be hard pressed to believe that OWASP would disagree with that.

[accounthere]

It's more of a development default.

[Xixi]

A lot of software engineers are wary of frameworks/tools with an emphasize on ease-of-use over security, or benchmarking over data integrity. Rightly so in my opinion.

It leaves a "I should triple check everything again before going live since I cannot trust the tool to do its job" thread running permanently in the back of the mind. It's such a slowdown. Don't get me wrong, it's important to read the documentation and double check settings, but insanity by default does not build trust.

That said in the case of meteor beyond the autopublish package that should be off by default, I think everything is spot on. I mostly use PostgreSQL, so I cannot use it as much as I'd like to, but hopefully that will change.

[sergiotapia]

I agree with what you're saying, but a lot of people make it look like Meteor allows XSS and SQL Injection by default. You really only need to remove autopublish from the get go right after meteor create foobar and you begin with a secure app.

[danellis]

You should never have to do anything to become secure. The mantra is: secure by design; secure by default; secure by configuration.

[matthewdav]

In OWASP: It is important to understand that by no means does “Secure Defaults” mean turning off all possible network applications or sockets and services. And neither do Secure Defaults mean a 100% secure environment. But, they should ensure the least number of possible loopholes and fewer drawbacks.

[nostrademons]

Anyone remember register_globals in PHP?

[KurtMueller]

Hi Sergio,

One of the things I like about rails (and ember-cli) is that it is "secure-by-default". If I am going to make a choice that potentially has security vulnerabilities, I have to deliberately make that choice - I basically have to create a whitelist of things I want to allow.

[jonlachlan]

> "Everything is ease-of-use optimized, to the point that you can query Mongo via the browser console."

meteor remove autopublish

meteor remove insecure

The Mongo-accessible frontent is genius. This makes your prototyping much faster, and you can totally skip the "model" layer of your frontend. It matches your backend automatically. No further configuration needed. No REST endpoints, no callbacks. And yes, it's secure.

Meteor's security model is very well-designed. The list of things left for the developer to do, security-wise, is very short.

It's still important to learn your tools and understand how security works.

http://docs.meteor.com/

http://security-resources.meteor.com/

https://github.com/themeteorchef/security-essentials

https://www.youtube.com/watch?v=6_3pomxyp8M

[keithwhor]

Well, you can start using JS for your API server, at least. Nodal [1], a full-featured API server and framework for iojs was just released yesterday with full PostgreSQL integration. (Migration and schema support, to boot.) :)

I'm not a huge fan of isomorphic JavaScript. While it seems great for prototyping, I have doubts on its stability, security, and ability to scale. It seems to be a knee-jerk reaction to just having the technology to write web-client and web-server code in the same language and the emergence of SPAs.

The thing is, we've had working client-server application architecture (which is what an SPA is) for decades. Every multiplayer game you've ever played. Chat programs. Etc. Nobody would risk the headache of tightly-coupling your data layer, presentation layer, and business layer just to save a few lines of code. We separate our concerns in our code itself with MVC frameworks, why are isomorphic frameworks trying to tightly-couple our actual application layers? It's a little bit contradictory to me.

While Meteor seems like a great tool for a couple of newbie developers to rapidly prototype an idea, I'm still not convinced it has the potential to grow into a reasonable architecture.

[1] https://github.com/keithwhor/nodal

[wishinghand]

Postgresql would be great, though if they wanted to keep the document style database of Mongo, maybe they could use something like RethinkDB and use its javascript driver?

[rglover]

Folks are working on it: https://github.com/numtel/meteor-pg. Also there are plans for core support down the road.

[sergiotapia]

Oh I know, the guys are very open about the roadmap, they have a Trello board. I'm counting the days where I can finally go all in with Meteor. Everyone I know IRL is excited for Meteor but Mongo is what kept everyone sort of away.

[KurtMueller]

I've heard the sales pitch for ember and ember-cli and I've seriously begun developing with Ember for the past 2 weeks. So far, I really like the tooling around Ember but am not a huge fan of the actual framework itself.

I mean, you have routers, routes, controllers, views, templates, and components - how many concepts do you need to display a ui?

Maybe it's just that I can't see the forest through the trees. Perhaps you could help me gain this perspective?

[andreisoare]

You have just one router, and that's only a config file that maps URLs to routes.

They're dropping controllers and views in a month, with Ember 2.0. They're being replaced by components.

So really you will only work with routes and components - which should make things much easier to understand.

[KurtMueller]

I know that there are talking about "routable components" with one-way data flow (ala react/flux), which hopefully comes soon. Are templates still being kept?

It seems like Ember is going to become a bit more like React (which I'm very fine with).

[javajosh]

My take on this is that Meteor (and mongo) is perfectly sized platform for individuals and SMBs. If you make a consumer thing meteor will work too as an MVP, but you'd almost certainly rewrite the backend to use more bespoke code (e.g. in Java REST SOA over Postgres etc.)