Mistakes in the first large Meteor project

Over the last few months, I’ve been working on my first large Meteor project, a first both for me and for the company I currently work for. This application runs on the infrastructure I described in an earlier post, “Amazon auto scaling and Meteor” (yes, Galaxy was not available yet 🙂). After some time we realized that, even though Meteor does a great job of making the complex simple, it would be great to have someone with more experience point out our mistakes and gaps in knowledge. In his first days, that person, Caio Ribeiro, made a list of improvements that we should make. This is the list:

Migrate secret keys from config.js to settings.json

When we first started, our secrets and keys were in a config.js file, like this.

As we weren’t using settings.json to centralize this kind of information, it was spread across the source files. After the refactoring, we just use Meteor.settings to get this information.


Kadira information

This situation is similar to the previous one: we were using a file called kadira.js to keep Kadira’s app id and app secret. It was not working properly because we were sending information to Kadira even when we were in development mode. We just deleted this file and set Kadira’s environment variables on our production machines.


Create a server/publications directory and split Meteor.publish, one publish per file

Before the refactoring we had one big file called publish.js inside the server directory. We wrote all publications there, thousands of lines in the same publish file.

Now we have this directory with many small files, each named after its publication.


Splitting routes files

This one is pretty similar to the previous one too. We had two big route files, one with all the private routes and another with all the public routes. We just split them into small files inside two directories, public and private.


At the very beginning of this project it was just me, alone, taking care of everything. I had to figure out what needed to be done (the business rules, I mean) while building the infrastructure at Amazon and writing code. The advantage was that I knew everything; the disadvantage was that it might take too long. So 2 new developers joined me, and then 5 more! After that, the system started to grow faster. From one day to the next many features just appeared, and suddenly I didn’t know the whole system anymore. It didn’t happen only to me, of course: everybody was building new features and… breaking others without knowing. It was a rain of bugs, people almost having heart attacks, sad… that same old story. So this more experienced guy started to write tests with Velocity and Jasmine, and today I saw some tests reporting errors after a change 🙂 Remember, if someday someone tells you that tests don’t matter, run, as fast and as far as possible.

Removing Collections.allow()

For every single collection, we were doing something like this:

Doing that is the same as using the insecure package. The solution? Just remove it and write Meteor.methods. In our case, we were doing both, using Collections.allow() and writing methods, in the same place.


Migrate sensitive Meteor.methods to server/methods

Another problem, related to the previous topic “Removing Collections.allow()”, was that our methods containing business rules were in the both directory (maybe you are using lib instead). The problem is that our methods’ code was exposed to the client, so our business rules were visible. The solution was simple: just create a new directory inside server, called methods, and put everything there. That’s it, this code is safe now 🙂
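The two items above (“Removing Collections.allow()” and “Migrate sensitive Meteor.methods to server/methods”) end up in the same place: a server-only method that does the checks a permissive allow rule never did. The sketch below is an added example, not code from our project; the file name, the Tickets collection, the method name, the field limits and the MethodError class are assumptions, and the collection is a small stand-in so the file also runs outside Meteor.

```javascript
// server/methods/tickets.js -- hypothetical file, collection and method names.
// Stand-in for a Mongo.Collection so this file also runs under plain Node.
const Tickets = {
  docs: [],
  insert(doc) { this.docs.push(doc); return this.docs.length; },
};

// Stand-in for Meteor.Error(error, reason); carries a machine-readable code.
class MethodError extends Error {
  constructor(error, reason) { super(reason); this.error = error; }
}

const methods = {
  'tickets.insert'(input) {
    // 1. Authentication: Meteor sets this.userId to null for anonymous callers.
    if (!this.userId) throw new MethodError('not-authorized', 'Login required');

    // 2. Validation: reject anything that is not the expected shape and type,
    //    including operator objects such as { $gt: 0 } in place of a number.
    if (input === null || typeof input !== 'object' || Array.isArray(input)) {
      throw new MethodError('bad-input', 'Object expected');
    }
    const { title, quantity } = input;
    if (typeof title !== 'string' || !title.trim() || title.length > 120) {
      throw new MethodError('bad-input', 'Invalid title');
    }
    if (!Number.isInteger(quantity) || quantity < 1 || quantity > 10) {
      throw new MethodError('bad-input', 'Invalid quantity');
    }

    // 3. Whitelist: build the document on the server. Extra client-supplied
    //    fields (ownerId, price, ...) never reach the database.
    return Tickets.insert({
      title: title.trim(),
      quantity,
      ownerId: this.userId,
      createdAt: new Date(),
    });
  },
};

// Inside a Meteor app, register the handlers; under plain Node this is skipped.
if (typeof Meteor !== 'undefined') Meteor.methods(methods);
```

Because the file lives under server/, the client has no stub for this method, so the UI only updates once the server has answered.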


I hope this information is useful for you. Even though Meteor looks pretty easy, good practices are still necessary. But one thing is undeniable: Meteor is really fun and a great option for building playful work environments. By the way, this is the project I’m talking about: https://www.redpass.com.br/ It’s just a pilot for a while, but soon it’ll be official.

9 thoughts on “Mistakes in the first large Meteor project”

  1. I’m wondering about moving your meteor methods to /server. How (if at all) are you handling latency compensation? Did you stub all the meteor methods on the client? Also, is it really that important to hide your business rules? I can understand for certain sensitive things to be server only code, but for most inserts/updates/deletes the code is so basic it’s probably not worth the effort to hide it.
