How do you apply the security principles for routing?
That has to be done client side. Does it mean there is no secure way to restrict some routes to specific users? I know about filters in Meteor.Router, but those are defined on the client side.
This is a question asked in this comment by curious2learn.
Unfortunately, you're right, currently there's no secure way to restrict routes to specific users.
In the current version of Meteor, the whole client code is sent to all users at once. It means that all the views and templates are there, and an inclined user will find a way to display them.
This of course does not mean that you shouldn't secure them so that an unprivileged user doesn't enter them by accident; you can do this easily by router filters or by packing the whole template in a conditional. This just means that you shouldn't trust who sees the template, so you shouldn't put hardcoded sensitive data in one. Again, never trust the client, even your own code (it can be tampered with).
The only thing you can control is the data that will be fetched and displayed in said template.
Check out my Accounts Admin UI package. It manages the Roles package which is neatly integrated with Meteor accounts. By default Roles is not published to the Client. The Accounts Admin UI contains a quickstart and notes on how to integrate with Iron Router.
Check out these two resources.
1. https://atmospherejs.com/alanning/roles
2. https://themeteorchef.com/snippets/using-the-roles-package/
Hope they help.
Check out https://atmospherejs.com/aumel/security-authorization which is doing the job (with server side permission checks) and is based on the popular https://atmospherejs.com/alanning/roles
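The first answer's point that only the published data can be controlled, combined with the server-side permission checks mentioned in the last answer, as an added example (not code from any of the answers or from the packages they link). It assumes `Roles.userIsInRole` from alanning:roles; the `Reports` collection, the `adminReports` publication name, the `admin` role and the stub objects are hypothetical.

```javascript
// Server-side publication gated by role. The route filter on the client only
// hides the view; this check decides whether any data leaves the server.

// Builds a publish handler. Meteor invokes it with `this.userId` taken from
// the server's login session, so the client cannot choose its value.
function makeRoleGatedPublication(Roles, collection, requiredRoles) {
  return function publishIfAuthorized() {
    // Not logged in, or logged in without the role: publish nothing.
    if (!this.userId || !Roles.userIsInRole(this.userId, requiredRoles)) {
      return this.ready(); // subscription completes with an empty result
    }
    // Authorized: return a cursor limited to the fields the view needs.
    return collection.find({}, { fields: { title: 1, total: 1 } });
  };
}

// Registration inside a Meteor app (skipped when run outside Meteor).
// `Reports` is a hypothetical Mongo.Collection.
if (typeof Meteor !== 'undefined' && Meteor.isServer) {
  Meteor.publish('adminReports',
    makeRoleGatedPublication(Roles, Reports, ['admin']));
}

// Constructed stand-ins so the handler can be exercised outside Meteor.
const stubRoles = {
  byUser: { u1: ['admin'], u2: ['viewer'] },
  userIsInRole(userId, roles) {
    return (this.byUser[userId] || []).some((r) => roles.includes(r));
  },
};
const stubReports = { find: () => [{ title: 'Q1', total: 10 }] };

// Calls the handler the way the server would for a given session user.
function simulateSubscribe(userId) {
  const handler = makeRoleGatedPublication(stubRoles, stubReports, ['admin']);
  let readyCalled = false;
  const ctx = { userId, ready() { readyCalled = true; } };
  const result = handler.call(ctx);
  return { docs: result || [], readyCalled };
}
```

A user who forces the admin template to render still receives no documents, because the subscription comes back empty for any session without the role.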