The Meteor site has a tutorial around building a “ToDo App”, in one of three flavors – Blaze, Angular, and React.
I’m not quite sure what it means to choose one of these flavors (see more in the feedback section). It looks like Blaze is some sort of a default, or the recommended one, based on some links pointing directly to it, and the fact that it is the first in the list. I’m already using Blaze in the Meteor intro Coursera course, so to spice things up, I randomly decided to go with React for this tutorial.
Do read on for the an exciting and detailed accounting of my step-by-step experience with the tutorial! 🙂 For your convenience, I have shared my tutorial implementation in a GitHub repository. It shouldn’t be very different from the official Meteor tutorial repository, but I took the liberty to add some tweaks of my own.
tl;dr: The tutorial was excellent. It is well structured. Things worked as expected. It is clear and concise. I feel I learned a lot in a short time. I do have some feedback to share, about the lack of clarity about Blaze vs. Angular vs. React, the mobile section, and the insecure defaults that are built-in.
Going through the ToDo App With React tutorial
In this section I document my step-by-step progress through the TODO App With React tutorial. It’s quite verbose 😉 . See also my tutorial GitHub repository. Feel free to jump straight to the feedback section.
For each step, I took a partial screenshot of the tutorial instructions (in case the tutorial itself changes in the future), and one or more screenshots of the result.
Step 1: Creating your first app
Step 2: Defining views with React components
Step 3: Storing tasks in a collection
Step 4: Adding tasks with a form
This step had a troubling “side note” relating to security:
I will get back to that in the feedback section.
Step 5: Checking off and deleting tasks
Step 6: Deploying my app
I can’t say I feel comfortable with deploying a definitely insecure app. But it is in no way an app that handles sensitive or personal data, there is no login support, and it is deployed to the Meteor servers – so if they want me to deploy it, then I guess it’s OK…
I wonder why it took ~20 minutes… (my Internet connection is not that bad!)
Step 7: Running my app on Android or iOS
Interesting, but not enough to go into lengthy installations. Maybe some other time.
Step 8: Storing temporary UI data in component state
Step 9: Adding user accounts
Now, I didn’t like the way old TODO items look “broken”. Here’s a small tweak for displaying a generic name in that case:
Step 10: Security with methods
Step 11: Filtering data with publish and subscribe
It doesn’t make sense to me that any user can delete and check off public tasks of any other user. So I implemented a little tweak that allows only the task owner to do these operations.
Step 12: What’s next?
While working on the tutorial, this way of accessing a text input seemed weird to me:
I also noticed there’s an [open pull request]https://github.com/meteor/simple-todos-react/pull/7) to change
ReactDOM.render, so I applied that too.
As I said above, the tutorial is excellent.
The structure of short and concise steps is clear and instructive. It contains inline snippets of commands that I can copy & paste, and they work. It contains inline snippets of codes with highlighted diffs that I can copy & paste, or manually modify. Every code modification is also an individual git commit, linked to GitHub, which makes it easy to compare what I do to what I should have.
It is clear that I can choose one of three tutorial (Blaze, Angular, React), but there is no clear explanation what it means, and what might be the repercussions of my choice. On the surface, the three choices are equivalent, but some “tutorial” links go straight to the Blaze tutorial (e.g. top nav-bar link, tutorial button from landing page), and the Blaze tutorial is listed first as “TODO App” (and not “TODO App With Blaze”):
This sends a message that Blaze is the recommended flavor, or maybe even default, but not in a consistent way, and with no explanation.
While going through the tutorial, I found myself copying & pasting some React-specific stuff without really understanding what it is doing. I wonder how much React background is needed to start using Meteor with React. Is strong React knowledge a prerequisite? If it is – it should be clearly stated somewhere (e.g., at the beginning of the tutorial).
The “Running on Mobile” section says I can install the meteor mobile SDK’s by running some meteor commands. But when running these commands, I get links to other documentation about manually installing some other environments for mobile development. If these commands are deprecated, there’s no reason for the tutorial to include them anymore – just send me straight to the other docs…
Insecure defaults scare me. I realize that it allows for superior developer experience, but I’m scared nonetheless. See also what KrebsOnSecurity has to say on default insecurity.
I think this is such a big issue, it deserves its own post later on. I’ll hold on a bit with that post until I know more, so please, do refer me to more resources about Meteor security. Some specific alarm bells that went off in my head so far:
- Insecure defaults are dangerous, because developers are lazy, and convenient defaults tend to remain.
- When running and deploying my Meteor app, there was nothing warning me about my app being insecure!
- When platform creators (e.g., MDG) make conscious choices that are insecure, it might be telling about a mindset that is prevalent in the platform, the ecosystem, and the development processes. I don’t really know, I’m just raising my concerns…
- I can accept insecure choices that have good reasons. I believe that in this case the reasoning was “developer productivity” or something like that. I don’t think I’m ready to argue about the root reasoning. I do think that these decisions must come with BIG RED WARNINGS, and not little side notes in late tutorial steps.
I’d love to hear from users in the comments! How many Meteor users took notice of the security-related notes in the tutorial? How many remember to disable insecure packages in new projects? In what stage? How many have deployed insecure projects? Would it bother you if Meteor had secure defaults? (meaning you would need to implement publish-subscribe and methods when starting a new project)
Woohoo! I finished the tutorial! That was fun 🙂