Given the following method definition,

    Meteor.methods({
      myMethod: function (foo) {
        // Checking the only argument
        check(foo, String)
        return true
      }
    })

audit-argument-checks does not make sure that you have checked all arguments that you have defined; it makes sure that you have checked all arguments that were passed. [1]
Consider the following examples:

    Meteor.methods({
      whale: function (foo) {
        return 'Hello ground!'
      }
    })

If from the client we call this method, here is what happens on the server:

    Meteor.call('whale')        // Nothing happens
    Meteor.call('whale', 'foo') // Exception

When no arguments are passed, audit-argument-checks never throws, even if the method contains no check call.
However, this also means that passing more arguments than the method checks will make your method throw.

    Meteor.methods({
      ground: function (whale) {
        check(whale, Patterns.cetacea)
        answerTo(whale)
      }
    })

    Meteor.call('ground', MobyDick)       // All is fine
    Meteor.call('ground', MobyDick, true) // Exception

If you are having an issue with this, it means you are doing your stuff wrong: the client is passing arguments you are not aware of. If it happens during development, it means that you don't know which arguments are being passed to your methods, which could be an issue.
It can also happen that installed packages use methods with more parameters than expected. Refer to their respective documentation to know exactly what parameters are passed (or just write console.log(arguments)) so that you can make sure to write proper secure code. [2]
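
The rule described above, as a simplified model that runs in plain Node.js without Meteor. It is an added example, not Meteor's source or code from the original page; `callMethod`, `outcome`, the `partial` method and the error strings are hypothetical stand-ins.

```javascript
// Simplified model of the audit rule (added example, not Meteor source code).
let pending = null; // arguments passed to the current call, not yet checked

const typeNames = new Map([[String, 'string'], [Boolean, 'boolean']]);

// Stand-in for check(): validates a primitive type, then marks the value as
// audited by removing one matching entry from `pending`.
function check(value, type) {
  if (typeof value !== typeNames.get(type)) throw new Error('match failed');
  if (pending) {
    const i = pending.findIndex((arg) => Object.is(arg, value));
    if (i !== -1) pending.splice(i, 1);
  }
}

// Hypothetical dispatcher standing in for the server side of Meteor.call().
// The audit looks only at what the caller sent, never at the parameter list.
function callMethod(methods, name, ...args) {
  pending = [...args];
  try {
    const result = methods[name](...args);
    if (pending.length > 0) {
      throw new Error(`audit: ${pending.length} unchecked argument(s) in '${name}'`);
    }
    return result;
  } finally {
    pending = null;
  }
}

const methods = {
  whale(foo) { return 'Hello ground!'; },            // no check() at all
  partial(a, b) { check(a, String); return true; },  // b is defined, never checked
};

// Returns the method's result, or the error message if the call threw.
function outcome(name, ...args) {
  try { return callMethod(methods, name, ...args); } catch (e) { return e.message; }
}

console.log(outcome('whale'));             // nothing passed, nothing to audit
console.log(outcome('whale', 'foo'));      // 'foo' was passed but never checked
console.log(outcome('partial', 'x'));      // b not passed, so the missing check goes unnoticed
console.log(outcome('partial', 'x', 'y')); // b passed and unchecked
console.log(outcome('partial'));           // rejected by check() itself, not by the audit
```

The `partial` case is the one to watch for in review: the method passes the audit until a caller actually supplies the second argument.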
1 : See https://github.com/meteor/meteor/blob/devel/packages/ddp-server/livedata_server.js#L1686
2 : Or just write dirty insecure code - check(arguments, [Match.Any]) as per the docs