Verify user password in Meteor

StackOverflow https://stackoverflow.com/questions/18214496

Pregunta

There are some irreversible actions that user can do in my app. To add a level of security, I'd like to verify that the person performing such an action is actually the logged in user. How can I achieve it?

  • For users with passwords, I'd like a prompt that would ask for entering user password again. How can I later verify this password, without sending it over the wire?

  • Is a similar action possible for users logged via external service? If yes, how to achieve it?

¿Fue útil?

Solución

I can help with the first question. As of this writing, meteor doesn't have a checkPassword method, but here's how you can do it:

On the client, I'm going to assume you have a form with an input called password and a button called check-password. The event code could look something like this:

Template.userAccount.events({
  'click #check-password': function() {
    var digest = Package.sha.SHA256($('#password').val());
    Meteor.call('checkPassword', digest, function(err, result) {
      if (result) {
        console.log('the passwords match!');
      }
    });
  }
});

Then on the server, we can implement the checkPassword method like so:

Meteor.methods({
  checkPassword: function(digest) {
    check(digest, String);

    if (this.userId) {
      var user = Meteor.user();
      var password = {digest: digest, algorithm: 'sha-256'};
      var result = Accounts._checkPassword(user, password);
      return result.error == null;
    } else {
      return false;
    }
  }
});

For more details, please see my blog post. I will do my best to keep it up to date.

Otros consejos

I haven't done this before, but I think you will need something like this on your server 

    Accounts.registerLoginHandler(function(loginRequest) {
        console.log(loginRequest)
        var userId    = null;
        var username  = loginRequest.username;
        // I'M NOT SURE HOW METEOR PASSWORD IS HASHED...
        // SO YOU NEED TO DO A BIT MORE RESEARCH ON THAT SIDE
        // BUT LET'S SAY YOU HAVE IT NOW
        var password  = loginRequest.password;

        var user = Meteor.users.findOne({
            $and: [
                {username: username},
                {password: password} 
            ]
        });
        if(!user) {
            // ERROR
        } else {
            // VERIFIED
        }
    });

then you can call this function from the client side like this:

    // FETCH THE USERNAME AND PASSWORD SOMEHOW
    var loginRequest = {username: username, password: password};

    Accounts.callLoginMethod({
        methodArguments: [loginRequest]
    });

I have a project on github for different purpose, but you can get a sense of how it is structured: https://github.com/534N/apitest

Hope this helps,

I have found the best way to validate the users password is to use the Accounts.changePassword command and pass in the same password for old and new password. https://docs.meteor.com/api/passwords.html#Accounts-changePassword

Accounts.changePassword(this.password, this.password, (error) => {
  if(error) {
    //The password provided was incorrect
  }
})

If the password provided is wrong, you will get an error back and the users password will not be changed.

If the password is correct, the users password will be updated with the same password as is currently set.

Licenciado bajo: CC-BY-SA con atribución
No afiliado a StackOverflow
scroll top