Hubert OG
Hubert OG

Reputation: 19544

Verify user password in Meteor

There are some irreversible actions that user can do in my app. To add a level of security, I'd like to verify that the person performing such an action is actually the logged in user. How can I achieve it?

Upvotes: 10

Views: 5572

Answers (3)

PrestonDocks
PrestonDocks

Reputation: 5428

I have found the best way to validate the users password is to use the Accounts.changePassword command and pass in the same password for old and new password. https://docs.meteor.com/api/passwords.html#Accounts-changePassword

Accounts.changePassword(this.password, this.password, (error) => {
  if(error) {
    //The password provided was incorrect
  }
})

If the password provided is wrong, you will get an error back and the users password will not be changed.

If the password is correct, the users password will be updated with the same password as is currently set.

Upvotes: 0

David Weldon
David Weldon

Reputation: 64342

I can help with the first question. As of this writing, meteor doesn't have a checkPassword method, but here's how you can do it:

On the client, I'm going to assume you have a form with an input called password and a button called check-password. The event code could look something like this:

Template.userAccount.events({
  'click #check-password': function() {
    var digest = Package.sha.SHA256($('#password').val());
    Meteor.call('checkPassword', digest, function(err, result) {
      if (result) {
        console.log('the passwords match!');
      }
    });
  }
});

Then on the server, we can implement the checkPassword method like so:

Meteor.methods({
  checkPassword: function(digest) {
    check(digest, String);

    if (this.userId) {
      var user = Meteor.user();
      var password = {digest: digest, algorithm: 'sha-256'};
      var result = Accounts._checkPassword(user, password);
      return result.error == null;
    } else {
      return false;
    }
  }
});

For more details, please see my blog post. I will do my best to keep it up to date.

Upvotes: 21

Sean Yang
Sean Yang

Reputation: 268

I haven't done this before, but I think you will need something like this on your server

    Accounts.registerLoginHandler(function(loginRequest) {
        console.log(loginRequest)
        var userId    = null;
        var username  = loginRequest.username;
        // I'M NOT SURE HOW METEOR PASSWORD IS HASHED...
        // SO YOU NEED TO DO A BIT MORE RESEARCH ON THAT SIDE
        // BUT LET'S SAY YOU HAVE IT NOW
        var password  = loginRequest.password;

        var user = Meteor.users.findOne({
            $and: [
                {username: username},
                {password: password} 
            ]
        });
        if(!user) {
            // ERROR
        } else {
            // VERIFIED
        }
    });

then you can call this function from the client side like this:

    // FETCH THE USERNAME AND PASSWORD SOMEHOW
    var loginRequest = {username: username, password: password};

    Accounts.callLoginMethod({
        methodArguments: [loginRequest]
    });

I have a project on github for different purpose, but you can get a sense of how it is structured: https://github.com/534N/apitest

Hope this helps,

Upvotes: 0

Related Questions