I am creating a user registration web page using Meteor's accounts-password package. I don't want a user to be logged in immediately after registration, so I send the request from the client to the server, and the server invokes Accounts.createUser({username: someusername, password: somepassword})
. The purpose of the registration page is that an admin user registers other users. Some of those users have special privileges that allow them to log in later.
My question is, when the client sends a request to the server, say for example,
// Payload for the server-side "addUser" method. Whatever is put in here is
// serialized as-is into the DDP message, so the raw password is on the wire
// unless the connection runs over TLS (wss://).
var userParams = {
  username: someusername,
  password: somepassword
};

Meteor.call("addUser", userParams);
am I sending the password as plaintext over the wire from the client to the server? Sorry if this sounds like a stupid question. I looked at the traffic between the client and the server with Wireshark and did not see the plaintext password in the IP packets.
I would like to use the functionality of accounts-password because I want registered users with special privileges to login and logout later on.
So, I was wondering could someone please shed some light on this issue? Has someone else done something like this before (i.e. register users on the server side from a client request)? I would like to hear your recommendations.
The best way to handle this scenario is the accounts-password enrollment flow, Accounts.sendEnrollmentEmail:
// Create the account without a password (server side); the enrollment e-mail
// carries the one-time link through which the user sets their own password.
var user_id = Accounts.createUser({
  email: someemail,
  username: someusername
});

Accounts.sendEnrollmentEmail(user_id);
You can create an account without a password, allowing the user to add a password later through a link sent to their email address.
If this approach fits your requirement, there are a few more things to know.
The callback to run after the user clicks the link in the email is registered with Accounts.onEnrollmentLink.
According to the documentation, the next step is to pass the token to Accounts.resetPassword. The token and a done callback are passed as arguments to the Accounts.onEnrollmentLink handler; calling done resumes the normal login flow. The Accounts.resetPassword call can live on the client side.
Read the documentation carefully for additional details.
In reality any web app that creates user accounts and has users submit credentials must be served over HTTPS — for Meteor that also means the DDP WebSocket runs over wss://. With TLS in place, a password passed from the client to the server in a Meteor.call is protected in transit; the server still receives it in the clear and should hand it straight to Accounts.createUser, which stores only a hash. Not seeing the password in a Wireshark capture of a plain HTTP connection does not mean it was encrypted: client-to-server WebSocket frames are XOR-masked by the protocol, which is likely why a naive search of the capture found nothing, but the mask is trivially reversible by anyone on the path.
If you already have users and want to create other users from an "admin" account, I recommend the alanning:meteor-roles package.
Use the following code. In projectName/server/server.js define these methods:
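// Server-side methods behind the admin "register users" page.
//
// Any connected client can invoke these with Meteor.call, so the authorization
// check has to live here: the {{#if isInRole}} helper on the client only hides
// markup and is not a security boundary.
var ADMIN_ROLES = ["Admin", "Super-Admin"];
// Role values offered by the register template; anything else is rejected.
var ASSIGNABLE_ROLES = ["Admin", "Super-Admin", "Normal"];

// Throws a Meteor.Error unless the caller is logged in and holds an admin role.
function requireAdmin(callerId) {
  if (!callerId) {
    throw new Meteor.Error("not-authorized", "You must be logged in");
  }
  if (!Roles.userIsInRole(callerId, ADMIN_ROLES)) {
    throw new Meteor.Error("not-authorized", "Admin role required");
  }
}

Meteor.methods({
  // Creates an account (email + password) and assigns it `roles`.
  //   email, password: non-empty strings. The password arrives in plain text
  //     inside the DDP message, so the app must be served over TLS (wss://);
  //     accounts-password hashes it before storing it.
  //   roles: a single string, one of ASSIGNABLE_ROLES (the form sends one value).
  //   name: optional profile name; the register template does not send it.
  // Returns the new user's _id. Throws Meteor.Error on invalid input or when
  // the caller is not an Admin / Super-Admin.
  createUsers: function (email, password, roles, name) {
    requireAdmin(this.userId);

    if (typeof email !== "string" || email.length === 0) {
      throw new Meteor.Error("invalid-argument", "email must be a non-empty string");
    }
    if (typeof password !== "string" || password.length === 0) {
      throw new Meteor.Error("invalid-argument", "password must be a non-empty string");
    }
    if (ASSIGNABLE_ROLES.indexOf(roles) === -1) {
      throw new Meteor.Error("invalid-argument", "unknown role: " + roles);
    }
    // TODO(review): if Admin is meant to rank below Super-Admin, also reject
    // roles === "Super-Admin" unless the caller is a Super-Admin; otherwise an
    // Admin can create a Super-Admin account and escalate through it.

    var options = { email: email, password: password };
    if (typeof name === "string") {
      options.profile = { name: name };
    }
    var id = Accounts.createUser(options);
    Roles.addUsersToRoles(id, [roles]);
    return id;
  },

  // Deletes a user. Accepts either the _id string or the {_id: ...} selector
  // object that the register template's click handler sends. Throws
  // Meteor.Error unless the caller is an admin; a caller cannot delete their
  // own account.
  deleteUser: function (id) {
    requireAdmin(this.userId);

    var userId = (id && typeof id === "object") ? id._id : id;
    if (typeof userId !== "string" || userId.length === 0) {
      throw new Meteor.Error("invalid-argument", "user id required");
    }
    if (userId === this.userId) {
      throw new Meteor.Error("not-authorized", "You cannot delete your own account");
    }
    return Meteor.users.remove({ _id: userId });
  }
});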
Then, in another server file such as projectName/server/publish.js, publish the roles and the user lists:
//publish roles
// Null publication: every connected client, logged in or not, receives the
// whole roles collection (role names only).
Meteor.publish(null, function () {
  var allRoles = Meteor.roles.find({});
  return allRoles;
});
// "Super-Admin": the full user list for callers holding that role. Only
// emails, profile and roles are projected, which keeps `services` (password
// hashes, login tokens) off the wire. Anyone else has the subscription stopped
// and receives no documents.
Meteor.publish("Super-Admin", function () {
  var caller = Meteor.users.findOne({ _id: this.userId });
  if (!Roles.userIsInRole(caller, ["Super-Admin"])) {
    this.stop();
    return;
  }
  return Meteor.users.find({}, { fields: { emails: 1, profile: 1, roles: 1 } });
});
// "Admin": same user list and field projection as "Super-Admin", gated on the
// Admin role. Non-admins have the subscription stopped with no data.
Meteor.publish("Admin", function () {
  var caller = Meteor.users.findOne({ _id: this.userId });
  if (!Roles.userIsInRole(caller, ["Admin"])) {
    this.stop();
    return;
  }
  return Meteor.users.find({}, { fields: { emails: 1, profile: 1, roles: 1 } });
});
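// NOTE(review): a second, identical Meteor.publish(null, ...) of Meteor.roles
// used to sit here and was removed. The null publication at the top of this
// file already sends the roles collection to every client; registering it
// twice only makes each client receive the same cursor twice.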
Now, in projectName/client/register/register.html, use this template:
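<template name="register">
  <!-- No action attribute: the submit handler in register.js calls preventDefault
       and sends the values through Meteor.call instead of a page navigation. -->
  <form id="register-form">
    <input type="email" id="register-email" placeholder="Nombre Nuevo Usuario" required>
    <!-- autocomplete="new-password" stops the browser from autofilling the admin's own password -->
    <input type="password" id="register-password" placeholder="Password" autocomplete="new-password" required>
    <!-- Only one option may carry `selected`; the original marked all three. -->
    <select id="register-rol" class="form-control">
      <option value="Admin" selected>Admin</option>
      <option value="Super-Admin">Super Admin</option>
      <option value="Normal">Normal</option>
    </select>
    <input type="submit" value="Register">
  </form>
  <!-- User list with a delete button per row. Inside #each, `this` is the user
       document, which is where the click handler reads _id from. The repeated
       id="deleteUser" is invalid HTML but is what the handler selects on; switch
       both sides to a class together. -->
  <ul>
    {{#each users}}
      <li>
        <h6>{{email}}</h6><h6>{{roles}}</h6>
        <button id="deleteUser" class="btn btn-danger btn-xs"> Borrar Usuario {{email}} </button>
      </li>
    {{/each}}
  </ul>
</template>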
and in projectName/client/register/register.js:
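// Event handlers for the "register" template (the name used in register.html;
// the original used Template.registrar, which matches no template and so
// attached nothing).
Template.register.events({
  // Read the form and ask the server to create the account. The password is
  // sent as-is inside the DDP message, so the app must be served over TLS
  // (wss://). Authorization is the server method's job, not this handler's.
  "submit #register-form": function (e, t) {
    e.preventDefault();
    var email = t.find("#register-email").value;
    var password = t.find("#register-password").value;
    var roles = t.find("#register-rol").value;
    Meteor.call("createUsers", email, password, roles, function (err) {
      // Surface server-side rejections (not-authorized, invalid-argument)
      // instead of dropping them silently.
      if (err) {
        console.error("createUsers failed:", err.reason || err.message);
      }
    });
    return false;
  },

  // `this` is the user document from the {{#each users}} block; the server
  // accepts the bare _id string.
  "click #deleteUser": function (event, template) {
    Meteor.call("deleteUser", this._id, function (err) {
      if (err) {
        console.error("deleteUser failed:", err.reason || err.message);
      }
    });
  }
});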
//Helper for the {{each}} on the .html
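// Helpers for the "register" template (matches the name in register.html;
// Template.registrar matched nothing).
Template.register.helpers({
  // The user documents the server has published to this client. With the
  // "Admin" / "Super-Admin" publications that is every user, limited to the
  // emails, profile and roles fields; a non-admin client gets nothing.
  users: function () {
    return Meteor.users.find();
  },
  // First e-mail address, or "" for an account created without one (e.g. a
  // username-only user), rather than throwing on this.emails[0].
  email: function () {
    var emails = this.emails;
    return (emails && emails.length > 0) ? emails[0].address : "";
  },
  // Comma-joined role names, or "<none>" when the user has no roles field.
  // Assumes roles is a plain array (no role groups) — confirm if groups are used.
  roles: function () {
    if (!this.roles) return "<none>";
    return this.roles.join(",");
  }
});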
and finally, in a client-side subscription file, subscribe to the user publications:
// Request both admin publications; the server stops whichever one the current
// user is not entitled to, so every client can run this unconditionally.
["Admin", "Super-Admin"].forEach(function (publicationName) {
  Meteor.subscribe(publicationName);
});
With this in place you can use the roles helper in your templates like this:
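{{! Role names are case-sensitive: the server assigns "Admin", so 'admin' never
    matched. This only hides markup on the client; the real check belongs in the
    server methods and publications. }}
{{#if isInRole 'Admin'}}
  <h1> hello Admin </h1>
{{else}}
  <h1> sorry bro just admin can look at this page</h1>
{{/if}}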
With this you have finer control over how users are created and what each user can see in the templates, and you can define whatever roles you need with the same pattern. Keep in mind that {{#if isInRole}} only hides markup on the client: every method and publication that creates, deletes or lists users must check the caller's role on the server, because any client can invoke Meteor.call directly.
GL.