Verify user password in Meteor

耶瑟儿~ 2020-12-01 13:48

There are some irreversible actions that a user can do in my app. To add a level of security, I'd like to verify that the person performing such an action is actually the log

2 Answers
  • 2020-12-01 13:54

    I can help with the first question. As of this writing, Meteor doesn't have a checkPassword method, but here's how you can do it:

    On the client, I'm going to assume you have a form with an input called password and a button called check-password. The event code could look something like this:

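    Template.userAccount.events({
      'click #check-password': function() {
        // Hash in the browser so the method receives a SHA-256 digest, not the raw password
        var digest = Package.sha.SHA256($('#password').val());
        Meteor.call('checkPassword', digest, function(err, result) {
          if (err) {
            console.log('password check failed:', err.reason);
          } else if (result) {
            console.log('the passwords match!');
          }
        });
      }
    });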
    

    Then on the server, we can implement the checkPassword method like so:

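    Meteor.methods({
      checkPassword: function(digest) {
        // Reject anything that is not a string before it reaches the accounts code
        check(digest, String);

        // Only a logged-in connection can check, and only its own password
        if (this.userId) {
          var user = Meteor.user();
          var password = {digest: digest, algorithm: 'sha-256'};
          // _checkPassword is a private accounts-password helper (note the underscore)
          var result = Accounts._checkPassword(user, password);
          return result.error == null;
        } else {
          return false;
        }
      }
    });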
    

    For more details, please see my blog post. I will do my best to keep it up to date.

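A stand-alone Node.js version of the server-side check described in the answer above, added here as an example and not taken from the answers or from Meteor: the client sends only the SHA-256 digest, the server compares a slow salted hash of it in constant time, and failed checks are capped per user because a re-authentication method is otherwise an online guessing oracle for whoever holds the session. Assumptions: scrypt stands in for the bcrypt hash that Meteor's accounts-password keeps, and `makeUser`, the return values of this `checkPassword`, the record field names and the 5-failures-per-10-minutes limit are hypothetical.

```javascript
// Added example: plain Node.js stand-in for the server-side check (not Meteor code).
const nodeCrypto = require('crypto');

const MAX_FAILURES = 5;            // assumed policy
const WINDOW_MS = 10 * 60 * 1000;  // assumed policy: 10 minutes
const failures = new Map();        // userId -> timestamps of recent failed checks

// What the browser sends: hex SHA-256 of the typed password.
function clientDigest(password) {
  return nodeCrypto.createHash('sha256').update(password, 'utf8').digest('hex');
}

// Slow salted hash of the digest; scrypt stands in for bcrypt here.
function hashDigest(digest, salt) {
  return nodeCrypto.scryptSync(digest, salt, 32);
}

// Constructed user record; the field names are hypothetical.
function makeUser(id, password) {
  const salt = nodeCrypto.randomBytes(16);
  return { _id: id, salt, hash: hashDigest(clientDigest(password), salt) };
}

// Returns 'ok', 'mismatch' or 'locked' for the logged-in user's own record.
function checkPassword(user, digest, now = Date.now()) {
  const recent = (failures.get(user._id) || []).filter((t) => now - t < WINDOW_MS);
  if (recent.length >= MAX_FAILURES) {
    failures.set(user._id, recent);
    return 'locked'; // refuse to evaluate further guesses inside the window
  }
  // Accept only a 64-character lowercase hex digest; still hash so timing stays similar.
  const wellFormed = typeof digest === 'string' && /^[0-9a-f]{64}$/.test(digest);
  const candidate = hashDigest(wellFormed ? digest : 'invalid', user.salt);
  if (wellFormed && nodeCrypto.timingSafeEqual(candidate, user.hash)) {
    failures.delete(user._id);
    return 'ok';
  }
  recent.push(now);
  failures.set(user._id, recent);
  return 'mismatch';
}
```

In a Meteor app the same cap can be expressed as a DDPRateLimiter rule on the method name instead of a hand-rolled map.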
  • 2020-12-01 14:06

    I haven't done this before, but I think you will need something like this on your server

    
        Accounts.registerLoginHandler(function(loginRequest) {
            var username  = loginRequest.username;
            // I'M NOT SURE HOW METEOR PASSWORD IS HASHED...
            // SO YOU NEED TO DO A BIT MORE RESEARCH ON THAT SIDE
            // BUT LET'S SAY YOU HAVE IT NOW
            var password  = loginRequest.password;

            var user = Meteor.users.findOne({
                $and: [
                    {username: username},
                    {password: password}
                ]
            });
            if(!user) {
                // ERROR
                throw new Meteor.Error(403, 'Incorrect password');
            } else {
                // VERIFIED
                return {userId: user._id};
            }
        });
    
    

    Then you can call this function from the client side like this:

    
        // FETCH THE USERNAME AND PASSWORD SOMEHOW
        var loginRequest = {username: username, password: password};
    
        Accounts.callLoginMethod({
            methodArguments: [loginRequest]
        });
    
    

    I have a project on GitHub for a different purpose, but you can get a sense of how it is structured: https://github.com/534N/apitest

    Hope this helps,
