Meteor: Block access to application if user's email is not verified

醉酒当歌 submitted on 2019-12-24 03:45:19

Question


Is there a way to restrict accessibility to the app and redirect the user to a path that renders a template stating "please check your email and verify your email"?

The user receives a verification link upon account creation; when they click it, emails.verified is then set to true - great.

Between the time of account creation and verifying their email, I would like to restrict access to the application. I don't want a user to create a profile on my app and post online, as they may be a 'malicious' user.

SOLUTION ONE?: Upon account creation, can I log the user out immediately and direct them to a path with the template message "please check your email and verify your email"?

Then, on Accounts.onLogin, check if a user's email is verified or not.

server.js

 // emails is an array of { address, verified } objects
 if (user.user.emails[0].verified === false) {
   // render "please verify email" template
 } else {
   // continue as usual
 }



Accounts.config({
 sendVerificationEmail: true,
 forbidClientAccountCreation: false,
 loginExpirationInDays: null
});

Is there a simpler and more logical method that I'm missing?


Answer 1:


If you are using Iron Router you can add a before hook:

Router.onBeforeAction(function(){
  if (Meteor.loggingIn()){
    this.render('loading');
  } else if (Meteor.user() && !Meteor.user().emails[0].verified){
    this.render('verification');
  } else {
    this.next();
  }
});



Answer 2:


If you are using Iron Router you can add logic to a route so that when you login you are redirected based on whether or not you have confirmed. This would also solve the problem of "logging out immediately" after a user registered. That doesn't sound like the best user experience. Routing with a bit of logic could solve that issue.




Answer 3:


You might have solved the problem, but I think it's worth sharing a few links that offer better approaches to solving this. They're router-agnostic and take advantage of an already existing method in the Accounts package.

[#1] On blocking the data published by server by checking against the user's email's verification status to ensure there's no data leakage: https://stackoverflow.com/a/15384012/3112047

[#2] On using Accounts.validateLoginAttempt to block login attempts if the Boolean parameter taken is set to false: https://stackoverflow.com/a/24940581/3112047
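
An added example, not part of the original answers or of the linked posts: the two server-side checks Answer 3 points to, written against Meteor's classic synchronous API. The publication name `posts`, the `Posts` collection and the sample user documents are assumptions made for illustration.

```javascript
// Added example: server-side enforcement of e-mail verification in Meteor.
// The decision logic lives in pure helpers so it can be run outside Meteor.

// True only if the user document has at least one verified address.
// Users created through OAuth services may have no `emails` array at all;
// they are treated as unverified here (an assumption of this example).
function hasVerifiedEmail(user) {
  return Boolean(user) && Array.isArray(user.emails) &&
    user.emails.some(function (e) { return Boolean(e) && e.verified === true; });
}

// Decision function for Accounts.validateLoginAttempt.
// `attempt` is the info object Meteor passes: { allowed, user, type, ... }.
// A falsy return value rejects the login.
function allowLogin(attempt) {
  if (!attempt.allowed) return false;     // an earlier check already failed
  return hasVerifiedEmail(attempt.user);  // deny unverified accounts
}

// Wiring: executes only inside a Meteor server, where these globals exist.
if (typeof Meteor !== 'undefined' && Meteor.isServer) {
  Accounts.validateLoginAttempt(allowLogin);

  // Defence in depth: publish nothing to a connection whose user is unverified.
  // 'posts' and Posts are hypothetical names.
  Meteor.publish('posts', function () {
    var user = this.userId && Meteor.users.findOne(this.userId);
    if (!hasVerifiedEmail(user)) return this.ready(); // empty result set
    return Posts.find();
  });
}

// Constructed sample user documents, for exercising the helpers under Node.
var SAMPLE_USERS = {
  unverified: { _id: 'u1', emails: [{ address: 'a@example.com', verified: false }] },
  verified:   { _id: 'u2', emails: [{ address: 'b@example.com', verified: true }] },
  oauthOnly:  { _id: 'u3', services: { github: {} } }
};
```

A router hook only changes what the client renders; these checks run on the server, so an unverified account can neither hold a session nor receive published documents.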



Source: https://stackoverflow.com/questions/30081524/meteor-block-access-to-application-if-users-email-is-not-verified
