Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Verify user password in Meteor

There are some irreversible actions that user can do in my app. To add a level of security, I'd like to verify that the person performing such an action is actually the logged in user. How can I achieve it?

  • For users with passwords, I'd like a prompt that would ask for entering user password again. How can I later verify this password, without sending it over the wire?

  • Is a similar action possible for users logged via external service? If yes, how to achieve it?

like image 391
Hubert OG Avatar asked Aug 13 '13 16:08

Hubert OG


1 Answers

I can help with the first question. As of this writing, meteor doesn't have a checkPassword method, but here's how you can do it:

On the client, I'm going to assume you have a form with an input called password and a button called check-password. The event code could look something like this:

Template.userAccount.events({
  'click #check-password': function() {
    var digest = Package.sha.SHA256($('#password').val());
    Meteor.call('checkPassword', digest, function(err, result) {
      if (result) {
        console.log('the passwords match!');
      }
    });
  }
});

Then on the server, we can implement the checkPassword method like so:

Meteor.methods({
  checkPassword: function(digest) {
    check(digest, String);

    if (this.userId) {
      var user = Meteor.user();
      var password = {digest: digest, algorithm: 'sha-256'};
      var result = Accounts._checkPassword(user, password);
      return result.error == null;
    } else {
      return false;
    }
  }
});

For more details, please see my blog post. I will do my best to keep it up to date.

like image 181
David Weldon Avatar answered Sep 17 '22 20:09

David Weldon