Verify user password in Meteor

Asked 13/8, 2013 at 16:33 Answered 17/1, 2022 at 9:13

Solved javascript passwords meteor user-accounts meteorite

There are some irreversible actions that user can do in my app. To add a level of security, I'd like to verify that the person performing such an action is actually the logged in user. How can I achieve it?

For users with passwords, I'd like a prompt that would ask for entering user password again. How can I later verify this password, without sending it over the wire?
Is a similar action possible for users logged via external service? If yes, how to achieve it?

Nonalcoholic answered 13/8, 2013 at 16:33 Comment(2)

You need a security system. Start here: https://mcmap.net/q/234149/-what-security-mechanisms-does-meteor-have-closed – Therron 13/8, 2013 at 16:34

That's completely unrelated. I've got a working app with accounts-password installed. I don't want to create a whole security system, I just want to verify the already logged in user. – Nonalcoholic 13/8, 2013 at 17:43

I can help with the first question. As of this writing, meteor doesn't have a checkPassword method, but here's how you can do it:

On the client, I'm going to assume you have a form with an input called password and a button called check-password. The event code could look something like this:

Template.userAccount.events({
  'click #check-password': function() {
    var digest = Package.sha.SHA256($('#password').val());
    Meteor.call('checkPassword', digest, function(err, result) {
      if (result) {
        console.log('the passwords match!');
      }
    });
  }
});

Then on the server, we can implement the checkPassword method like so:

Meteor.methods({
  checkPassword: function(digest) {
    check(digest, String);

    if (this.userId) {
      var user = Meteor.user();
      var password = {digest: digest, algorithm: 'sha-256'};
      var result = Accounts._checkPassword(user, password);
      return result.error == null;
    } else {
      return false;
    }
  }
});

For more details, please see my blog post. I will do my best to keep it up to date.

Veal answered 13/8, 2013 at 21:43 Comment(6)

I want to use this, but as it relies on undocumented internals, it makes me a little uneasy. Are you using this in a production app? – Citation 27/8, 2013 at 14:26

I am using it a production app, and you are right to feel uneasy about this - I certainly do. – Veal 27/8, 2013 at 14:47

I'm trying it out now, and I get a "TypeError: Cannot read property 'Client' of undefined". It looks like Meteor._srp is undefined in the latest Meteor :( – Citation 27/8, 2013 at 15:42

Thank you for keeping this answer updated, @David. I hope eventually we can reach a way to do this that is version-independent. – Citation 10/3, 2014 at 22:31

@DavidWeldon it's not working (version 1.4). always got Incorrect password despite correct current password – Hass 18/10, 2016 at 14:47

@AbdulHameed I'd recommend double checking your implementation - this still works for me in meteor 1.4.2. – Veal 27/10, 2016 at 21:26

I haven't done this before, but I think you will need something like this on your server


    Accounts.registerLoginHandler(function(loginRequest) {
        console.log(loginRequest)
        var userId    = null;
        var username  = loginRequest.username;
        // I'M NOT SURE HOW METEOR PASSWORD IS HASHED...
        // SO YOU NEED TO DO A BIT MORE RESEARCH ON THAT SIDE
        // BUT LET'S SAY YOU HAVE IT NOW
        var password  = loginRequest.password;

        var user = Meteor.users.findOne({
            $and: [
                {username: username},
                {password: password} 
            ]
        });
        if(!user) {
            // ERROR
        } else {
            // VERIFIED
        }
    });

then you can call this function from the client side like this:


    // FETCH THE USERNAME AND PASSWORD SOMEHOW
    var loginRequest = {username: username, password: password};

    Accounts.callLoginMethod({
        methodArguments: [loginRequest]
    });

I have a project on github for different purpose, but you can get a sense of how it is structured: https://github.com/534N/apitest

Hope this helps,

Boonie answered 13/8, 2013 at 19:37 Comment(0)

I have found the best way to validate the users password is to use the Accounts.changePassword command and pass in the same password for old and new password. https://docs.meteor.com/api/passwords.html#Accounts-changePassword

Accounts.changePassword(this.password, this.password, (error) => {
  if(error) {
    //The password provided was incorrect
  }
})

If the password provided is wrong, you will get an error back and the users password will not be changed.

If the password is correct, the users password will be updated with the same password as is currently set.

Hinkel answered 17/1, 2022 at 9:13 Comment(0)

Recommended topics

Hot tags