What is the use of hashedToken inside Meteor.user

Hi, I am a newbie to Meteor and I would like to know what the use is of the hashedToken generated inside the Meteor.user object.

In Meteor documentation it is explained that the services object,

containing data used by particular login services. For example, its reset field contains tokens used by forgot password links, and its resume field contains tokens used to keep you logged in between sessions.

When I check localStorage, Meteor.loginToken seems different from the hashedToken.

So my questions are:
1. What is the difference between the Meteor.loginToken generated in local storage and the hashedToken generated inside the service object?
2. Also, why is resume.loginTokens inside the service object an array?

Any help is appreciated...

Fogarty answered 24/2, 2015 at 12:44 Comment(0)

So a loginToken is a string of characters that can be left on the computer similar to a cookie token. You don't want to leave the actual username and password on a computer so the token is used instead.

The token is then used to authenticate to the server and log in, in place of a username/password.

There are multiple of them in the array because you can be logged in on many devices at the same time. Each would have its own token.

The reason the tokens are hashed is an extra measure of security on the database. The tokens on the client are sha256 hashed and matched up against the already hashed ones in the database to try and log in the user automatically.

The reason they are hashed is so that no one can use them in loginToken localStorage form to log in as a certain user by copying one from the database and pasting it as a localStorage loginToken. It's similar to a plaintext password being able to be used to log in a user.

Quincey answered 24/2, 2015 at 13:46 Comment(7)
You mentioned that tokens are 'multiple of them in the array because you may have many browsers or multiple sessions. Each would have their own token'. So if there are many tokens created, then which token will be used for authentication? - Fogarty
@gopinathshiva Every time you log in (by typing your credentials in) a new token is created. If you have a browser not logged in or a separate computer where you log in, new login tokens will be created for each computer you're logged in on. Any token listed is valid to log in, and rightfully so, since you can remain logged in on more than one computer at the same time. - Quincey
@gopinathshiva What is your intention with the loginTokens? Perhaps I can provide a specific answer to what you want to use them for. - Quincey
I would like to know how Meteor is managing the array of tokens. If there are many tokens in the array, how does Meteor know which token to use for the respective login? Example: if I logged in using a laptop, phone and tablet, then 3 login tokens are created. When I again open the laptop, phone or tablet, how does Meteor know which token to use for the respective device? - Fogarty
Also, I would like to know when the generated login tokens are removed from the array. If they are automatically removed after expiry, then I would like to know how to remove them manually. - Fogarty
@gopinathshiva They are removed if they are expired using a cron job Meteor runs. To remove them manually you can use this method docs.meteor.com/#/full/meteor_logoutotherclients, then log yourself out if you want to clear all of them. If you have more questions that are unrelated to the original, please open others; this way it helps other users who may not find much help in the comments. - Quincey
Let us continue this discussion in chat. - Fogarty
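
The scheme discussed in the answer and comments above, as an added example that is not part of the original thread and is not Meteor's own code: a small Node.js model of raw tokens on the client, SHA-256 digests in the services.resume.loginTokens array, and cleanup of entries. The function names, the hex token format, the 90-day lifetime and the sample user are assumptions made for illustration.

```javascript
const { createHash, randomBytes } = require('crypto');

const EXPIRY_MS = 90 * 24 * 60 * 60 * 1000; // assumed token lifetime (90 days)

// Only this digest is stored in the database, never the raw token.
function hashLoginToken(rawToken) {
  return createHash('sha256').update(rawToken).digest('base64');
}

// Every login appends one entry, so each device ends up with its own token.
function login(user, now = Date.now()) {
  const rawToken = randomBytes(32).toString('hex');
  user.services.resume.loginTokens.push({ when: now, hashedToken: hashLoginToken(rawToken) });
  return rawToken; // the client keeps this, e.g. in localStorage
}

// Resume: hash the presented token and search for that digest. The server
// never picks "which token to use"; the client presents the one it holds.
function resume(users, presentedToken, now = Date.now()) {
  const hashed = hashLoginToken(presentedToken);
  const match = (t) => t.hashedToken === hashed && now - t.when < EXPIRY_MS;
  return users.find((u) => u.services.resume.loginTokens.some(match)) || null;
}

// Periodic cleanup: drop entries older than the lifetime.
function removeExpired(user, now = Date.now()) {
  const tokens = user.services.resume.loginTokens;
  user.services.resume.loginTokens = tokens.filter((t) => now - t.when < EXPIRY_MS);
}

// Manual cleanup (hypothetical helper): keep only the session holding currentRawToken.
function keepOnlyCurrentSession(user, currentRawToken) {
  const keep = hashLoginToken(currentRawToken);
  const tokens = user.services.resume.loginTokens;
  user.services.resume.loginTokens = tokens.filter((t) => t.hashedToken === keep);
}

// Constructed sample data: one user logged in on two devices.
function demo() {
  const alice = { username: 'alice', services: { resume: { loginTokens: [] } } };
  const laptop = login(alice, 0);
  const phone = login(alice, 0);
  const copied = alice.services.resume.loginTokens[0].hashedToken; // value read from the DB
  return {
    laptopResumes: resume([alice], laptop, 1) === alice,
    phoneResumes: resume([alice], phone, 1) === alice,
    copiedHashResumes: resume([alice], copied, 1) !== null,
  };
}
```

In `demo()`, both device tokens resume the session, while the digest copied out of the database does not, because the server hashes whatever is presented before comparing.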
