
Many websites ask for the password again when the user tries to change an important setting (even if they are already logged in).

How can I achieve that with Meteor?

aBe
  • You are totally right. It's a duplicate. Unfortunately I did not search for the right terms. – aBe Jun 16 '15 at 17:22

1 Answer


Accounts now provides (been a while now) a convenient Accounts._checkPassword method. It only works server-side, but David Weldon wrote a nice tutorial just for what you are asking:

meteor: check a user's password

For convenience and archiving purposes, here are the code samples. I removed the encryption part for less complexity. (You should use SSL rather than rely on client-side encryption anyway, but that's another story.)

On the client side, we catch the password input event and call a custom server method:

Template.userAccount.events({
  'click #check-password': function() {
    var password = $('#password').val();
    Meteor.call('checkPassword', password, function(err, result) {
      if (result) {
        console.log('the passwords match!');
      }
    });
  }
});

Then on the server side, here is the method defined for calling _checkPassword and answering to our client:

Meteor.methods({
  checkPassword: function(password) {
    // Reject anything that is not a string before touching the user record.
    check(password, String);
    // Only a logged-in user may re-check a password, and only their own.
    if (this.userId) {
      var user = Meteor.user();
      // Server-only helper; resolves with {userId} or with an error field set.
      var result = Accounts._checkPassword(user, password);
      return result.error == null;
    } else {
      return false;
    }
  }
});
SylvainB
  • The discussion you linked about SSL and the issues with client side encryption seems like a big deal to me. I'm not very educated in security matters, but can you confirm for me that it can be relevant to use a https proxy + the native client side hash to solve this, even if it is not bullet proof? – Billybobbonnet Jun 16 '15 at 17:21
  • How did you find Accounts._checkPassword? I did not find it on the documentation. – aBe Jun 16 '15 at 17:24
  • I am afraid it is because it is not documented. This is from the 0.8.2 release. Have a look here for more info: https://dweldon.silvrback.com/check-password – Billybobbonnet Jun 16 '15 at 17:33
  • @Billybobbonnet Short answer: yes, it does add a layer of safety. But hashes are known to be easily reversible through querying password hash databases (called rainbow tables), so it merely adds very little complexity for the hacker, and overall, gives you an illusion of security, which is the worst that can happen to you as an application developer. – SylvainB Jun 16 '15 at 17:46
  • That is why I personally gave up on encrypting on the client side. To me, it's a bit like adding wooden planks behind a vault door. It's completely pointless to an extent, and if users only see the planks (such as in David's example) they might think that it is sufficient and they don't need SSL. (usually because they haven't even heard of it) – SylvainB Jun 16 '15 at 17:50