
I have a Chrome extension that communicates with my Meteor app through a REST API created with the Restivus package.

The user authenticates to the REST API and then uses authenticated tokens to make any further requests.

So far, everything works fine, as long as he stays within the extension. However, from the Chrome extension, I'd like to redirect the user to his profile page on my main website. When that happens, he's no longer authenticated, and must sign in again to access the profile page.

I figure this is because the REST API session and the webpage session are two completely different sessions on the server (even though both the API and the webpage run from the same server). My question is, is there a way to maintain the user's logged-in state as he moves from the extension to the main website?

I figure there are a few options:

  1. I'm using the standard Meteor accounts package. Is there a way to push whatever standard cookie / data the accounts package uses to the user's browser, so that when he goes to the website, he'll be considered logged in?
  2. Push a custom cookie to the user, which I then check for and log him in with when he first comes to the website. However, I don't know how to push a cookie through a REST API or generate one in the Chrome extension.
  3. Use DDP to communicate with the second session and transfer the login credentials.

I don't know if these are the best options (or even how to implement them if they are...). Has anyone figured out a way to do this already? Thanks!

Hashcut
  • You could probably have your extension inject some code into the login page with the current login token, then have your login page look for the token and use it to log in – coagmano Feb 22 '18 at 02:06

1 Answer

I would suggest you develop your own authentication flow using a token as a URL parameter. You should achieve an experience similar to the one Slack provides with magic authentication links.

The idea is to generate a token and add it to the Meteor.users collection for the user logged in to your Chrome extension.

Then, redirect your user to a URL with the token as a parameter. The app checks which user is linked with this token and logs him in.

You can get inspiration from what is done in the accounts package to handle enrollment and reset links, or in the passwordless package.

Victor