Meteor RESTful Authentication. Is it possible?

Question

I have searched around but cant find an a satisfactory answer to this question.

I have a meteor website where users login and create content. I also want to create a pho

Answer 1

I published a package for writing REST APIs in Meteor 0.9.0+ that supports authentication. It is meant to replace RestStop2 (the accepted answer) now that it is deprecated, and has a similar API:

https://github.com/krose72205/meteor-restivus

It was inspired by RestStop2 and built with Iron Router's server-side routing.

UPDATE: I just wanted to include a code example for anyone that finds this. This is the Restivus Quick Start example from the GitHub README:

Items = new Mongo.Collection 'items'

if Meteor.isServer

  # API must be configured and built after startup!
  Meteor.startup ->

    # Global API configuration
    Restivus.configure
      useAuth: true
      prettyJson: true

    # Generates: GET, POST, DELETE on /api/items and GET, PUT, DELETE on
    # /api/items/:id for Items collection
    Restivus.addCollection Items

    # Generates: GET, POST on /api/users and GET, DELETE /api/users/:id for
    # Meteor.users collection
    Restivus.addCollection Meteor.users,
      excludedEndpoints: ['deleteAll', 'put']
      routeOptions:
        authRequired: true
      endpoints:
        post:
          authRequired: false
        delete:
          roleRequired: 'admin'

    # Maps to: /api/posts/:id
    Restivus.addRoute 'posts/:id', authRequired: true,
      get: ->
        post = Posts.findOne @urlParams.id
        if post
          status: 'success', data: post
        else
          statusCode: 404
          body: status: 'fail', message: 'Post not found'
      post:
        roleRequired: ['author', 'admin']
        action: ->
          post = Posts.findOne @urlParams.id
          if post
            status: "success", data: post
          else
            statusCode: 400
            body: status: "fail", message: "Unable to add post"
      delete:
        roleRequired: 'admin'
        action: ->
          if Posts.remove @urlParams.id
            status: "success", data: message: "Item removed"
          else
            statusCode: 404
            body: status: "fail", message: "Item not found"

Answer 2

A few days ago I started on an app with similar requirements regarding authentication. I found that Differential's RESTstop2 recently, in version 0.6.0, upgraded their authentication support to support the newly added Bcrypt encryption in Meteor.

You simply send username and password either as URL params or body like this:

curl --data "password=testpassword&user=test" http://localhost:3000/api/login/

and the server will return the following (if credentials are correct):

{ success: true, loginToken: "f2KpRW7KeN9aPmjSZ", userId: fbdpsNf4oHiX79vMJ }

On each request you make to the server, include the loginToken and userId as headers.

You should check it out:

Docs: http://github.differential.io/reststop2/

Github: https://github.com/Differential/reststop2

Answer 3

Another option (besides RESTstop2 mentioned in other answer), you can use stand-alone api-password package from Atmosphere, which does exactly what you need: authenticate REST calls on the server side. It supports Meteor 0.8.2 (with bcrypt) as well.

Example for the server side

  try {
    if (ApiPassword.isPasswordValid(username, password)) {
      console.log('password is valid for this user');
    } else {
      console.log('password is not valid');
    }

  } catch (exc) {
      console.log(exc.message);
      // possible causes: 'User is not found', 'User has no password set'
  }