Meteor.user() on iron-router server side

Question

How can check, on server side route, if user is logged?

I would add check on \'before\', but Metor.user() don\'t work here.

thanks in advance.

p.s. I

Answer 1

If what you're looking to do is to authenticate the Meteor.user making the request, I'm currently doing this within the context of IronRouter.route(). The request must be made with a valid user ID and auth token in the header. I call this function from within Router.route(), which then gives me access to this.user:

###
  Verify the request is being made by an actively logged in user
  @context: IronRouter.Router.route()
###
authenticate = ->
  # Get the auth info from header
  userId = this.request.headers['x-user-id']
  loginToken = this.request.headers['x-auth-token']

  # Get the user from the database
  if userId and loginToken
    user = Meteor.users.findOne {'_id': userId, 'services.resume.loginTokens.token': loginToken}

  # Return an error if the login token does not match any belonging to the user
  if not user
    respond.call this, {success: false, message: "You must be logged in to do this."}, 401

  # Attach the user to the context so they can be accessed at this.user within route
  this.user = user

  ###
    Respond to an HTTP request
    @context: IronRouter.Router.route()
  ###
  respond = (body, statusCode=200, headers={'Content-Type':'text/json'}) ->
    this.response.writeHead statusCode, headers
    this.response.write(JSON.stringify(body))
    this.response.end()

This code was heavily inspired by RestStop and RestStop2. It's part of a meteor package for writing REST APIs in Meteor 0.9.0+ (built on top of Iron Router). You can check out the complete source code here:

https://github.com/krose72205/meteor-restivus

Answer 2

I'm afraid that this is not possible. I guess that the problem comes from the fact that you're trying to connect to the server with two different protocols - both literally and in logically - so there is no obvious way to relate this two actions.

There is, however, a pretty simple solution that may suit your needs. You'll need to develop a simple system of privileges tokens, or secret keys, or whatever you call them. First, create a server method

var Secrets = new Meteor.Collection("secrets"); // only on server!!!

Meteor.methods({
  getSecretKey: function () {
    if (!this.userId)
      // check if the user has privileges
      throw Meteor.Error(403);
    return Secrets.insert({_id: Random.id(), user: this.userId});
  },
});

Then, you can now use it on the client to get the secretKey which attach to your AJAX request (or something), either within the HTTP header or in the URL itself. Fear not! They will all be encrypted if you're using HTTPS.

On the server side you can now retrieve the secretKey from the incoming request and check if it is present in the Secrets collection. You'll know then if the user is granted certain privileges or not. Also you may want to remove your secret keys from the collection after some time for safety reasons.