Verify user password in Meteor

Question

There are some irreversible actions that user can do in my app. To add a level of security, I'd like to verify that the person performing such an action is actually the logged in user. How can I achieve it?

• For users with passwords, I'd like a prompt that would ask for entering user password again. How can I later verify this password, without sending it over the wire?

• Is a similar action possible for users logged via external service? If yes, how to achieve it?

Answer 1

I can help with the first question. As of this writing, meteor doesn't have a checkPassword method, but here's how you can do it:

On the client, I'm going to assume you have a form with an input called password and a button called check-password. The event code could look something like this:

Template.userAccount.events({
  'click #check-password': function() {
    var digest = Package.sha.SHA256($('#password').val());
    Meteor.call('checkPassword', digest, function(err, result) {
      if (result) {
        console.log('the passwords match!');
      }
    });
  }
});

Then on the server, we can implement the checkPassword method like so:

Meteor.methods({
  checkPassword: function(digest) {
    check(digest, String);

    if (this.userId) {
      var user = Meteor.user();
      var password = {digest: digest, algorithm: 'sha-256'};
      var result = Accounts._checkPassword(user, password);
      return result.error == null;
    } else {
      return false;
    }
  }
});

For more details, please see my blog post. I will do my best to keep it up to date.

Answer 2

I haven't done this before, but I think you will need something like this on your server

    Accounts.registerLoginHandler(function(loginRequest) {
        console.log(loginRequest)
        var userId    = null;
        var username  = loginRequest.username;
        // I'M NOT SURE HOW METEOR PASSWORD IS HASHED...
        // SO YOU NEED TO DO A BIT MORE RESEARCH ON THAT SIDE
        // BUT LET'S SAY YOU HAVE IT NOW
        var password  = loginRequest.password;

        var user = Meteor.users.findOne({
            $and: [
                {username: username},
                {password: password} 
            ]
        });
        if(!user) {
            // ERROR
        } else {
            // VERIFIED
        }
    });

then you can call this function from the client side like this:

    // FETCH THE USERNAME AND PASSWORD SOMEHOW
    var loginRequest = {username: username, password: password};

    Accounts.callLoginMethod({
        methodArguments: [loginRequest]
    });

I have a project on github for different purpose, but you can get a sense of how it is structured: https://github.com/534N/apitest

Hope this helps,