javascriptpasswordsmeteoruser-accountsmeteorite

Verify user password in Meteor


There are some irreversible actions that user can do in my app. To add a level of security, I'd like to verify that the person performing such an action is actually the logged in user. How can I achieve it?


Solution

  • I can help with the first question. As of this writing, meteor doesn't have a checkPassword method, but here's how you can do it:

    On the client, I'm going to assume you have a form with an input called password and a button called check-password. The event code could look something like this:

    Template.userAccount.events({
      'click #check-password': function() {
        var digest = Package.sha.SHA256($('#password').val());
        Meteor.call('checkPassword', digest, function(err, result) {
          if (result) {
            console.log('the passwords match!');
          }
        });
      }
    });
    

    Then on the server, we can implement the checkPassword method like so:

    Meteor.methods({
      checkPassword: function(digest) {
        check(digest, String);
    
        if (this.userId) {
          var user = Meteor.user();
          var password = {digest: digest, algorithm: 'sha-256'};
          var result = Accounts._checkPassword(user, password);
          return result.error == null;
        } else {
          return false;
        }
      }
    });
    

    For more details, please see my blog post. I will do my best to keep it up to date.