
Meteor - How To Use Server Side Validation On Password

I'm performing server-side validation in the 'Accounts.onCreateUser' function so that I can pass the options object as well. I wasn't able to figure out how to do this with the val

Solution 1:

I've figured out the best manner to perform this. Hope this will help others.

I'm using a method on the server side to validate and return an error if there is one, then proceeding with the account creation.

// Ask the server to validate the form fields before creating the account.
Meteor.call('Validate_Registration', email, password, cpassword, firstname, lastname, terms, function(error) {
    if (error) {
        // Validation failed: show the reason returned by the server method.
        error = error.reason;
        $('#Error-Block').fadeIn().children('ul').html(error);
        console.log(error);
    } else {
        // Validation passed: create the account from the client.
        Accounts.createUser({
            username: email,
            email: email,
            password: password,
            profile: {
                firstname: firstname,
                lastname: lastname
            }
        }, function(error) {
            if (error) {
                error = error.reason;
                $('#Error-Block').fadeIn().children('ul').html(error);
            } else {
                // The new user is now logged in; trigger the verification e-mail.
                var uid = Accounts.connection.userId();
                Meteor.call('Verify_Email', uid, email);
                Router.go('/email-instructions');
            }
        });
    }
});

The only thing I'm unsure of at this point is if it's correct to use:

var uid = Accounts.connection.userId();

This seems to be local to the current user only, and is stored in the user's local storage.
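
A sketch of what the server side of the 'Validate_Registration' call above could look like. This is an added example, not code from the original answer. The policy values (8-character minimum, email pattern and length cap), the helper names `validateRegistration` and `toReason`, and the 400 error code are assumptions, and the method receives the password as typed, so it should only be called over SSL.

```javascript
// Added example: server-side counterpart of the 'Validate_Registration' call.
// Policy values below are assumptions, not taken from the original answer.
const MIN_PASSWORD_LENGTH = 8;
const MAX_EMAIL_LENGTH = 254;
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

function validateRegistration(email, password, cpassword, firstname, lastname, terms) {
  const errors = [];
  const fields = { email, password, cpassword, firstname, lastname };

  // Method arguments arrive from the client as arbitrary values (objects,
  // arrays, null), so reject anything that is not a string before using it.
  for (const [name, value] of Object.entries(fields)) {
    if (typeof value !== 'string') errors.push(name + ' must be a string');
  }
  if (errors.length > 0) return errors;

  if (email.length > MAX_EMAIL_LENGTH || !EMAIL_RE.test(email)) {
    errors.push('Email address is not valid');
  }
  if (password.length < MIN_PASSWORD_LENGTH) {
    errors.push('Password must be at least ' + MIN_PASSWORD_LENGTH + ' characters');
  }
  if (password !== cpassword) errors.push('Passwords do not match');
  if (firstname.trim() === '') errors.push('First name is required');
  if (lastname.trim() === '') errors.push('Last name is required');
  if (terms !== true) errors.push('Terms must be accepted');
  return errors;
}

// The client inserts error.reason with .html(), so the reason is built only
// from the fixed strings above and never echoes user input back.
function toReason(errors) {
  return errors.map((e) => '<li>' + e + '</li>').join('');
}

// Registered only when this file is loaded inside a Meteor server.
if (typeof Meteor !== 'undefined' && Meteor.isServer) {
  Meteor.methods({
    Validate_Registration(email, password, cpassword, firstname, lastname, terms) {
      const errors = validateRegistration(email, password, cpassword, firstname, lastname, terms);
      if (errors.length > 0) throw new Meteor.Error(400, toReason(errors));
    }
  });
}
```

Because Accounts.createUser is a separate client call, this method is a check the client chooses to make; the policy is only enforced if account creation itself also goes through server code that applies it.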


Solution 2:

Accounts-password uses SRP, which is a bit complicated so I won't describe it fully here. The actual check of the hashed tokens happens around here. Basically, the password does not arrive at the server as a plain text string, therefore you will not be able to enforce password policy on the server while using SRP.

Also notably around here there is a DDP only "plaintext" login option for those who (understandably) don't want to implement SRP on their own. As advertised, it should only be used if the user is connected w/ SSL. I would probably start there.

In the meantime, you can at least do some client side enforcing until you can roll your server-side login handler.

You may also want to check out this meteorhacks article for a custom login handler tutorial.


Solution 3:

According to the documentation, the password "is not sent in plain text over the wire", so the password string you're looking at on the server side is not the same as what the user typed in.

EDIT: At least, that's what I think.

EDIT2: Found a comment in another question that confirms it.

