验证Meteor中的用户密码 [英] Verify user password in Meteor
问题描述
用户可以在我的应用中执行一些不可逆转的操作。为了增加安全级别,我想验证执行此类操作的人员实际上是登录用户。我怎样才能实现它?
There are some irreversible actions that user can do in my app. To add a level of security, I'd like to verify that the person performing such an action is actually the logged in user. How can I achieve it?
-
对于有密码的用户,我想要一个要求再次输入用户密码的提示。如何在不通过网络发送密码的情况下验证此密码?
For users with passwords, I'd like a prompt that would ask for entering user password again. How can I later verify this password, without sending it over the wire?
通过外部服务登录的用户是否可以采取类似的操作?如果是的话,如何实现呢?
Is a similar action possible for users logged via external service? If yes, how to achieve it?
推荐答案
我可以帮助第一个问题。在撰写本文时,meteor没有 checkPassword
方法,但是你可以这样做:
I can help with the first question. As of this writing, meteor doesn't have a checkPassword
method, but here's how you can do it:
在客户端上,我假设你有一个带有密码
输入的表单和一个名为 check-password $ c $的按钮C>。事件代码可能如下所示:
On the client, I'm going to assume you have a form with an input called password
and a button called check-password
. The event code could look something like this:
Template.userAccount.events({
'click #check-password': function() {
var digest = Package.sha.SHA256($('#password').val());
Meteor.call('checkPassword', digest, function(err, result) {
if (result) {
console.log('the passwords match!');
}
});
}
});
然后在服务器上,我们可以实现 checkPassword
这样的方法:
Then on the server, we can implement the checkPassword
method like so:
Meteor.methods({
checkPassword: function(digest) {
check(digest, String);
if (this.userId) {
var user = Meteor.user();
var password = {digest: digest, algorithm: 'sha-256'};
var result = Accounts._checkPassword(user, password);
return result.error == null;
} else {
return false;
}
}
});
详情请见博客文章。我会尽力保持最新状态。
For more details, please see my blog post. I will do my best to keep it up to date.
这篇关于验证Meteor中的用户密码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!