验证Meteor中的用户密码 [英] Verify user password in Meteor

问题描述

用户可以在我的应用中执行一些不可逆转的操作。为了增加安全级别，我想验证执行此类操作的人员实际上是登录用户。我怎样才能实现它？

There are some irreversible actions that user can do in my app. To add a level of security, I'd like to verify that the person performing such an action is actually the logged in user. How can I achieve it?

• 对于有密码的用户，我想要一个要求再次输入用户密码的提示。如何在不通过网络发送密码的情况下验证此密码？

• For users with passwords, I'd like a prompt that would ask for entering user password again. How can I later verify this password, without sending it over the wire?

通过外部服务登录的用户是否可以采取类似的操作？如果是的话，如何实现呢？

Is a similar action possible for users logged via external service? If yes, how to achieve it?

推荐答案

我可以帮助第一个问题。在撰写本文时，meteor没有 checkPassword 方法，但是你可以这样做：

I can help with the first question. As of this writing, meteor doesn't have a checkPassword method, but here's how you can do it:

在客户端上，我假设你有一个带有密码输入的表单和一个名为 check-password 。事件代码可能如下所示：

On the client, I'm going to assume you have a form with an input called password and a button called check-password. The event code could look something like this:

Template.userAccount.events({
  'click #check-password': function() {
    var digest = Package.sha.SHA256($('#password').val());
    Meteor.call('checkPassword', digest, function(err, result) {
      if (result) {
        console.log('the passwords match!');
      }
    });
  }
});

然后在服务器上，我们可以实现 checkPassword 这样的方法：

Then on the server, we can implement the checkPassword method like so:

Meteor.methods({
  checkPassword: function(digest) {
    check(digest, String);

    if (this.userId) {
      var user = Meteor.user();
      var password = {digest: digest, algorithm: 'sha-256'};
      var result = Accounts._checkPassword(user, password);
      return result.error == null;
    } else {
      return false;
    }
  }
});

详情请见博客文章。我会尽力保持最新状态。

For more details, please see my blog post. I will do my best to keep it up to date.

这篇关于验证Meteor中的用户密码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！