在 Meteor 中验证用户密码 [英] Verify user password in Meteor
问题描述
用户可以在我的应用中执行一些不可逆的操作.为了增加安全级别,我想验证执行此类操作的人实际上是登录用户.我怎样才能实现它?
There are some irreversible actions that user can do in my app. To add a level of security, I'd like to verify that the person performing such an action is actually the logged in user. How can I achieve it?
对于有密码的用户,我想要一个提示,要求再次输入用户密码.我以后如何验证此密码而不通过网络发送?
For users with passwords, I'd like a prompt that would ask for entering user password again. How can I later verify this password, without sending it over the wire?
对于通过外部服务登录的用户,是否可以执行类似的操作?如果是,如何实现?
Is a similar action possible for users logged via external service? If yes, how to achieve it?
推荐答案
我可以帮助解决第一个问题.在撰写本文时,meteor 没有 checkPassword
方法,但您可以这样做:
I can help with the first question. As of this writing, meteor doesn't have a checkPassword
method, but here's how you can do it:
在客户端上,我假设您有一个表单,其中包含一个名为 password
的输入和一个名为 check-password
的按钮.事件代码可能如下所示:
On the client, I'm going to assume you have a form with an input called password
and a button called check-password
. The event code could look something like this:
Template.userAccount.events({
'click #check-password': function() {
var digest = Package.sha.SHA256($('#password').val());
Meteor.call('checkPassword', digest, function(err, result) {
if (result) {
console.log('the passwords match!');
}
});
}
});
然后在服务器上,我们可以像这样实现checkPassword
方法:
Then on the server, we can implement the checkPassword
method like so:
Meteor.methods({
checkPassword: function(digest) {
check(digest, String);
if (this.userId) {
var user = Meteor.user();
var password = {digest: digest, algorithm: 'sha-256'};
var result = Accounts._checkPassword(user, password);
return result.error == null;
} else {
return false;
}
}
});
有关详细信息,请参阅我的博文.我会尽最大努力使其保持最新状态.
For more details, please see my blog post. I will do my best to keep it up to date.
这篇关于在 Meteor 中验证用户密码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!