在 Meteor 中验证用户密码 [英] Verify user password in Meteor

问题描述

用户可以在我的应用中执行一些不可逆的操作.为了增加安全级别，我想验证执行此类操作的人实际上是登录用户.我怎样才能实现它?

There are some irreversible actions that user can do in my app. To add a level of security, I'd like to verify that the person performing such an action is actually the logged in user. How can I achieve it?

• 对于有密码的用户，我想要一个提示，要求再次输入用户密码.我以后如何验证此密码而不通过网络发送?

• For users with passwords, I'd like a prompt that would ask for entering user password again. How can I later verify this password, without sending it over the wire?

对于通过外部服务登录的用户，是否可以执行类似的操作?如果是，如何实现?

Is a similar action possible for users logged via external service? If yes, how to achieve it?

推荐答案

我可以帮助解决第一个问题.在撰写本文时，meteor 没有 checkPassword 方法，但您可以这样做:

I can help with the first question. As of this writing, meteor doesn't have a checkPassword method, but here's how you can do it:

在客户端上，我假设您有一个表单，其中包含一个名为 password 的输入和一个名为 check-password 的按钮.事件代码可能如下所示:

On the client, I'm going to assume you have a form with an input called password and a button called check-password. The event code could look something like this:

Template.userAccount.events({
  'click #check-password': function() {
    var digest = Package.sha.SHA256($('#password').val());
    Meteor.call('checkPassword', digest, function(err, result) {
      if (result) {
        console.log('the passwords match!');
      }
    });
  }
});

然后在服务器上，我们可以像这样实现checkPassword方法:

Then on the server, we can implement the checkPassword method like so:

Meteor.methods({
  checkPassword: function(digest) {
    check(digest, String);

    if (this.userId) {
      var user = Meteor.user();
      var password = {digest: digest, algorithm: 'sha-256'};
      var result = Accounts._checkPassword(user, password);
      return result.error == null;
    } else {
      return false;
    }
  }
});

有关详细信息，请参阅我的博文.我会尽最大努力使其保持最新状态.

For more details, please see my blog post. I will do my best to keep it up to date.

这篇关于在 Meteor 中验证用户密码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！