Authenticating with Meteor via DDP (and SRP?)


Question

I can't seem to find any good information about how to authenticate a user using Meteor's DDP.

Is this possible? If so, what's the best way to do it? How can you log in remotely to Meteor using SRP?

I'm currently using straight Node (eventually will use Express), along with this node ddp client.

Solution

To log in via DDP, simply send a method call. You alter it slightly depending on how you want to log in.

I'll use ddp-tools to try and explain how to log in, since it would be communicating with purely ddp. The login details in the below examples are

The username is user_1, the password is qwerty (yeah I know it's bad), the email address is email@email.com, and the login token is MxNY9BFPKra2uNWG7

The format is

ddp call <method call name> [<param1>..]

Which is the same as doing ddpclient.call(<method call name>,<param1>,callback) in nodejs

To log in with email and password

ddp call 'login' '{"password":"qwerty","user":{"email":"email@email.com"}}'

To log in with a username and password

ddp call 'login' '{"password":"qwerty","user":{"username":"user_1"}}'

To log in with a token (what Meteor saves when you log in):

ddp call 'login' '{"resume":"MxNY9BFPKra2uNWG7"}'

--

The difficult one: SRP

If you don't want to send the password in plain text like the above way because you're not using an SSL secured/https connection, you can use SRP.

To log in with SRP it's a little bit trickier, as it has a couple of stages:

1. Begin a passwordExchange to establish the key to communicate the hash
2. Send a login call with the hash calculated using the reply from 1)

Step 1:

- Begin an SRP password exchange:

ddp call 'beginPasswordExchange' '{"A":"A","user":{"email":"email@email.com"}}'

The response will be something like

{"identity":"identity","salt":"salt","B":"B"}

Then you can use this to login:

ddp call 'login' '{"srp":{"M":"srp hash"}}'

Similarly you can use the username instead of the email above.

So to get the values of M and A you need an SRP library. Since there's an SRP library in Meteor it's easy to explain how to get the password from each; it's quite tricky. If you want to write one in another language you could use Wikipedia's explanation to build the methods out.

So we begin an SRP exchange (from the SRP library in Meteor's SRP package); since you're using node.js you could include all the files in your project (except package.js):

var srp = new SRP.Client(password);

This will give you A, then you will get back data that you can respond with:

var response = srp.respondToChallenge(result);

This will finally give you the SHA hash to reply with using 'M', taking in 'B' and the salt.

Finally

Don't forget to check the final response when you do log in, to see if the result matches what it should be:

srp.verifyConfirmation({HAMK: result.HAMK});

Again these are all from the SRP library in Meteor, but they're all part of the SRP spec as on Wikipedia. Meteor's SRP uses SHA256 as the hashing function.

Examples:
