ralof
October 31, 2023, 10:39pm
1
I want to hash a password, on the server, sent by Basic Auth, and tried using `Accounts._hashPassword()` but that gives me an error (“not a function”).
Now, I’m fairly certain that I’ve used it before, but only fairly… Have I been dreaming?
How can I hash a clear text pw and use it to login a user?
harry97
October 31, 2023, 10:46pm
2
```js
// Excerpt from Meteor's accounts-password client source (password_client.js)
 * @param {String} password The user's password.
 * @param {Function} [callback] Optional callback.
 *   Called with no arguments on success, or with a single `Error` argument
 *   on failure.
 * @importFromPackage meteor
 */
Meteor.loginWithPassword = (selector, password, callback) => {
  return internalLoginWithPassword({ selector, password, callback });
};

Accounts._hashPassword = password => ({
  digest: SHA256(password),
  algorithm: "sha-256"
});

/**
 * @summary Log the user in with a password and token.
 * @locus Client
 * @param {Object | String} selector
 *   Either a string interpreted as a username or an email; or an object with a
```
Seems perfectly okay. Could it be that something is overriding `Accounts`?
ralof
October 31, 2023, 10:51pm
3
Yes… but only on the client side?
ralof
October 31, 2023, 11:00pm
4
Solved it with this:
```js
let hashedPw = bcrypt.hashSync(pw, 10)
```
ralof
October 31, 2023, 11:05pm
5
oops, spoke too soon. That does not give the correct hash…
minhna
November 1, 2023, 12:14am
6
You can login a user without using a password. You can work with a token instead of a password.
```js
// create resume token
const token = Accounts._generateStampedLoginToken()
// hashed token
const hashedToken = Accounts._hashStampedToken(token)
// insert hashed token to user.services.resume
Accounts._insertHashedLoginToken(userId, hashedToken)
```
Now you can use the token to login. On the client side, you can call `loginWithToken`.
ralof
November 1, 2023, 3:43am
7
Yes, I do use that but I want to enable Basic Auth as well for some purposes and to do that on the server side I need to hash the password the same way as Meteor does.
minhna
November 1, 2023, 3:50am
8
Then you may want to check this file. I think you will need to copy this function to somewhere: https://github.com/meteor/meteor/blob/master/packages/accounts-password/password_server.js#L48
Extracting this code should be easy:
```js
import { Accounts } from 'meteor/accounts-base'
import { SHA256 } from 'meteor/sha'
import bcrypt from 'bcrypt'

// bcryptHash was not part of the snippet as posted; password_server.js takes it
// from the bcrypt package (bcrypt.hash returns a promise when no callback is given).
const bcryptHash = bcrypt.hash

// Normalise what the client sent: a clear-text string is SHA-256'd here,
// an object must already be the client-side { digest, algorithm: "sha-256" }.
const getPasswordString = password => {
  if (typeof password === "string") {
    password = SHA256(password);
  } else { // 'password' is an object
    if (password.algorithm !== "sha-256") {
      throw new Error("Invalid password hash algorithm. " +
        "Only 'sha-256' is allowed.");
    }
    password = password.digest;
  }
  return password;
};

// Second stage: bcrypt over the SHA-256 hex digest, with Meteor's configured rounds.
const hashPassword = async password => {
  password = getPasswordString(password);
  return await bcryptHash(password, Accounts._bcryptRounds());
};
```
It’s however not very maintainable. Maybe a PR makes sense to add `Accounts._hashPassword = hashPassword`?
minhna
November 2, 2023, 8:17am
10
I agreed. Or just export the `hashPassword` function.
harry97
November 3, 2023, 8:35am
11
I think we ought to differentiate between the client hash and the server hash, as Meteor hashes the password twice.