Accounts._hashPassword gone? Never existed?

I want to hash a password, on the server, sent by Basic Auth, and tried using Accounts._hashPassword() but that gives me an error (“not a function”).

Now, I’m fairly certain that I’ve used it before, but only fairly… Have I been dreaming?

How can I hash a clear text pw and use it to log in a user?

Seems perfectly okay. Could it be that something is overriding Accounts?

Yes… but only on the client side?

Solved it with this:

    let hashedPw = bcrypt.hashSync(pw, 10)

Oops, spoke too soon. That does not give the correct hash…

You can log in a user without using a password. You can work with a token instead of a password.

    // create resume token
    const token = Accounts._generateStampedLoginToken()
    // hashed token
    const hashedToken = Accounts._hashStampedToken(token)
    // insert hashed token to user.services.resume
    Accounts._insertHashedLoginToken(userId, hashedToken)

Now you can use the token to log in. On the client side, you can call loginWithToken.

Yes, I do use that but I want to enable Basic Auth as well for some purposes and to do that on the server side I need to hash the password the same way as Meteor does.

Then you may want to check this file. I think you will need to copy this function to somewhere: https://github.com/meteor/meteor/blob/master/packages/accounts-password/password_server.js#L48

Extracting this code should be easy:

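    import { Accounts } from 'meteor/accounts-base'
    import { SHA256 } from 'meteor/sha'
    // bcryptHash was not defined in the extracted snippet; the npm "bcrypt"
    // package's hash() returns a promise when called without a callback
    import { hash as bcryptHash } from 'bcrypt'

    // Normalise the input to the hex SHA-256 digest that gets bcrypt-hashed
    const getPasswordString = password => {
      if (typeof password === "string") {
        password = SHA256(password);
      } else { // 'password' is an object
        if (password.algorithm !== "sha-256") {
          throw new Error("Invalid password hash algorithm. " +
                          "Only 'sha-256' is allowed.");
        }
        password = password.digest;
      }
      return password;
    };

    // bcrypt over the SHA-256 digest, using the configured number of rounds
    const hashPassword = async password => {
      password = getPasswordString(password);
      return await bcryptHash(password, Accounts._bcryptRounds());
    };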

It’s however not very maintainable. Maybe a PR makes sense to add Accounts._hashPassword = hashPassword?

I agree. Or just export the hashPassword function.

I think we ought to differentiate between the client hash and the server hash, as Meteor hashes the password twice.
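
The two hashing layers discussed in this thread, as an added example that is not code from any poster or from Meteor: it turns a Basic Auth header into the `{ digest, algorithm: 'sha-256' }` form handled by the extracted `getPasswordString` above, then verifies that digest against the stored bcrypt hash. It uses only Node built-ins so it runs outside Meteor. Assumptions: `findUser` and `bcryptCompare` are hypothetical injected functions, and the stored hash is read from `services.password.bcrypt` on the user document.

```javascript
const { createHash } = require('node:crypto');

// Parse "Basic <base64(user:pass)>"; returns null when the header is malformed.
function parseBasicAuth(header) {
  const m = /^Basic\s+([A-Za-z0-9+/]+={0,2})$/i.exec(header || '');
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':'); // only the first ':' separates; passwords may contain ':'
  if (sep < 1) return null;         // no separator, or empty username
  return { username: decoded.slice(0, sep), password: decoded.slice(sep + 1) };
}

// First layer: hex SHA-256 digest of the clear text, in the object form
// that the thread's getPasswordString() accepts.
function toMeteorPassword(clearText) {
  const digest = createHash('sha256').update(clearText, 'utf8').digest('hex');
  return { digest, algorithm: 'sha-256' };
}

// Second layer: bcrypt over that digest. bcrypt salts every hash, so a freshly
// computed hash never equals the stored string; verification has to go through
// a compare function. `bcryptCompare` is injected (assumption): in an app it
// would be compare() from the npm "bcrypt" package.
async function verifyBasicAuth(header, findUser, bcryptCompare) {
  const creds = parseBasicAuth(header);
  if (!creds) return null;
  const user = await findUser(creds.username);
  const stored = user?.services?.password?.bcrypt; // assumed storage location
  if (!stored) return null;
  const { digest } = toMeteorPassword(creds.password);
  return (await bcryptCompare(digest, stored)) ? user._id : null;
}
```

Older accounts-password versions also expose a private `Accounts._checkPassword(user, password)` that performs this comparison inside Meteor; as an underscore-prefixed helper it may change between releases.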