Accounts-password: forbid login for not verified users


I’m using 1.3 (but I guess this was the same before) and would like to
forbid login for users with not-verified e-mails.

I know how to do this on the client-side but this is not safe.

The login is done using Meteor.loginWithPassword (based on mantra
kickstarter) and I do not see how to make a server-side check in this context.

That must be explained somewhere but I could not find it in docs, guide or forums.


PS: it is not so clear whether issues about accounts should go to meteor/meteor or meteor/accounts, please clarify (or maybe this is WIP).
If the answer is meteor/accounts, this should be clear in the
Independent core packages section of the meteor/meteor issues

I misunderstood the workflow in that case (in fact I found no explanation).
My requirement is a workflow like:

  • a new user registers using his/her e-mail (or/and username) BUT no password
  • an enrollment e-mail is sent containing a link
  • the link opens a page that sets the password (the link does not work anymore after that)

There is no need in this context to verify the e-mail as the password can only be set if the e-mail was received anyway (the token is key!).

I managed to make it work by putting together the different functions from… I have no idea if this is the right way to do it.

Any resource giving more explanations about the different registration workflows (incl. password reset) is welcome.
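
One way to do the server-side check asked about above, as an added example that is not part of the original post: Meteor's `Accounts.validateLoginAttempt` hook runs on the server for every login attempt, so it cannot be bypassed from the client. The helper names, the "one verified address is enough" policy and the sample attempts are assumptions made for illustration.

```javascript
// Added example, not from the original post. Load it from server-only code.

// True when the user document has at least one address flagged as verified.
// Assumed policy: one verified address is enough.
function hasVerifiedEmail(user) {
  const emails = (user && user.emails) || [];
  return emails.some((e) => e.verified === true);
}

// Callback for Accounts.validateLoginAttempt. `attempt` has the shape Meteor
// passes to the hook: { type, allowed, user, methodName, ... }.
function allowVerifiedOnly(attempt) {
  // An earlier check already rejected the attempt (bad password, unknown user).
  if (!attempt.allowed) return false;
  // Only password logins are gated; resume tokens and OAuth pass through.
  if (attempt.type !== 'password') return true;
  return hasVerifiedEmail(attempt.user);
}

// Register the hook when running inside Meteor. A falsy return value makes
// the server refuse the login, whatever the client code does.
if (typeof Meteor !== 'undefined' && typeof Accounts !== 'undefined' && Meteor.isServer) {
  Accounts.validateLoginAttempt(allowVerifiedOnly);
}

// Constructed sample attempts (not real data) covering the relevant cases.
const SAMPLE_ATTEMPTS = [
  { label: 'verified user', type: 'password', allowed: true, methodName: 'login',
    user: { emails: [{ address: 'a@example.com', verified: true }] } },
  { label: 'unverified user', type: 'password', allowed: true, methodName: 'login',
    user: { emails: [{ address: 'b@example.com', verified: false }] } },
  // Automatic login that follows a client-side Accounts.createUser call.
  { label: 'fresh sign-up', type: 'password', allowed: true, methodName: 'createUser',
    user: { emails: [{ address: 'c@example.com', verified: false }] } },
  { label: 'username only, no e-mail', type: 'password', allowed: true,
    methodName: 'login', user: { username: 'dave' } },
  { label: 'wrong password', type: 'password', allowed: false, methodName: 'login',
    user: { emails: [{ address: 'a@example.com', verified: true }] } },
  { label: 'resume token', type: 'resume', allowed: true, methodName: 'login',
    user: { emails: [{ address: 'b@example.com', verified: false }] } },
];

// Returns { label: decision } for every sample attempt.
function evaluateSamples() {
  return Object.fromEntries(SAMPLE_ATTEMPTS.map((a) => [a.label, allowVerifiedOnly(a)]));
}
```

The resume-token case passes because only `password` attempts are gated here; tighten that branch if sessions created before the hook was deployed must also be checked.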