I am building an admin area where an admin can create other users giving a username and password.
1)On the client, Accounts.createUser logs the user in automatically so I cannot use it
2)So far I added a method on the server that creates the user for me and it works. However if I do it this way, how do I handle the client sending the password to the server? By default if I am not mistaken, it will be in plain text, not hashed, so it should be unsafe, correct?
3)I have the same problem if, later on, I want the admin to change another user’s password. I cannot use changePassword on the client, because it is only for the loggedin user. I cannot use setPassword on the server, without before sending the password in clear text over the wire in a method.
In general I see that the Accounts API handle the password security and I like that, but it seems that all its client methods are assumed to be for the loggedin user, and to use the server methods that would fix my problem I still need a way to handle the password transfer safely.
What is the best way to do that?