Can we build password-less authentication into Accounts

cstrat · May 13, 2021, 11:46pm

I haven’t been across the latest developments in Meteor but have been using it quietly in the background.

Just wondering if there has been any discussion into extending the Accounts package to include password-less authentication?
I’ve seen a few 3rd party packages, but this seems like more of a core capability that Accounts should have.

It is almost there with the email verification already doing the heavy lifting: generating a token, sending the email, login the user in on clicking the link, I am sure the token must expire too (haven’t looked into it).
I imagine to build this in would be relatively simple. Probably use a different token type in the user document to not confuse email validation with login. Needs a new email template and hook for the client to login. Some documentation to cover its use on the docs site.

Here are two implementations which I am sure are great and work, but are each more than half a decade old and maybe unsupported.

GitHub - poetic/accounts-passwordless: Passwordless auth for meteor apps - this one uses SMS which is neat

elmamc · May 15, 2021, 6:56am

Hi! I’m finding something like this.
The user login, if it is the “first time”, he receive an email with a link.
Clickind the link authorize login for sometimes.
After this or a logout, the user have to login again.

This without inserting a token or something

cstrat · May 16, 2021, 12:58am

Yeah that is what I want to offer too.

On first registration this is what happens anyway because the user needs to validate/verify their email address. On clicking that link they are logged in. Just need a way to offer this as a login method.

minhna · May 17, 2021, 1:50am

Meteor allows you to create a custom login method:

Meteor.startup(function() {
Accounts.registerLoginHandler('your-method-name', (options) => {
    // console.log('custom login');
    const { someField, otherField } = options;
    if (!someField || !otherField) {
      return undefined; // don't handle
    }
    
    // run some code to validate login data here
    
    const serviceName = 'your-custom-service'; // works like password, this data will be stored in users.services field
    const serviceData = {
       id: 'someUniqueId', // must have this field.
       somedata: 'someValue',
       // other data here
    };
    const serviceOptions = {
       // additional option
    };
    const result = Accounts.updateOrCreateUserFromExternalService(
      serviceName,
      serviceData,
      serviceOptions,
    );
    if (!result || !result.userId) {
      throw new Meteor.Error('something wrong', 'Something does not go right');
    }

On the client side

// call this to login user
Accounts.callLoginMethod({
      // there data must match your back-end code above
      methodArguments: [
        {
          someField: 'some data',
          otherField: 'some other data', 
        },
      ],
      
      userCallback: (error) => {
        if (error) {
          // login failed
          showError(error.message);
        } else {
          // login successfully
          // do something here
        }
      },
    });

cstrat · May 17, 2021, 2:50am

Hey that is pretty neat - where can I find more documentation on that? It isn’t on the docs.meteor.com.

Although I was hoping that this were something that could be built in as part of the standard Accounts package.

minhna · May 17, 2021, 4:46am

It’s funny that I don’t remember how I found that. But it’s there in the Accounts package. Sometime you need to dig into the code and it’s open source. WOW.

storyteller · July 5, 2021, 1:42pm

Just leaving this here: Passwordless sign-in · Discussion #11515 · meteor/meteor · GitHub

cstrat · July 13, 2021, 5:33am

Thanks for raising the topic on GitHub, I’ve added a comment there.

msavin · October 27, 2021, 6:57pm

https://atmospherejs.com/meteor/accounts-passwordless boom - just launched as part of Meteor 2.5