Currently, it’s not easy to verify one’s password before some dangerous operations, for example, dealing with security configurations and entering admin panels.
Suggestions:
- An API to verify the user’s password:
  - Available on the client, like `Accounts.verifyPassword(password)`.
  - When fired, it verifies the user’s password with the server, gets a token from the server and stores it on the client; the token is valid for 15 min or so. This token will be used to check the verification status in the next steps.
- Have an API available in methods to ask for verification, like `Accounts.requiresPasswordVerify()`:
  - When fired, this throws a special error if no valid token is found on the client, or does nothing, which means the password is verified.
  - Developers can make the client call `Accounts.verifyPassword(password)` and rerun the method when the special error occurs.
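
The flow proposed above, as an added plain Node.js sketch (not Meteor code and not part of the original post). The function names follow the proposal; the in-memory stores, the scrypt hashing, the `password-verify-required` error code and the explicit `userId`/`token` arguments are assumptions. The token is checked on the server and bound to the user, so a client cannot simply claim to be verified.

```javascript
// Added sketch: names follow the proposal, storage is in-memory (assumption).
const nodeCrypto = require('crypto');

const TOKEN_TTL_MS = 15 * 60 * 1000;   // "valid for 15 min or so"
const users = new Map();               // userId -> { salt, hash }
const verifications = new Map();       // sha256(token) -> { userId, expires }

const sha256 = (s) => nodeCrypto.createHash('sha256').update(s).digest('hex');

function createUser(userId, password) { // constructed fixture for the example
  const salt = nodeCrypto.randomBytes(16);
  users.set(userId, { salt, hash: nodeCrypto.scryptSync(password, salt, 32) });
}

// Server side of the proposed Accounts.verifyPassword(password).
function verifyPassword(userId, password, now = Date.now()) {
  const user = users.get(userId);
  if (!user) return null;
  const candidate = nodeCrypto.scryptSync(password, user.salt, 32);
  if (!nodeCrypto.timingSafeEqual(candidate, user.hash)) return null;
  const token = nodeCrypto.randomBytes(32).toString('hex');
  // Keep only a hash server-side so a leaked table yields no usable tokens.
  verifications.set(sha256(token), { userId, expires: now + TOKEN_TTL_MS });
  return token;
}

// Server side of the proposed Accounts.requiresPasswordVerify().
function requiresPasswordVerify(userId, token, now = Date.now()) {
  const entry = token ? verifications.get(sha256(token)) : undefined;
  if (!entry || entry.userId !== userId || entry.expires <= now) {
    // The "special error" the client reacts to (code name is hypothetical).
    throw Object.assign(new Error('Password verification required'),
      { code: 'password-verify-required' });
  }
}

// A sensitive method, plus the client-side "verify and rerun" step.
function changeSecuritySetting(userId, token, now) {
  requiresPasswordVerify(userId, token, now);
  return 'setting-changed';
}

function callWithReverify(userId, session, askPassword, now) {
  try {
    return changeSecuritySetting(userId, session.token, now);
  } catch (e) {
    if (e.code !== 'password-verify-required') throw e;
    session.token = verifyPassword(userId, askPassword(), now);
    return changeSecuritySetting(userId, session.token, now);
  }
}
```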