Handling users outside of Meteor


#1

Hello,
I am a rookie developer and I am developing an application on Ionic using Meteor as a client/server architecture.
I also wrote a PHP backend handling user data and user information. I can access this PHP backend using user/password, and I’ll retrieve a token that will allow me to access user info.

My question is more about “is this the right way to do it” than “how to achieve my goal”. Let me explain.

I have this PHP backend that contains all my user information and is my user handling system. I also have a Meteor backend that handles all the requests made from the Ionic client. But I need to authenticate a user from Ionic into Meteor ONLY if it can authenticate from the PHP backend. And also, since I want Meteor and my PHP to be synchronized, I want to use the Meteor clientId as a salt in the generation of the token server side (this way the token is invalidated if the clientId changes). And last but not least, the client must not see the token.

A lot of restrictions, I know.

So what I have done so far is this: I created a method which sends the credentials in plain text to the server; the server checks if it can access the API using them, creates the user inside the Meteor backend (if it does not exist), and sends the credentials along with the clientId to the PHP backend to retrieve the token.

After that, it notifies the client that it is done, and the client will try to log in right after, as usual.

My concerns are multiple:
- Is sending a plaintext password, even with SSL, a security problem, or is it okay?
- This flow seems complex and not “elegant”; do you see a better way to achieve my goal?
- Do you see a simpler way to achieve this?

I am totally new to Meteor, and I’d really appreciate your help; I have been on this for almost 10 days now, since I am learning Meteor and TypeScript at the same time.

Thank you in advance, everyone, for your time and your advice.
PS: Sorry if I made mistakes, English is not my mother tongue.


#2

In theory you could use auth0.com (accounts as a service). It could validate the user against your custom database.