How do I add a callback before a password change?


#1

I have a simple password change popup based on Accounts.setPassword(userId, newPassword, [options]).

However, I need to implement an IT policy:

  • at least one uppercase and lowercase character
  • at least one non-alphanumeric character
  • different from past 2 passwords

And I need to force a password change every 30 days.

How do I implement hooks in the Account package to do all that without monkey-patching the Account package?


#2

I added the checks on the client - which means they can be bypassed by calling Accounts.changePassword() via the console. I never found a simple way to add them on the server side.

For the password change every 30 days, I added an observable on the server side that tags the user with his next password expiration date after any change. Different functions can use that info and react accordingly (refuse to publish data, suspend account, etc).

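import { Meteor } from 'meteor/meteor'
import moment from 'moment'

// Server side: watch the stored bcrypt hash and reset the expiry date whenever it changes.
Meteor.users.find({}, { fields : { 'services.password.bcrypt' : 1 }}).observe({
  changed : user => {
    const id = user._id
    const extend = 30 // days until the next forced change
    Meteor.users.update(id, { $set : {
      'profile.expires' : moment().add(extend, 'days').format('YYYY-MM-DD')
    }})
  }
})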

[profile shouldn’t be used to store info as it can be changed by the user]
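
A server-side form of the policy from the question, as an added example that is not code from either poster or from the Accounts package. The function names, the scrypt history records (a stand-in for the stored bcrypt hash) and the idea of running the check in a server method before Accounts.setPassword are assumptions.

```javascript
const crypto = require('node:crypto')

const HISTORY_DEPTH = 2   // "different from past 2 passwords"
const MAX_AGE_DAYS = 30   // "force a password change every 30 days"

// Salted scrypt record to append to a per-user history list.
// Assumption: the list lives in a server-only field, not in `profile`.
function hashForHistory(password, salt = crypto.randomBytes(16)) {
  const key = crypto.scryptSync(password, salt, 32)
  return { salt: salt.toString('hex'), key: key.toString('hex') }
}

// Re-derive the key with the stored salt and compare in constant time.
function matchesHistory(password, entry) {
  const key = crypto.scryptSync(password, Buffer.from(entry.salt, 'hex'), 32)
  return crypto.timingSafeEqual(key, Buffer.from(entry.key, 'hex'))
}

// Returns the list of violated rules; an empty list means the password passes.
// `history` is ordered oldest first, newest last.
function checkPasswordPolicy(password, history = []) {
  if (typeof password !== 'string') return ['not-a-string']
  const violations = []
  if (!/\p{Lu}/u.test(password)) violations.push('no-uppercase')
  if (!/\p{Ll}/u.test(password)) violations.push('no-lowercase')
  if (!/[^\p{L}\p{N}]/u.test(password)) violations.push('no-non-alphanumeric')
  const recent = history.slice(-HISTORY_DEPTH)
  if (recent.some(entry => matchesHistory(password, entry))) violations.push('reused')
  return violations
}

// True once more than MAX_AGE_DAYS have passed since the last change.
function isExpired(changedAt, now = new Date()) {
  return now - changedAt > MAX_AGE_DAYS * 24 * 60 * 60 * 1000
}

// Constructed sample data: three earlier passwords, oldest first.
const sampleHistory = ['Old-Pass1', 'Older-Pass2', 'Newest-Pass3'].map(p => hashForHistory(p))
console.log(checkPasswordPolicy('alllower1', sampleHistory))
console.log(checkPasswordPolicy('Newest-Pass3', sampleHistory))
```

The server method would reject the change when the returned list is non-empty, and on success append hashForHistory(newPassword) to the user's history and record the change date for isExpired.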