How should I migrate user login from Meteor to non-Meteor project?


#1

I am migrating user documents in Mongo from my Meteor project to non-Meteor project (express backend + mongodb).

I would like to know how to migrate the user data so that the users can continue to login using the same password in my non-Meteor app. I don’t fully understand what goes on under the hood in Meteor’s user-accounts package for login/signup.

Currently, the users in Mongo have this shape in my Meteor app:

{
	"_id" : "some id",
	"createdAt" : date,
	"services" : {
		"password" : {
			"bcrypt" : "some hash"
		},
		"resume" : {
			"loginTokens" : [
				{
					"when" : date,
					"hashedToken" : "some hash"
				}
			]
		}
	},
	"username" : "some username"
}

My plan is to use bcrypt to hash the plain password when user tries to login in a non-Meteor app, and compare it with the value for services.password.bcrypt. Would it work?


#2

What are you migrating to? It’d be nice to have a migration path to something like http://passportjs.org


#3

I am using passportjs.

I saw in this StackOverflow question that accounts-password hashes the password with sha-256 before sending the plaintext to the server.

So I think the login flow using passportjs should be:

  • user tries to login with id/password
  • hash the password with sha256 and send to server
  • use bcrypt to hash and compare the password from the db.

But what about salts? Does Meteor salt the hash and where are they stored?


#4

Bcrypt’s whole reason for being is salts.

Yes, Meteor salts.


#5

Figured it out.

  1. Hash the plaintext password with sha256
  2. Compare the hash to the services.password.bcrypt using bcrypt.
  3. If match, login, if not reject.

Works well with passportjs.


#6

Note - you need to use the SHA256 module that is included in Meteor as opposed to say,

crypto.createHash('sha256').update(password).digest('base64');