How to auto-login user if their account was created on the server side?

I have a signup process where the user inputs their email and password, which uses Accounts.createUser on the server. Then they’re bounced to a separate form to fill out additional details such as name, phone, etc. Once they fill that out, I want to log them in and redirect them to the dashboard. Is there some way I can force login of a user, without insecurely pulling their password to the client to use Meteor.loginWithPassword?

I would log the user in on registration and then check for these extra details for other routes so they can only access them when the form is completed.

Right, but how exactly do I log a user in upon registration? That’s the question.

If you need just email and password in your first step then Accounts.createUser will do that automatically for you. It works on both server and client together to make that work internally.

And since you will have checks in place for the other fields as part of your business logic, that is a fine and secure solution in this case.

Yes, but I’ve disabled client-side account creation for security purposes. So I’m assuming there’s no way to auto login the user once they’ve created their account. Currently I’m just redirecting them back to the login page to log in manually.

Well, the issue here is that you do want to create the user and auto-login. So the client needs to know something. That gives you options like:

  • Use the built-in createAccount
  • Create your own version of that

I would take the first one and validate it well. I would whitelist only the fields entered, so just email and password basically. Concept here: https://guide.meteor.com/accounts.html#requiring-username-email

DIY

You can also run your own solution. The simplest way would be to:

  1. User enters form (store the input email and password)
  2. Call method to create user
  3. Now login with the stored credentials

But that is in my opinion still less preferable compared to the built-in solution.

Security of the new account
Also: What other security risk do you see? It’s a new empty user account initiated from the same browser. It doesn’t supply any more access than an account you create by yourself on the server.

As far as I am aware, the standard flow of createUser also has no known security issues, which in fact would be a major issue for many Meteor apps around.

Edit:

And to add, you can actually change the active user, see: https://docs.meteor.com/api/methods.html#DDPCommon-MethodInvocation-setUserId so you can switch to another user without the user having to enter credentials. Should be clear that this needs to be implemented in a very careful way.
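The field whitelisting suggested in the reply above, sketched as an added example that is not part of the original thread or of Meteor's own code. The helper names are hypothetical, and the document shape (`_id`, `createdAt`, `services.password`, `emails`) is an assumption about what a password signup produces before it is inserted.

```javascript
// Added example (not from the thread). Helper names are hypothetical; the
// document shape is an assumption about what accounts-password builds for a
// password signup: _id, createdAt, services.password, emails[].
const ALLOWED_TOP_LEVEL = new Set(['_id', 'createdAt', 'services', 'emails']);
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Returns the reasons to reject a pending user document (empty list = accept).
function newUserProblems(user) {
  if (user === null || typeof user !== 'object') return ['not an object'];
  const problems = [];
  // Reject anything the signup form never asked for (profile, roles, username).
  for (const key of Object.keys(user)) {
    if (!ALLOWED_TOP_LEVEL.has(key)) problems.push(`unexpected field: ${key}`);
  }
  // Only the password login service may be present at creation time.
  const services = Object.keys(user.services || {});
  if (services.length !== 1 || services[0] !== 'password') {
    problems.push('services must contain only "password"');
  }
  // Exactly one syntactically plausible address, and it must start unverified.
  const emails = Array.isArray(user.emails) ? user.emails : [];
  if (emails.length !== 1) {
    problems.push('exactly one email required');
  } else {
    const { address, verified } = emails[0];
    if (typeof address !== 'string' || !EMAIL_RE.test(address)) problems.push('invalid email');
    if (verified !== false) problems.push('email must start unverified');
  }
  return problems;
}

// Callback in the shape Accounts.validateNewUser expects: true accepts the user.
function validateNewUser(user) {
  return newUserProblems(user).length === 0;
}

// Constructed sample: a signup document carrying a field the form never sent.
const sampleTampered = {
  _id: 'x1', createdAt: new Date(0), services: { password: { bcrypt: 'constructed' } },
  emails: [{ address: 'a@example.com', verified: false }], profile: { isAdmin: true },
};

// On a Meteor server this registers the check; under plain Node it is skipped.
if (typeof Accounts !== 'undefined') Accounts.validateNewUser(validateNewUser);
```

Because the check runs on the server for every new user, it applies whether the account is created from the client or from a server method.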

More of a spam concern. I have Google reCAPTCHA in place on the signup page to prevent spammy users from signing up. It’s possible, though probably highly unlikely, that a spam bot could figure out it’s a Meteor app and run Accounts.createUser to make an account.

Thanks for the links and ideas! I’ll dive into these later and figure out what makes sense.

Good issue, spam! What you could do is call some spam detection service from Meteor validate user. I suspect there are detection services available.

The general procedure would likely be to confirm via mail as a basis before people can fully use the account.