How to automatically log a user in based on IP address?


#1

I have an account with a collection of allowed IP addresses. If anyone connects from one of these IP addresses, is it possible to log them in as that account?


#2

This is technically possible, but it is something I strongly advise against implementing.

You can turn it around, only accept the login from the list of allowed IP addresses. But please do not automatically login if the request is coming from one of the allowed IP addresses.

Good idea:

// Inside a Meteor method: this.connection.clientAddress is the caller's IP.
// The password check still happens; the IP list only narrows where it is accepted from.
const user = Meteor.users.findOne({ username });
if (!user || !_.contains(user.knownIPs, this.connection.clientAddress)) {
  throw new Meteor.Error('access denied');
}

Terribly bad idea: (incomplete sample)

// Anti-pattern shown for contrast: the IP is the only credential here.
const user = Meteor.users.findOne({ username });
if (user && _.contains(user.knownIPs, this.connection.clientAddress)) {
  this.setUserId(user._id);
}

Why is it such a terrible idea? Because it’s pretty easy to spoof an IP address. Even when you’re on a local network that’s completely disconnected from the internet, automatically logging in based on the IP is like providing no security layer at all.

You can just as well show a dropdown box so the user can select someone to be logged in as.

A better solution would be to require the user to login. If the login attempt is successful, you store its IP address together with a token. This token, you keep client side as well (you can reuse Meteor’s token with localStorage.getItem('Meteor.loginToken')).

The next time a user visits you, you can check both the token and their IP address. If this combination is valid, you can restore their previous session. You don’t login based on IP, but based on the combination of a valid token + IP + token expiry date.

With this feature, you should give the user an option to kill sessions based on IPs as well. So one can logout their session that’s still active on another location.