How to implement one time login?


#1

With the accounts-* packages, the login is maintained for 90 days by default. The token is cached in localStorage, and the next time the user opens the browser, they are logged in automatically again.

But for some apps, this is not right or secure. For example, for an admin app, the user needs to perform a one-time login, and the token should be kept in memory to make it safe, because it will be removed when the browser is closed.

So how would you implement one-time login?

See this issue.


#2

You can configure how long it stays valid in the accounts settings.

Try this: https://atmospherejs.com/zuuk/stale-session


#3

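After you log in, remove the login data from storage:

Meteor.loginWithPassword(user, password, (error) => {
  if (error) return; // login failed, nothing to clean up
  // Remove the persisted login data so it does not survive a browser restart
  Meteor._localStorage.removeItem('Meteor.userId');
  Meteor._localStorage.removeItem('Meteor.loginToken');
  Meteor._localStorage.removeItem('Meteor.loginTokenExpires');
  // Turn off the accounts client's auto-login flag
  Accounts._autoLoginEnabled = false;
});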

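If using the latest package (1.3+), you should be able to just:

Meteor.loginWithPassword(user, password, (error) => {
  if (error) return; // login failed, nothing to clean up
  // Remove the stored login token, then turn off the auto-login flag
  Accounts._unstoreLoginToken();
  Accounts._autoLoginEnabled = false;
});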

#4

This does work, awesome! It really should be made a config option of Accounts.


#5

Nice find @reoh! It will need some maintenance to make sure it stays working in new releases because it changes some core variables.

Isn’t this setting sufficient for you: https://docs.meteor.com/api/accounts-multi.html#AccountsCommon-config loginExpirationInDays

Not sure what happens if you turn it to 0 (zero). You might want to test that. I think it sets this variable:

And that one gets multiplied but it seems to not accept zero:

Have to check deeper and test though before you trust that behavior. This might otherwise be a good place to fix what you want.

It seems that every 10 minutes the tokens are checked to be removed:

Might be interesting to look into this a bit further to see if you can use the official API. You don’t need to remove the token after all, you need the token to become invalid.
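Because the workaround in #3 depends on internal names that may change between releases, a regression check can confirm that no login data is left in storage after login. This is an added example, not code from the thread or from Meteor; the helper names, the in-memory storage stand-in and the sample values are constructed for illustration, and only the three key names come from #3.

```javascript
// Key names the accounts client persists, as listed in post #3.
const LOGIN_KEYS = ['Meteor.userId', 'Meteor.loginToken', 'Meteor.loginTokenExpires'];

// Names of login keys still present in a Storage-like object.
// Only key names are returned, so the token value never reaches a log.
function persistedLoginKeys(storage) {
  return LOGIN_KEYS.filter((key) => storage.getItem(key) !== null);
}

// Remove whatever is left and report which keys had to be removed.
function purgePersistedLogin(storage) {
  const leaked = persistedLoginKeys(storage);
  leaked.forEach((key) => storage.removeItem(key));
  return leaked;
}

// Constructed in-memory stand-in for browser storage, so this runs in Node.
function makeMemoryStorage(initial = {}) {
  const items = new Map(Object.entries(initial));
  return {
    getItem: (key) => (items.has(key) ? items.get(key) : null),
    setItem: (key, value) => { items.set(key, String(value)); },
    removeItem: (key) => { items.delete(key); },
  };
}

// Constructed state: what storage holds after a normal persistent login.
function sampleStorageAfterLogin() {
  return makeMemoryStorage({
    'Meteor.userId': 'constructed-user-id',
    'Meteor.loginToken': 'constructed-token',
    'Meteor.loginTokenExpires': 'constructed-date',
    'app.theme': 'dark', // unrelated key that must survive the purge
  });
}

// Regression case: a cleanup that forgets the token itself is reported as a leak.
function demo() {
  const storage = sampleStorageAfterLogin();
  storage.removeItem('Meteor.userId');
  storage.removeItem('Meteor.loginTokenExpires');
  const before = persistedLoginKeys(storage);
  const removed = purgePersistedLogin(storage);
  return { before, removed, after: persistedLoginKeys(storage), theme: storage.getItem('app.theme') };
}

console.log(demo());
```

Any object with `getItem` and `removeItem` can be passed in, such as the `Meteor._localStorage` used in #3; running the check in the login callback and again after reopening the browser covers the case reported in #6.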


#6

Before this post, I have already tested setting it to 0, but sadly, when I reopened the browser, it was logged in.