How to login with captcha and password?

I want to validate the captcha when a user tries to log in, but how do I submit additional fields when calling Meteor.loginWithPassword()? I tried to pass a user object {username: "xxx", captcha: "fsafsfefafa"}, but the app throws an error:

Match error: Unknown key in field captcha in field user.captcha

If I validate the captcha separately, users can actually bypass it by running commands in the Chrome console, so the captcha validation has to be combined with the login process.

An easy way is to make a separate server call to validate the captcha, then upon success call Meteor.loginWithPassword client-side (i.e. 2 calls), or make a single server method that does both. You can look at the core package (accounts-password I believe) to see how it validates passwords – or find the server-side password login (can’t remember if it’s exposed).

If you make 2 calls, malicious users can actually bypass the captcha and call Meteor.loginWithPassword() directly.

The best way is to insert the captcha logic into a hook function. For example, I insert the captcha validation logic into Accounts.onCreateUser() to secure my signup process.

There is an Accounts.validateLoginAttempt() function, but it only accepts username and email as keys.

Technically, yes, you can bypass captcha with a direct call to the login method. However, the point of captcha is to prevent bots from logging in. I haven’t yet seen or heard of Meteor-aware bots, so it should be fine. My recommendation is to have a single method with user, password and captcha. This will require overriding Meteor login and account creation methods.

1 Like
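The single-method approach recommended in the reply above, as an added example that is not part of the thread: one server-side login function that checks the captcha and the password in the same call, so there is no password-only entry point left for a client to call directly. It is framework-free so it runs under plain Node; `createLoginMethod`, `verifyCaptcha`, `findUser`, `checkPassword` and `createDemoServer` are hypothetical names, not Meteor APIs, and the captcha and user stores are constructed in-memory stand-ins.

```javascript
// Added example (not from the thread). All names are hypothetical, not Meteor APIs.
function createLoginMethod({ verifyCaptcha, findUser, checkPassword }) {
  // The only login entry point the server exposes: there is no
  // password-only call that a client could invoke to skip the captcha.
  return function login(params) {
    const { username, password, captcha } = params || {};
    const fields = [username, password, captcha];
    if (!fields.every((v) => typeof v === 'string' && v.length > 0)) {
      return { ok: false, error: 'bad-request' };
    }
    // Captcha is verified first, server-side, in the same call, so a missing
    // or failed captcha never reaches the password check.
    if (!verifyCaptcha(captcha)) return { ok: false, error: 'captcha-failed' };
    const user = findUser(username);
    // One generic error for both unknown user and wrong password.
    if (!user || !checkPassword(user, password)) {
      return { ok: false, error: 'login-failed' };
    }
    return { ok: true, userId: user.id };
  };
}

// Constructed in-memory stand-ins so the example runs offline.
function createDemoServer() {
  const issued = new Set(['token-A', 'token-B']); // captcha answers issued by the server
  const users = new Map([['alice', { id: 'u1', password: 'correct horse' }]]);
  let passwordChecks = 0;
  const login = createLoginMethod({
    // Single use: a solved captcha is consumed and cannot be replayed.
    verifyCaptcha: (token) => issued.delete(token),
    findUser: (name) => users.get(name),
    // Stand-in comparison; a real server delegates to its account
    // system's hashed-password check.
    checkPassword: (user, pw) => {
      passwordChecks += 1;
      return user.password === pw;
    },
  });
  return { login, passwordChecks: () => passwordChecks };
}

const demo = createDemoServer();
// Correct password but no captcha field: rejected before any password check.
console.log(demo.login({ username: 'alice', password: 'correct horse' }));
// Captcha and password together in one call.
console.log(demo.login({ username: 'alice', password: 'correct horse', captcha: 'token-A' }));
```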

@soulmachine Did you find a solution to this?