How to verify user password before running a method?

I have a user profile page where I let the user edit his details. Before the user saves these details, I need to ask for the user’s password and verify it. How can I do this? The only method I use password for is the login method.

How can we verify the logged in user’s password?

Check out the meteor: check a user’s password post from @dweldon (be warned though - the proposed solution relies on internal API calls).

Actually, one of the commenters on that post has come up with an alternate solution that leverages Accounts.changePassword using the current password for both the oldPassword and newPassword, which will result in an error if the password is wrong. Still not the greatest solution as Accounts.changePassword isn’t really intended to be used this way, but it’s another solution nonetheless.


Why isn’t there a public “checkPassword” API method?

I want to add extra security when a user wants to do particular sensitive things in my app.

Pretty simple, I think based on @dweldon’s solution. ~20 LOC for a basic solution doesn’t necessarily justify a public API in my opinion. We use this exact solution (with a validated-method) quite successfully in our app.

But it’s not best practice to rely on internal Meteor methods, as they could change or work differently in future. Public API methods are more likely to be supported with backwards compatibility in case there are future changes.

I think the changePassword method is a better workaround for the time being.
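
Added example, not part of any post in this thread: a server-side gate in which the password check and the sensitive update run in the same server call, so a client cannot skip the check. `requirePassword`, `findUser`, `stubCheck` and `attempt` are hypothetical names, and the injected checker is assumed to return an object with an `error` field on mismatch, which is the result shape of Meteor's internal `Accounts._checkPassword`.

```javascript
// Added example (not from the thread). All names here are hypothetical.
// Wraps a sensitive server-side action so it runs only after the caller's
// current password has been re-verified in the same call.
function requirePassword(findUser, checkPassword, action) {
  return function guarded(userId, digest, ...args) {
    // Identity comes from the server-side session, never from client arguments.
    if (!userId) throw new Error('not-logged-in');
    // Expect a SHA-256 hex digest of the password, not the plaintext.
    if (typeof digest !== 'string' || !/^[0-9a-f]{64}$/.test(digest)) {
      throw new Error('invalid-digest');
    }
    const user = findUser(userId);
    if (!user) throw new Error('user-not-found');
    // Assumption: the checker returns { userId } on success and
    // { userId, error } on mismatch.
    const result = checkPassword(user, { digest, algorithm: 'sha-256' });
    if (result.error) throw new Error('incorrect-password');
    return action(user, ...args);
  };
}

// --- Constructed stand-ins so the example runs outside Meteor ---
const GOOD = 'a'.repeat(64); // constructed value, not a real hash
const BAD = 'b'.repeat(64);  // constructed value, not a real hash
const users = new Map([['u1', { _id: 'u1', storedDigest: GOOD, profile: { name: 'old' } }]]);
const findUser = (id) => users.get(id);
// Stand-in checker: a real one compares against a salted hash (bcrypt).
const stubCheck = (user, pw) =>
  pw.digest === user.storedDigest
    ? { userId: user._id }
    : { userId: user._id, error: new Error('Incorrect password') };

const updateProfile = requirePassword(findUser, stubCheck, (user, name) => {
  user.profile.name = name;
  return user.profile;
});

// Returns the error message a guarded call fails with, or null on success.
function attempt(userId, digest, name) {
  try {
    updateProfile(userId, digest, name);
    return null;
  } catch (e) {
    return e.message;
  }
}
```

In a Meteor method, `userId` would be `this.userId` and `checkPassword` would wrap the internal call from the linked post, with the caveat raised above that internal APIs can change between releases.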