Login working with ANY password (Solved)

crane3700 · March 5, 2017, 6:55am

Hello People,

Set up a custom login system with Meteor for my app, and if I enter a correct email, I can use ANY password. I really hope I implemented something wrong, because I don’t want to switch languages. Code snippet below:

Template.login.events({
    'submit form': function(event){
        event.preventDefault();
        var email = event.target.email.value;
        var password = event.target.email.value;
        Meteor.loginWithPassword(email, password, function(error){
            if(error){
                loginnotice();
                console.log(error.reason);
            } else {
                Meteor.loginWithPassword(email, password);
            }
        });
    }
});

Version = Meteor 1.4.3.1
How can I fix this? Thanks.

PS: First time posting here, if I have breached any rules, apologies.

cstrat · March 5, 2017, 8:05am

That doesn’t sound right.

You’ve done something strange in your code, but it doesn’t explain being able to login with the wrong password.
In the first Meteor.loginWithPassword call you have the following in the callback:

if(error){
  loginnotice();
  console.log(error.reason);
} else {
  Meteor.loginWithPassword(email, password);
}

Why are you calling the login function again?

Can you try opening a new browser window in incognito mode. Try the whole thing again.
Your login attempt should fail and console.log the error reason.

storyteller · March 5, 2017, 8:09am

You haven’t breached any rules, though this should be reported as a security issue directly to MDG if you are certain.

First thing I can see is that you are getting the e-mail field for password and the second login with password function call is unnecessary.

So your code should look like this:

Template.login.events({
    'submit form': function(event){
        event.preventDefault();
        var email = event.target.email.value;
        var password = event.target.password.value;
        Meteor.loginWithPassword(email, password, function(error){
            if(error){
                loginnotice();
                console.log(error.reason);
            }
        });
    }
});

crane3700 · March 5, 2017, 8:27am

I assumed I needed to call it in the else block, removed it, and simulated production with

“–production”. Nothing has changed.

dbarrett · March 5, 2017, 8:42am

I would hazard a guess that since you were incorrectly using the email value for the password during the loginWithPassword call, that you were also doing the same during the createUser process.

Meaning it doesn’t matter what the password value was as it is never used, hence you do not see an error.

crane3700 · March 5, 2017, 8:52am

Just to clear the air, I am typically not this careless. Apologies, and thanks.

It seems to work well now. How do I mark as closed?

gusto · March 5, 2017, 9:49am

Just edit the title and add something like [SOLVED]. Have fun with Vue.

crane3700 · March 5, 2017, 10:01am

Hello Gusto,

What is Vue?

gusto · March 5, 2017, 10:12am

Lol, sorry. I meant have fun with Meteor.

I was helping somebody with Vue at the same time so I made a mistake. Don’t mind it.

crane3700 · March 5, 2017, 10:16am

Ok, thank you. I will.