You don't use the internal Meteor method, but you will create your own, for example:

import { Meteor } from 'meteor/meteor';
import { Accounts } from 'meteor/accounts-base';
import { check } from 'meteor/check';

async function getLoggedUserAsync(userId, token) {
  // you can also check whether your user is active, or whatever you want
  return Meteor.users.findOneAsync(
    {
      _id: userId,
      // Meteor stores login tokens hashed, so hash the client's token the same way
      'services.resume.loginTokens.hashedToken': Accounts._hashLoginToken(token),
    },
    { fields: { private: 0 /* ...any other fields you want to exclude */ } },
  );
}

// inside your Meteor method:
check(userId, String);
check(token, String);
const currentUser = await getLoggedUserAsync(userId, token);

Later you can somehow modify your method to prevent brute force.
Hmmm… it looks like you're relying on the userId provided by the client. A hacker might be able to find the userId of another user of your app. If someone uses your app and leaves their computer unattended, someone could type Meteor.userId() into the console and get it.
However, maybe the approach you describe is correct for your use case.
Can you explain it in more depth? Because to find another userId he must also know his token. Or am I thinking wrong?
Hmmm… that might work. I’ve taken the view that, since I can look up the userId via the loginToken, I won’t send the userId from the client to the server. But your approach may be perfectly correct. I’ll leave it for others here to comment.
I think userId with token is more secure, but you are the boss of your project.