We were developing a Meteor app that’s meant to be run locally (think restaurants + real-time ordering/tutorial centre + monitoring students’ progress), and we were faced with a challenge. Our client wanted to allow admins to log users in on their behalf. We tried the gwendall:impersonate package, but that is done using connections and normal users can gain admin access simply by refreshing the page.
Instead, we developed the accounts-admin-password package, which is basically a login handler. On the server side, it validates the admin password, inserts a token into the user’s document, and returns the token to the client. So even when the user refreshes the page, it would still be them who is logged in.
Please check it out! Feedback would be greatly appreciated!
Not sure if this would have achieved what you were after, I’ve never used this function myself.
It might not work, as you say they might have been able to get around it with a refresh, I don’t know exactly how this function works under the hood.
Call this function to change the currently logged in user on the connection that made this method call. This simply sets the value of userId for future method calls received on this connection. Pass null to log out the connection.
If you are using the built-in Meteor accounts system then this should correspond to the _id field of a document in the Meteor.users collection.
Actually thinking about this, I think this is exactly what you said did not work.
It doesn’t sound like this function changes the user’s session, but just allows their connection to appear as another user…
Hi @cstrat, thanks for checking it out. We actually tried setUserId before trying the gwendall:impersonate package, but as you correctly said, as soon as you refresh, a new connection is established.
So you would use gwendall:impersonate when you are the admin and want to temporarily access as someone else, whereas brewhk:accounts-admin-password is more of a permanent solution.
It sounds like your solution is way better because you’re giving the user the access token and actually changing their login. If I needed to do this, I would use your package for sure.
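The distinction discussed in this thread, a connection-scoped `setUserId` versus a login token stored on the user's document, as an added Node.js example. It is not code from brewhk:accounts-admin-password or from Meteor; the in-memory store, the function names and the sample password are constructed, and storing only a hash of the token and tagging who issued it are assumptions of this example.

```javascript
// Added illustration: an in-memory model, not Meteor or package code. All names are hypothetical.
const nodeCrypto = require('crypto');

const sha256 = (s) => nodeCrypto.createHash('sha256').update(s).digest('hex');
const kdf = (pw, salt) => nodeCrypto.scryptSync(pw, salt, 32);

// Constructed sample data: one admin credential and one ordinary user.
const salt = nodeCrypto.randomBytes(16);
const admin = { salt, hash: kdf('constructed-admin-pw', salt) };
const users = new Map([['u1', { _id: 'u1', username: 'alice', tokens: [] }]]);

// A connection keeps userId in memory only, as setUserId does per the quoted docs.
class Connection {
  constructor() { this.userId = null; }
  setUserId(id) { this.userId = id; }
}

// Login handler: check the admin password, then persist a token on the target user.
function loginWithAdminPassword(conn, targetUserId, adminPassword) {
  const candidate = kdf(String(adminPassword), admin.salt);
  if (!nodeCrypto.timingSafeEqual(candidate, admin.hash)) return null;
  const user = users.get(targetUserId);
  if (!user) return null;
  const token = nodeCrypto.randomBytes(32).toString('hex');
  // Assumption of this example: store only a hash, and tag who issued the token.
  user.tokens.push({ hashedToken: sha256(token), issuedBy: 'admin', when: Date.now() });
  conn.setUserId(user._id);
  return token; // the client keeps this and presents it again after a reload
}

// Resume on a fresh connection: look the presented token up by its hash.
function resume(conn, token) {
  const h = sha256(String(token));
  for (const user of users.values()) {
    if (user.tokens.some((t) => t.hashedToken === h)) {
      conn.setUserId(user._id);
      return true;
    }
  }
  return false;
}

// Revoke admin-issued tokens so the session cannot be resumed any more.
function revokeAdminTokens(userId) {
  const user = users.get(userId);
  if (user) user.tokens = user.tokens.filter((t) => t.issuedBy !== 'admin');
}
```

A new `Connection` starts with `userId` null, so only the stored token carries the login across a reload; because that login persists, revoking by the `issuedBy` tag is what gives an admin-issued session an explicit end.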