Meteor Accounts - Log in with admin password

We were developing a Meteor app that’s meant to be run locally (think restaurants + real-time ordering/tutorial centre + monitoring students’ progress), and we were faced with a challenge. Our client wanted to allow admins to log users in on their behalf. We tried the gwendall:impersonate package, but that is done using connections and normal users can gain admin access simply by refreshing the page.

Instead, we developed the accounts-admin-password package, which is basically a login handler. On the server side, it validates the admin password, inserts a token into the user’s document, and returns the token back to the client. So even when the user refreshes the page it would still be them who is logged in.

Please check it out! Feedback would be greatly appreciated!

2 Likes

Not sure if this would have achieved what you were after, I’ve never used this function myself.
It might not work, as you say they might have been able to get around it with a refresh, I don’t know exactly how this function works under the hood.

http://docs.meteor.com/#/full/method_setUserId

Call this function to change the currently logged in user on the connection that made this method call. This simply sets the value of userId for future method calls received on this connection. Pass null to log out the connection.

If you are using the built-in Meteor accounts system then this should correspond to the _id field of a document in the Meteor.users collection.


Actually thinking about this, I think this is exactly what you said did not work.
It doesn’t sound like this function changes the user’s session, but just allows their connection to appear as another user…

1 Like

Hi @cstrat, thanks for checking it out. We actually tried setUserId before trying the gwendall:impersonate package, but as you correctly said, as soon as you refresh, a new connection is established.

So you would use gwendall:impersonate when you are the admin and want to temporarily access as someone else, whereas brewhk:accounts-admin-password is more of a permanent solution.

It sounds like your solution is way better because you’re giving the user the access token and actually changing their login. If I needed to do this, I would use your package for sure.
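
The difference discussed in this thread, as an added example that is not code from any poster, from Meteor, or from the brewhk:accounts-admin-password package: an in-memory Node.js model in which a connection-scoped setUserId is lost on a new connection, while a token issued after an admin password check can be presented again after a refresh. The Connection class, loginWithAdminPassword, resume, the users map and the sample password are all hypothetical names and constructed data.

```javascript
const crypto = require('crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s).digest('base64');
const hashPassword = (pw, salt) => crypto.scryptSync(pw, salt, 32);

// Constructed sample data standing in for the Meteor.users collection.
const salt = crypto.randomBytes(16);
const users = new Map([
  ['admin1', { isAdmin: true, salt, pwHash: hashPassword('constructed-admin-pw', salt), tokens: [] }],
  ['user1', { isAdmin: false, tokens: [] }],
]);

// Each connection carries its own userId, like this.userId inside a Meteor method.
class Connection {
  constructor() { this.userId = null; }
  // Connection-scoped switch: nothing is stored, so a new connection starts logged out.
  setUserId(id) { this.userId = id; }
  // Hypothetical handler: verify the admin's password, then issue a token for the target user.
  loginWithAdminPassword(adminId, adminPassword, targetId) {
    const admin = users.get(adminId);
    const target = users.get(targetId);
    if (!admin || !admin.isAdmin || !target) throw new Error('login failed');
    const supplied = hashPassword(adminPassword, admin.salt);
    if (!crypto.timingSafeEqual(supplied, admin.pwHash)) throw new Error('login failed');
    const token = crypto.randomBytes(32).toString('hex');
    target.tokens.push({ hashed: sha256(token), when: Date.now() }); // store only the hash
    this.userId = targetId;
    return token; // the client keeps this and presents it after a refresh
  }
  // What a reloaded page does: present the stored token on a fresh connection.
  resume(token) {
    const hashed = sha256(token);
    for (const [id, u] of users) {
      if (u.tokens.some((t) => t.hashed === hashed)) { this.userId = id; return id; }
    }
    throw new Error('login failed');
  }
}

function demo() {
  const first = new Connection();
  const token = first.loginWithAdminPassword('admin1', 'constructed-admin-pw', 'user1');
  const afterRefresh = new Connection(); // page reload = new connection
  const beforeResume = afterRefresh.userId;
  return { token, beforeResume, resumed: afterRefresh.resume(token) };
}
```

In this model the token is the only thing that survives the reload, so its storage (hashed server-side) and the admin check that gates its issuance are the parts worth reviewing in a real handler.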