Meteor.loginWithToken throwing 403 Login forbidden

help
1

Hi, I am implementing the login logic my own, instead of using Meteor.loginWithPassword.

After perform all the checking on user credential, i will generate access token from the backend:
image

And frontend will use this token to login using Meteor.loginWithToken:

Meteor.call('Users.login', username, usernameType, password, (error, result) => {
				console.log(error, result);
				if (!error) {
					Meteor.loginWithToken(result, (error) => {
						console.error(stack);
					});
				} else {
				}
			});

But meteor keep throwing error code 403 with the following error message:

I20231025-16:28:45.143(8)?   error: errorClass [Error]: Login forbidden [403]
I20231025-16:28:45.143(8)?       at errorClass.Meteor.Error.clone (packages/meteor.js:754:10)
I20231025-16:28:45.143(8)?       at Object.EJSON.clone (packages/ejson/ejson.js:595:14)
I20231025-16:28:45.143(8)?       at packages/ejson/ejson.js:606:22
I20231025-16:28:45.144(8)?       at Array.forEach (<anonymous>)
I20231025-16:28:45.144(8)?       at Object.EJSON.clone (packages/ejson/ejson.js:605:13)
I20231025-16:28:45.144(8)?       at cloneAttemptWithConnection (packages/accounts-base/accounts_server.js:1510:31)
I20231025-16:28:45.144(8)?       at packages/accounts-base/accounts_server.js:256:16
I20231025-16:28:45.144(8)?       at Hook.forEach (packages/callback-hook/hook.js:110:15)
I20231025-16:28:45.144(8)?       at Hook.each (packages/callback-hook/hook.js:122:17)
I20231025-16:28:45.144(8)?       at AccountsServer._failedLogin (packages/accounts-base/accounts_server.js:255:30)
I20231025-16:28:45.144(8)?       at AccountsServer._attemptLogin (packages/accounts-base/accounts_server.js:488:12)
I20231025-16:28:45.144(8)?       at MethodInvocation.methods.login (packages/accounts-base/accounts_server.js:654:23)
I20231025-16:28:45.144(8)?       at maybeAuditArgumentChecks (packages/ddp-server/livedata_server.js:1885:12)
I20231025-16:28:45.144(8)?       at packages/ddp-server/livedata_server.js:769:19
I20231025-16:28:45.144(8)?       at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1257:12)
I20231025-16:28:45.144(8)?       at packages/ddp-server/livedata_server.js:767:46 {
I20231025-16:28:45.144(8)?     isClientSafe: true,

I was studied the meteor.js code, and found it was error occurred in EJSON.clone() but not sure how to fix it. I had been stucked for so long on this issue. Is anyone have suggestion on it.

Really Appreciated!!!

2

How about you add ‘lodash.clonedeep’ NPM and then import the function import deepClone from 'lodash.clonedeep' and use it instead of your _.cloneDeep.
I am not sure where you _function is coming from.

3

Thanks for your suggestion!!! But the issues was happened inside the EJSON.clone() in meteor framework itself, the _.cloneDeep for stampedToken have no issue.

4

Ok, I suggested that replacement because I don’t think _.cloneDeep exists. I also ran a search in the Meteor repo and I can find some comments about it but I do not find it in the code. I think it doesn’t exist in Underscore. Where do you import it from?
I suspect the result of it is not what Accounts._insertLoginToken expects.
You can compare the params of _insertLoginToken in the native Meteor code in accounts_server.js with the params you generate for that function (https://github.com/meteor/meteor/blob/72f27da680cfdd3ff6fb20f580a7f468cb5f21ce/packages/accounts-base/accounts_tests.js#L329)

5

Thanks for the suggestion. I finally found the issues. Is was caused by the Accounts.validateLoginAttempt didn’t return true or false :sweat_smile:. So it default to false and causes 403 forbidden.

Thanks for your help!!!

6

If you could post code showing the catch and fix, and then close this item out as “solved,” that would be very helpful to others who may encounter something similar in the future.