Meteor token authorization with simple:rest package not working

I have implemented a web application with meteor and currently i am trying to extend some functionalities to a separate api application(its also build with meteor).
How can i implement a api call from my web to newly implemented rest api app? is there any way to authorize to currently currently logged in user token with new rest api app? i have tried loginwithToken functionality but its only working in client side but my rest api meteor app is completely run in server side.
i am using simple:json-routes and simple:rest packages on my new rest api application.

Not sure what the exact problem is here. Are you wanting to build a REST API, or are you trying to call one? Usually you will provide an api key+secret to authenticate with the remote system. Can you provide more details pls?

1 Like

@mikkelking thank you for the response, currently i have installed


these packages in my rest app and implemented the middlewares like this

JsonRoutes.Middleware.use(’/api’, JsonRoutes.Middleware.parseBearerToken);

JsonRoutes.Middleware.use(’/api’, JsonRoutes.Middleware.authenticateMeteorUserByToken);

in my postman test api call, i passed the token which is stored in user collection services.resume.loginTokens on login time(actual web application), like this
Authorization:Bearer 7YGOMsoFZ6D0MfKj7082qVAj7StvI0qNTAspfntBBvk

i can access request.authToken in my function but can not access request.userId, its showing undefined

You might need to share your code.
The undefined for the userId suggests that the loginToken isn’t being accepted. It appears to be a hashedToken, maybe you need to unhash it?

I haven’t used this package before, but I suspect you need to explicitly login using meteor add simple:rest-accounts-password

@mikkelking thank you for the response, :slight_smile:

I do not have a login action in my REST API application, my web application run on another domain and the web application make an API call using Axios package to my REST API application and pass the token ( this token will already be stored in the user collection while user login to the web application, in ‘services.resume.loginTokens’ field ) for authentication, is there anything wrong in this?

this is my code

JsonRoutes.Middleware.use(’/api’, JsonRoutes.Middleware.parseBearerToken);
JsonRoutes.Middleware.use(’/api’, JsonRoutes.Middleware.authenticateMeteorUserByToken);
“Cache-Control”: “no-store”,
“Pragma”: “no-cache”,
“Access-Control-Allow-Origin”: “*”,
“Access-Control-Allow-Methods”: “GET, PUT, POST, DELETE, OPTIONS”,
“Access-Control-Allow-Headers”: “Content-Type, Authorization, X-Requested-With”


  • Home
    JsonRoutes.add(“get”, “/api/”,function (req, res, next) {
    JsonRoutes.sendResult(res, {
    error: false,
    message: 'User id '+req.userId

My apologies for being critical, but I think there are a couple of things wrong with this approach:

  1. The token stored in the users resume isn’t working (wrong format?)
  2. You shouldn’t rely on a user having a current token - they may not be logged in
  3. It’s good practice for an API to do it’s own authentication, otherwise you have a potential security hole.

My apologies if I am wrong about your architecture, it’s a bit of guesswork on my part

1 Like

@mikkelking I think you’ve made some false assumptions. As @suneethloremine stated, the user would be logged in, and furthermore the api server is doing its “own” authentication with the primary Meteor server, apparently with a Bearer token.

There are security concerns. For one, the Meteor localStorage resume token is available to JavaScript, therefore the browser allows malicious code to access it. Also, if you are making a call that is not https, more people can read that data. As @mikkelking mentioned a shared secret with the two servers can be used to make a secure token. Also if the Bearer token is obtained it can be used to log in.

1 Like

Thank you @jonlachlan and @mikkelking , @jonlachlan you are right, currently i have 2 applications, one main web application and other one is a rest api application it should work like a microservice, the login functionality is in main web application and the stored resume token is using to authenticate with rest api, the rest api authentication functionality is using bearer token,… is meteor login resume token not bearer token? is there any format issue?
i have also tried to generate a token using Accounts._generateStampedLoginToken().token and authenticate with rest api app using postman but that doesn’t work.

posted this issue as a new topic

post URL: Simple:authenticate-user-by-token not working

I’m not familiar with the packages. As they are not presently working for you, I’d suggest you build-your-own. Make a fetch call and get the userId as part of the request body. No hassle in writing things out another time. :face_with_raised_eyebrow:

1 Like

@jonlachlan Thank you, i am working on building own authorization functionality. :slight_smile: