New free package to search user accounts and impersonate them

When I was a teenager, after coming down from a crazy trip, this voice entered my head and said “YOU CAN BE ANYTHING YOU WANT TO BE.” With Meteor Candy, I am happy to spread that message in the form of a user impersonation package.

Meteor Candy Light is a free version of Meteor Candy, the hackable admin dashboard package. It’s been customized in a special way to focus on the key features and make the setup instant.

Get Started

Meteor Candy Light is a debugOnly package, meaning you can start using it right away without having to think about permissions or security. It causes less trouble than a diet soda!

To use it, just run the following command, then press Control + D to open.

meteor add meteorcandy:light

Here’s what it will be like:

Optional Configuration

To demonstrate how easy it is to configure Meteor Candy, the Light edition allows you to set one task, field and avatar by configuring just one object. All you need to do is modify it and make it available on the client and server.

MeteorCandyLight = {
    field: {
        field: "services.resume.loginTokens",
        content: function (data) {
            count = data.length || "0";

            if (count === 1) {
                return "1 Login Token";
            } else {
                return count + " Login Tokens";
    task: {
        name: "Change Password",
        prompt: "To what would you like to change the password to?",
        // refresh: true,
        server: function (userId, param) {
            Accounts.setPassword(userId, param)
        client: function (result) {
            if (result) {
                alert("The password has been changed.")
    // Optional avatar field
    // Otherwise, Meteor Candy will try to autodetect
    // avatar: function (userDoc) {
    //  return "" + userDoc._id + ".png";
    // }

To see the more advanced customization capabilities of Meteor Candy, check out the guide on The Meteor Chef. There, you might find a special offer in case you decide to purchase the full version.

Please try it and let me know what you think. Your feedback keeps me moving :smiley:

You should upsell a version that works in production mode. Personally, I wouldn’t want to play god mode with my users accounts, but I’m sure there are plenty that would.

Thanks for the feedback man. There is a production version, and it has a lot of configuration options. So, for example, you can take out things like account impersonation and put in stuff like “Reset Free Trial”

And indeed - account impersonation is an in-demand feature. I think the big use case is when a customer has an issue - it makes it really easy for a rep to sign in, see what they are going through, and correct it for them. You can do it all from the real app instead of building an entire system to manage it.

1 Like

People deploying apps should also be keeping good logs (Splunk, etc) to be able to understand what went wrong when things break. I’m not totally opposed to this approach (for the use case you mentioned – it’s a huge value add), so long as security is at the forefront. User impersonation is a very powerful feature to have in a production application.

Agree - security is always the first concern. I’m building these tools for myself too, so I am as concerned as anyone else.

In terms of accessing the tools, on the server, every method must first pass the permission check, which the developer has complete control over. Assuming their code is not faulty, this functionality should be as secure as any.

To that point, the package follows standard procedure on checking argument, rate limiting, and it only runs code from the server (code does not get passed in from the client).

As for logs, since Meteor Candy is on-premise, it’s pretty easy to connect it to your system. I’m also looking into an Activity screen. That way, businesses can make sure the admin tools are being used properly, and employees aren’t giving away free things to their friends :smiley: