permb
June 9, 2021, 1:26pm
(the forum didn’t allow another post on the old topic so I’ll start a new one)
In case someone else gets stumped by not being able to use Accounts.createUser in beta 5, I found by examining the code that the 2.3 branch has code that disallows sending in a raw password string, but this has been fixed in the devel branch.
```javascript
  check(user, {
    id: Match.Optional(NonEmptyString),
    username: Match.Optional(NonEmptyString),
    email: Match.Optional(NonEmptyString)
  });
  if (Object.keys(user).length !== 1)
    throw new Match.Error("User property must have exactly one field");
  return true;
});

const passwordValidator = Match.OneOf(
  Match.Where(str => Match.test(str, String) && str.length <= Meteor.settings?.packages?.accounts?.passwordMaxLength || 256), {
    digest: Match.Where(str => Match.test(str, String) && str.length === 64),
    algorithm: Match.OneOf('sha-256')
  }
);

// Handler to login with a password.
//
// The Meteor client sets options.password to an object with keys
// 'digest' (set to SHA256(password)) and 'algorithm' ("sha-256").
```
I’m not entirely sure why this code is not in the 2.3 branch yet since it was committed to devel on April 28.
committed 03:43PM - 28 Apr 21 UTC
The release-2.3 branch code is borked.
```javascript
  check(user, {
    id: Match.Optional(NonEmptyString),
    username: Match.Optional(NonEmptyString),
    email: Match.Optional(NonEmptyString)
  });
  if (Object.keys(user).length !== 1)
    throw new Match.Error("User property must have exactly one field");
  return true;
});

const passwordValidator = {
  digest: Match.Where(str => Match.test(str, String) && str.length === 64),
  algorithm: Match.OneOf('sha-256')
};

// Handler to login with a password.
//
// The Meteor client sets options.password to an object with keys
// 'digest' (set to SHA256(password)) and 'algorithm' ("sha-256").
//
// For other DDP clients which don't have access to SHA, the handler
```
Filed an issue to ensure it gets fixed:
opened 01:28PM - 09 Jun 21 UTC
closed 08:49PM - 14 Jun 21 UTC
Type:Bug
The 2.3 version of password_server.js has new parameter checks that are in conflict with
- my code
- the documentation in the file
- the typescript types on DefinitelyTyped
The new check on the password option disallows sending in strings, which is not only documented at the top of the file but is also the only option in the Typescript types for Accounts.
Old working code in release-2.2:
https://github.com/meteor/meteor/blob/f9a098a03541718a8cfcddee1e5ff2ce9be9355a/packages/accounts-password/password_server.js#L279
Working code in devel branch:
https://github.com/meteor/meteor/blob/f5d3715431a2dd938afbf2f12d822476bd30b3fa/packages/accounts-password/password_server.js#L279
New broken code in release-2.3:
https://github.com/meteor/meteor/blob/0dfc7a7a64969c0c1852775add6411133595fd90/packages/accounts-password/password_server.js#L277
Documentation at the top of the file:
https://github.com/meteor/meteor/blob/f5d3715431a2dd938afbf2f12d822476bd30b3fa/packages/accounts-password/password_server.js#L15
3 Likes
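The difference between the two `passwordValidator` shapes quoted in the post above, as an added example that is not part of the original post and is not Meteor's code. It models the validators with plain functions instead of the `check` package; `isDigestObject`, `release23Accepts`, `develAccepts`, `compareBranches` and the sample values are names and inputs made up for this illustration.

```javascript
// Added example: plain-function model of the two validators quoted in the post.
// Not Meteor's code; these helpers stand in for Match.Where / Match.OneOf.
const isString = (v) => typeof v === 'string';

// Object form sent by the Meteor client: exactly { digest, algorithm }.
function isDigestObject(pw) {
  if (pw === null || typeof pw !== 'object' || Array.isArray(pw)) return false;
  const keys = Object.keys(pw).sort().join(',');
  return keys === 'algorithm,digest' &&
    isString(pw.digest) && pw.digest.length === 64 &&
    pw.algorithm === 'sha-256';
}

// release-2.3 shape: only the digest object passes.
function release23Accepts(pw) {
  return isDigestObject(pw);
}

// devel shape: a raw string up to the configured maximum, or the digest object.
// The fallback is resolved on its own line because `<=` binds tighter than `||`.
function develAccepts(pw, settings = {}) {
  const maxLength = settings?.packages?.accounts?.passwordMaxLength || 256;
  return (isString(pw) && pw.length <= maxLength) || isDigestObject(pw);
}

// Constructed inputs (the digest is 64 filler characters, not a real hash).
const samples = {
  rawString: 'correct horse battery staple',
  digestObject: { digest: 'a'.repeat(64), algorithm: 'sha-256' },
  shortDigest: { digest: 'abc123', algorithm: 'sha-256' },
  oversizedString: 'x'.repeat(257),
  notAPassword: 12345,
};

// Returns one row per sample showing which branch shape accepts it.
function compareBranches(settings = {}) {
  return Object.entries(samples).map(([name, pw]) => ({
    name,
    release23: release23Accepts(pw),
    devel: develAccepts(pw, settings),
  }));
}

console.table(compareBranches());
```

Only the `rawString` row differs between the two columns, which is the server-side `Accounts.createUser` case the post describes.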
Fix should come out in the next beta later tonight.
On a personal note, just opening an issue on GitHub is enough.
1 Like