Protect DDP with a login


#1

Hi,

I made a DDP API for external access to a DB. How can I protect this API with a token or a username and password?

Can I detect when the client does a request or a third-party client does a request?

Thanks for the help.


#2

Just use Meteor.loginWithPassword


#3

Do you have an example?


#4

Check out the docs on the accounts package and this page
https://www.meteor.com/accounts


#5

Yes, sure. You can use Asteroid.

Meteor = new Asteroid($scope.user.host) // meteor backend

Users = Meteor.getCollection('users')

// event
Meteor.on('login', function(){
  Users.reactiveQuery({}).result[0] // your logged-in user
})
Meteor.loginWithPassword(user.email, user.pass).then(function(result){
  // redirect
}, function(error){
  alert(error.reason)
})

#6

OK, thanks for the help, I'll try this.


#7

The easiest way would be to check for a token on the server and reject it if there’s no match:

Meteor.methods({
  getSecrets: function(docId, token) {
    if (token !== 'secret123') {
      throw new Meteor.Error(401, 'not authorized');
    }
    return Secrets.findOne(docId);
  }
})

You should also not hard code the private token. If it’s for internal use you can put it in your Meteor settings and then check against Meteor.settings.your_secret_token instead of 'secret123'.

If the consumer is a registered user and they’re on the client then you can check for a userId instead:

Meteor.methods({
  getSecrets: function(docId) {
    // if logged in with user/pass on client this.userId will be their id
    // using roles package
    if (Roles.userIsInRole(this.userId, ['view-secrets','admin'])) {
      return Secrets.findOne(docId);
    }
    else {
      throw new Meteor.Error(401, 'not authorized');
    }
  }
})
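
An added example, not part of the thread: the two checks from post #7 (shared token from settings, or a logged-in user with a role) combined into one guard, with type checks on the caller-supplied arguments and a constant-time token comparison. It is plain Node.js so it runs without Meteor; `settings`, `secrets`, `viewers`, `authorize` and `tokenMatches` are assumed names standing in for Meteor.settings, the Secrets collection and the roles package.

```javascript
const { createHash, timingSafeEqual } = require('crypto');

// Constructed stand-ins: in Meteor these would be Meteor.settings, a Mongo
// collection and the roles package. All names here are assumptions.
const settings = { private: { apiToken: 'constructed-sample-token' } };
const secrets = new Map([['doc1', { _id: 'doc1', value: 42 }]]);
const viewers = new Set(['user-with-role']);

class NotAuthorized extends Error {
  constructor() { super('not authorized'); this.error = 401; }
}

// Compare SHA-256 digests so both buffers have equal length and the
// comparison time does not depend on where the strings first differ.
function tokenMatches(supplied, expected) {
  // Method arguments are caller-controlled EJSON: reject anything but a string.
  if (typeof supplied !== 'string' || typeof expected !== 'string' || !expected) {
    return false;
  }
  const a = createHash('sha256').update(supplied).digest();
  const b = createHash('sha256').update(expected).digest();
  return timingSafeEqual(a, b);
}

// Accept either a logged-in user holding the role or a caller with the token.
function authorize(ctx, token) {
  if (ctx.userId && viewers.has(ctx.userId)) return 'user';
  if (tokenMatches(token, settings.private.apiToken)) return 'token';
  throw new NotAuthorized();
}

// Shaped like the thread's method body; `this` models the method context.
function getSecrets(docId, token) {
  authorize(this, token);
  // A non-string docId would act as a query selector in findOne, so refuse it.
  if (typeof docId !== 'string') throw new Error('docId must be a string');
  return secrets.get(docId);
}
```

In a Meteor app the same type checks are usually written with `check(docId, String)` and `check(token, String)` at the top of the method.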