Hi,
I made a DDP API for external access to a DB. How can I protect this API with a token or username/password?
Can I detect whether the client makes a request or a third-party client makes a request?
Thanks for the help.
Just use Meteor.loginWithPassword.
Do you have an example?
Yes, sure. You can use Asteroid:
```javascript
Meteor = new Asteroid($scope.user.host) // meteor backend
Users = Meteor.getCollection('users')

// event: fires once the login has succeeded
Meteor.on('login', function(){
  Users.reactiveQuery({}).result[0] // your logged-in user
})

Meteor.loginWithPassword(user.email, user.pass).then(function(result){
  // redir
}, function(error){
  alert(error.reason)
})
```
OK, thanks for the help, I'll try this.
The easiest way would be to check for a token on the server and reject it if there’s no match:
```javascript
Meteor.methods({
  getSecrets: function(docId, token) {
    // reject the call unless the caller supplied the shared token
    if (token !== 'secret123') {
      throw new Meteor.Error(401, 'not authorized');
    }
    return Secrets.findOne(docId);
  }
})
```
You should also not hard-code the private token. If it's for internal use you can put it in your Meteor settings and then check against Meteor.settings.your_secret_token instead of 'secret123'.
If the consumer is a registered user and they’re on the client then you can check for a userId instead
```javascript
Meteor.methods({
  getSecrets: function(docId) {
    // if logged in with user/pass on client this.userId will be their id
    // using roles package
    if (Roles.userIsInRole(this.userId, ['view-secrets','admin'])) {
      return Secrets.findOne(docId);
    }
    else {
      throw new Meteor.Error(401, 'not authorized');
    }
  }
})
```
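The token check from the answer above with the token read from settings, compared in constant time, and the method arguments type-checked, as an added example that is not part of the original thread. It is plain Node.js so it runs without Meteor: `makeGetSecrets`, `tokenMatches`, `methodError` and `tryCall` are hypothetical names, `settings` stands in for `Meteor.settings`, `findOne` for `Secrets.findOne`, and the token and document are constructed sample values.

```javascript
const crypto = require('crypto');

// Constant-time token comparison. Hashing both sides first yields equal-length
// buffers (required by timingSafeEqual) and hides the expected token's length.
function tokenMatches(supplied, expected) {
  if (typeof supplied !== 'string' || typeof expected !== 'string' || expected === '') {
    return false; // missing or non-string token, or no token configured: deny
  }
  const a = crypto.createHash('sha256').update(supplied).digest();
  const b = crypto.createHash('sha256').update(expected).digest();
  return crypto.timingSafeEqual(a, b);
}

// Stand-in for `new Meteor.Error(code, reason)` (assumption: no Meteor runtime here).
function methodError(code, reason) {
  const err = new Error(reason);
  err.error = code;
  return err;
}

// `settings` stands in for Meteor.settings and `findOne` for Secrets.findOne.
function makeGetSecrets(settings, findOne) {
  return function getSecrets(docId, token) {
    if (!tokenMatches(token, settings.your_secret_token)) {
      throw methodError(401, 'not authorized');
    }
    // Method arguments are arbitrary client-supplied values. Accept only a
    // non-empty string id so an object is never handed to findOne as a selector.
    if (typeof docId !== 'string' || docId === '') {
      throw methodError(400, 'invalid document id');
    }
    return findOne(docId);
  };
}

// Constructed sample data and token, for demonstration only.
const sampleDocs = new Map([['abc123', { _id: 'abc123', value: 'constructed secret' }]]);
const getSecrets = makeGetSecrets(
  { your_secret_token: 'constructed-demo-token' },
  (id) => sampleDocs.get(id)
);

// Calls the method and reports either the document or the error code.
function tryCall(docId, token) {
  try {
    return { ok: true, doc: getSecrets(docId, token) };
  } catch (e) {
    return { ok: false, code: e.error };
  }
}
```

Inside a Meteor app the same handler body goes in `Meteor.methods`, throwing `Meteor.Error` and reading the token from `Meteor.settings`.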