Protect DDP with a login

norBu · August 7, 2015, 8:15am

Hi,

I made a DDP API for external access to a DB, how can i protect this API with Token or Username Password?

Can i detect when the Client due a request or a third party client due a request?

thanks for help

vladmekh · August 7, 2015, 10:10am

just use Meteor.loginWithPassword

norBu · August 7, 2015, 10:35am

do you have a example?

greblak · August 7, 2015, 10:38am

Check out the docs on the accounts package and this page
https://www.meteor.com/accounts

vladmekh · August 7, 2015, 11:23am

yes, sure. u can use asteroid

Meteor = new Asteroid($scope.user.host) // meteor backend

Users = Meteor.getCollection('users')

// event
Meteor.on('login', function(){
 Users.reactiveQuery({}).result[0] // you loggen user
})
Meteor.loginWithPassword(user.email, user.pass).then(function(result){
      // redir
}, function(error){
      alert(error.reason)
})

norBu · August 7, 2015, 12:45pm

ok thanks for help i try this.

SkinnyGeek1010 · August 7, 2015, 1:45pm

The easiest way would be to check for a token on the server and reject it if there’s no match:

Meteor.methods({
  getSecrets: function(docId, token) {
    if (token !== 'secret123') {
       throw new Meteor Error(401, 'not authorized');
    }
    return Secrets.findOne(docId);
  }
})

You should also not hard code in the private token. If it’s for internal use you can put in in your meteor settings and then check against Meteor.settings.your_secret_token instead of 'secret123'.

If the consumer is a registered user and they’re on the client then you can check for a userId instead

Meteor.methods({
  getSecrets: function(docId) {
    // if logged in with user/pass on client this.userId will be their id
    // using roles package
    if (Roles.userIsInRole(this.userId, ['view-secrets','admin'])) {
      return Secrets.findOne(docId);
    }
    else {
      throw new Meteor Error(401, 'not authorized');
    }
  }
})