I’m working with cooloney on this. Let me explain a little further.
Basically there are two sites, mysite.cn and mysite.com, one in China and one in the US. We don’t want them to share the same MongoDB database because database access could be slow. So each site has its own local MongoDB database. But we do want them to share the same users collection, in the sense that:
- Users are expected to register once and be able to log on to both sites.
- Preferably, if a user has logged on to one site, he/she is automatically logged on to the other site.
For the ability to register once and log on to both sites, just as cooloney said, we are considering two approaches:
1. Build a user account database shared by the two sites. Then each site has to access two databases, one local database with all information except the users collection, and the other with the users collection only. As http://stackoverflow.com/questions/20535755/using-multiple-mongodb-databases-with-meteor-js suggests, it is possible for a Meteor app to access an additional database, but without opLog capability.
2. Each site has its own users collection, but runs collection insertion/updating/removal hooks to sync with the other site. For this approach some transaction and rollback mechanism must be implemented: what if the local database is updated successfully but synchronizing with the remote database fails?
For the ability to automatically log on, I see this package, https://atmospherejs.com/admithub/shared-auth; it achieves this by embedding iframes of the sites in each other, and then passing loginTokens between pages and iframes. I haven’t tried it yet, and I’m not sure if this is secure enough.
Any suggestion is appreciated!
By the way, I see how forum.meteor.com accounts are derived from www.meteor.com accounts; this may not be convenient enough for the user, but at least both sites share the same username/password. I’m curious how this is implemented. Thanks!
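The iframe hand-off mentioned in the post above is only as safe as the origin checks on both ends. The following is an added example, not code from the post or from the admithub/shared-auth package: it assumes the token travels via `window.postMessage`, that both sites are served over https, and that tokens are 43 URL-safe characters; `ALLOWED_ORIGINS`, `acceptLoginToken`, `sendLoginToken` and the message shape are hypothetical.

```javascript
// Added example: checks around a cross-site login-token hand-off.
// Assumptions: the token travels via window.postMessage, both sites use
// https, and tokens are 43 URL-safe characters. All names are hypothetical.
const ALLOWED_ORIGINS = new Set(["https://mysite.cn", "https://mysite.com"]);
const TOKEN_RE = /^[A-Za-z0-9_-]{43}$/;

// Receiver: decide whether a "message" event may be used to log in.
function acceptLoginToken(event, now = Date.now()) {
  // Exact match on the browser-supplied origin; no substring or suffix tests.
  if (!ALLOWED_ORIGINS.has(event.origin)) {
    return { ok: false, reason: "origin" };
  }
  const msg = event.data;
  if (typeof msg !== "object" || msg === null || msg.type !== "loginToken") {
    return { ok: false, reason: "shape" };
  }
  if (typeof msg.token !== "string" || !TOKEN_RE.test(msg.token)) {
    return { ok: false, reason: "token" };
  }
  // Reject tokens the sending site already considers expired.
  const expires = Date.parse(msg.expires);
  if (!Number.isFinite(expires) || expires <= now) {
    return { ok: false, reason: "expired" };
  }
  return { ok: true, token: msg.token };
}

// Sender: always name the target origin, so the browser drops the message
// if the frame has been navigated elsewhere. Never pass "*".
function sendLoginToken(targetWindow, targetOrigin, token, expires) {
  if (!ALLOWED_ORIGINS.has(targetOrigin)) {
    throw new Error("refusing to send a login token to " + targetOrigin);
  }
  targetWindow.postMessage({ type: "loginToken", token, expires }, targetOrigin);
}

// Browser wiring (not executed under Node):
if (typeof window !== "undefined") {
  window.addEventListener("message", (e) => {
    const r = acceptLoginToken(e);
    if (r.ok) Meteor.loginWithToken(r.token);
  });
}
```

These checks cover only the browser hand-off; the receiving server still has to recognise the token, which depends on the shared or synchronized users collection discussed above.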
Mhh. Interesting, I’m looking for something similar. I had a different strategy in mind though. I planned an OAuth provider and to share it between the apps…
Sandstorm.io might be an interesting case, I figure. Users are authenticated at the top level and the Sandstorm apps get this authentication passed in via HTTP headers: