I’m trying to make a seamless login experience across two Meteor apps, both subdomains of the same domain.
- User is logged in to a Meteor app on my-fav-cats.example.com, App1 from now on, which displays a list of cats the user likes
- User goes to browse-cats.example.com, App2 from now on, which is another Meteor app on the same domain, where the user can browse some cats and favorite them
- When an authenticated user moves from App1 to App2, the user should automatically be logged in there as well, allowing them to immediately favorite a few cats, which would then get listed on App1.
Both apps can, if required, access the same database directly.
How can I achieve this with Meteor?
My idea 1: Use kadira’s login-state package to fake it, so that App2 gets a cookie with userId, name, avatar and a secret token persisted by App1. The client then connects to App1 and calls a method with the faved cat, userId and secret token, which is used to validate the action.
My idea 2: Just persist Meteor’s loginToken in the cookie and use that to make actual authenticated DDP method calls from App1. Probably vulnerable to all sorts of attacks?!
Any more ideas?