[Solved] Some users act as admin on backend but front-end shows the right user

We are currently having a really strange issue with Meteor and we just can’t find why.

To make it short, we have Meteor 1.6 (can’t update apps on AppStore right now because it’s really used heavily by our client). We have 5 instances (3 spots) on AWS behind an Application Load Balancer. We use nginx to proxy requests to Meteor from the load balancer.

The problem right now is that some users (really random) log in as their user, but when they use the app, it’s like they are logged in as the main admin. We don’t use a custom process to log in users (we use Meteor.loginWithPassword). We are not able to reproduce the problem so we can’t really find out what is happening.

Do you guys have any idea on what could be the problem?

Any help would be really appreciated :)

Edit: I just got more information from our client. The users see their own profile on the front-end, but when they interact with the server, the server thinks they are the admin account and does most things as this account.

What are you using to identify admin users? alanning:roles?

Yes. We just found the bug a few minutes ago. One of our devs was using Meteor.userId() instead of this.userId server side. We just switched to this.userId and everything is back to normal.

It seems like Meteor.userId() is not bound to the current context but to the app in general and can’t be trusted server side to return the real current user in a method.

This is correct. I believe Josh Owens had an article with this in it at one point. Not sure if it was added to the official docs or not.
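The failure mode described in this thread, as an added example that is not part of the original posts and is not Meteor's code: a simplified model in which one handler reads the caller's identity from process-wide state and the other reads it from its own invocation context (`this.userId`). All names, users and the scheduler are hypothetical; each `yield` stands for a point where the server waits on I/O and another client's call can run.

```javascript
// Simplified model of the bug class discussed above, not Meteor internals.
// Constructed sample users: "admin" has the admin role, "alice" does not.
const ROLES = { admin: ['admin'], alice: [] };

// Process-wide "current user", shared by every in-flight call (the unsafe pattern).
let sharedUserId = null;

function isAdmin(userId) {
  return (ROLES[userId] || []).includes('admin');
}

// Unsafe: identity is read from shared state after the handler has waited.
function* unsafeRemoveUser(targetId) {
  yield 'waiting on database';
  const actor = sharedUserId;
  return { actor, targetId, allowed: isAdmin(actor) };
}

// Safe: identity comes from this invocation's own context.
function* safeRemoveUser(targetId) {
  yield 'waiting on database';
  const actor = this.userId;
  return { actor, targetId, allowed: isAdmin(actor) };
}

// Hypothetical dispatcher: starts every call up to its first wait, then resumes
// them in order, so the calls overlap the way concurrent clients would.
function runInterleaved(method, calls) {
  const running = calls.map(({ userId, args }) => {
    sharedUserId = userId;                      // overwritten by each new call
    const gen = method.apply({ userId }, args); // per-invocation context
    gen.next();                                 // run until the first wait
    return { caller: userId, gen };
  });
  return running.map(({ caller, gen }) => {
    let step = gen.next();
    while (!step.done) step = gen.next();
    return { caller, ...step.value };
  });
}

function demo() {
  const calls = [
    { userId: 'alice', args: ['bob'] },   // regular user calls first
    { userId: 'admin', args: ['carol'] }, // admin call arrives while alice waits
  ];
  return {
    unsafe: runInterleaved(unsafeRemoveUser, calls),
    safe: runInterleaved(safeRemoveUser, calls),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the unsafe run alice's call is authorized as admin only because the admin's call overlapped hers, which is why such a bug looks random and is hard to reproduce with a single test user.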