[solved] - Validate user password on server on new user creation

After calling Accounts.createUser() I'd like to validate the password string on the server (that it is of an allowed length and so forth...).
As far as I know, Meteor sends a SHA256 hash to the server instead of the plaintext.
So is there a way to look up that hash and get the plaintext password on the server?
More generally: is there a way to validate a password server side?

Have you checked if http://docs.meteor.com/#/full/accounts_validatenewuser doesn’t work with the original password?

You can’t retrieve the plaintext password from the hash (otherwise you, me, and the rest of the world have serious issues).

If you’d like to constrain the user’s password, you have to send it to the server in plaintext. This means you MUST strictly run over TLS in production*. Send the password to the server in a method call, validate it, then call createUser on the server.

* You should anyway: AFAIK Meteor’s password exchange does not prevent a replay attack.

I do exactly that: I send all user properties via a method, and the password is hashed through the sha256 package. On the server I validate all the user properties and thought to validate the password too...
Actually, I want to validate that the password isn't longer than 30 chars; my concern is that it could be billions of characters (from a malicious user, maybe I'm just delirious) and would incur a large byte size in the DB...
Do you know if the password field in the user document has a byte size restriction in MongoDB? Or maybe there's a way to impose such a restriction?
Or maybe I shouldn't bother about that at all?

You don't need to restrict password length. The server is only sent a fixed-length hash, regardless of the plaintext length. So it won't affect the server, only the client's machine, but that's their lookout.


After some searching I've found out that a sha256 string can encode terabytes of string input, but is always 64 chars in length itself.
So no need to worry about password length byte size in the DB. Good to know =)
Plus I've found out what salting is... =)