RESTful authentication in Meteor. Is it possible?

I searched around, but could not find a satisfactory answer to this question.

I have a Meteor website where users register and create content. I also want to create a phone application that can interact with the website, and I want users to log in to the phone application and access the same content as on the website. Pretty normal.

I created a basic REST API for accessing collections using the Meteor HTTP.publish package. It works without any user information (without authentication), but now I want to use the userId in the GET methods and in the collections' Meteor.allow rules to access the current user.

So, I'm currently struggling with telling Meteor the user ID on a REST request, even just for testing. I thought I could get a valid user's Accounts._storedLoginToken in the browser and use it to test with curl. Something like:

curl -H "X-Auth-Token: asdklfjasldfjlsadkjf" -H "Content-Type: application/json" -d '{"name":"A Name","description":"Testing description"}' http://localhost:3000/api/places

I tried this, but without joy: I get a 403, which is at least something.

My questions are as follows:

  • Are the tokens created for the client specific (i.e., hashed with the host URL or something else)?
  • Does bcrypt use the X-Auth-Token method? If not, what am I doing wrong in the curl command?
  • Is DDP the only way to create valid tokens, or can I make an API call that creates a token on the server, even just by passing plain-text credentials?

e.g. /api/login?user=shane&pwd=qwerty => returns a token I can then use in the curl request.

I am really stuck with this, so anything pointing me in the right direction will be appreciated. I also note that HTTP.publish has not yet implemented the login / logout methods, so maybe this is not so simple.

+6
3 answers

A few days ago, I started on an application with similar authentication requirements. I found that Differential's RESTstop2 recently, in version 0.6.0, updated its authentication support to work with the recently added bcrypt password hashing in Meteor.

You simply send the username and password as URL or body parameters as follows:

 curl --data "password=testpassword&user=test" http://localhost:3000/api/login/ 

and the server will return the following (if the credentials are correct):

 { success: true, loginToken: "f2KpRW7KeN9aPmjSZ", userId: fbdpsNf4oHiX79vMJ } 

For every request you make to the server, include the loginToken and userId as headers.

You should check this:

Docs: http://github.differential.io/reststop2/

Github: https://github.com/Differential/reststop2

+2

I published a package for writing a REST API in Meteor 0.9.0+ that supports authentication. It is intended to replace RestStop2 (the accepted answer), now that it is deprecated, and has a similar API:

https://github.com/krose72205/meteor-restivus

It was inspired by RestStop2 and built using Iron Router server routing.

UPDATE: I just wanted to include sample code for those who find this. This is the quick-start example for Restivus from the GitHub README:

    Items = new Mongo.Collection 'items'

    if Meteor.isServer
      # API must be configured and built after startup!
      Meteor.startup ->
        # Global API configuration
        Restivus.configure
          useAuth: true
          prettyJson: true

        # Generates: GET, POST, DELETE on /api/items and GET, PUT, DELETE on
        # /api/items/:id for Items collection
        Restivus.addCollection Items

        # Generates: GET, POST on /api/users and GET, DELETE /api/users/:id for
        # Meteor.users collection
        Restivus.addCollection Meteor.users,
          excludedEndpoints: ['deleteAll', 'put']
          routeOptions:
            authRequired: true
          endpoints:
            post:
              authRequired: false
            delete:
              roleRequired: 'admin'

        # Maps to: /api/posts/:id
        Restivus.addRoute 'posts/:id', authRequired: true,
          get: ->
            post = Posts.findOne @urlParams.id
            if post
              status: 'success', data: post
            else
              statusCode: 404
              body: status: 'fail', message: 'Post not found'
          post:
            roleRequired: ['author', 'admin']
            action: ->
              post = Posts.findOne @urlParams.id
              if post
                status: "success", data: post
              else
                statusCode: 400
                body: status: "fail", message: "Unable to add post"
          delete:
            roleRequired: 'admin'
            action: ->
              if Posts.remove @urlParams.id
                status: "success", data: message: "Item removed"
              else
                statusCode: 404
                body: status: "fail", message: "Item not found"

+1

Another option (besides RESTstop2, mentioned in another answer) is the standalone api-password package from Atmosphere, which does exactly what you need: it authenticates REST calls on the server side. It supports Meteor 0.8.2 (with bcrypt).

Server-side example:

    try {
      if (ApiPassword.isPasswordValid(username, password)) {
        console.log('password is valid for this user');
      } else {
        console.log('password is not valid');
      }
    } catch (exc) {
      console.log(exc.message);
      // possible causes: 'User is not found', 'User has no password set'
    }

0

Source: https://habr.com/ru/post/971826/

