
Meteor Accounts-Entry how to prevent an extraSignupField from being stored to the database?


I'm using Meteor's account-entry package to handle the signin-signup action of my web app. To add a Confirm Password field to the sign up form, this is what I've done (in CoffeeScript):

AccountsEntry.config
      logo: '/logo.png'
      homeRoute: 'main'
      dashboardRoute: 'main'
      profileRoute: '/profile'
      extraSignUpFields: [
        field: "confirmPassword"
        label: "Confirm Password"
        type: "password"
      ,
        field: "name"
        label: "Full Name"
        placeholder: "Full Name"
        type: "text"
        required: true
      ,
        field: "position"
        label: "Position"
        placeholder: "Developer"
        type: "text"
      ]

The problem with this approach is that it also saves the confirmPassword field to the database, so that when someone accesses the database > users collection, they can clearly see every user's password in the confirmPassword field - which is very bad.

I don't know how to fix this problem yet. I think there may be an attribute which decides whether a specific field should be stored in the database or not, but I haven't figured it out yet! (The accounts-entry package documentation seems not detailed enough to me, I have to say :( )

Can you guys help me with this problem? Thanks so much in advance!


Solution

  • The lack of a password confirmation field is a known issue with accounts-entry.

    On the other hand, the publish function for the users collection should only publish the strictly necessary fields. By default, only username, emails and profile are published to the client.

    Anyway, you should not store the confirmPassword in the database to begin with. To do that, hook into Accounts.onCreateUser and delete that field before returning the user object:

    Accounts.onCreateUser(function (options, user) {
      delete user.confirmPassword;  // or: delete user.profile.confirmPassword;
      return user;
    });
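To show the stripping step as something you can exercise outside a running Meteor app, here is an added example (not code from the answer above or from the accounts-entry package): the hook body is written as a plain function that takes the same `(options, user)` arguments Accounts.onCreateUser passes, removes the sensitive extra field wherever it landed, and is paired with a small checker that confirms no such key survives anywhere in the document. It goes slightly beyond the answer by driving the deletion from a list, so adding another secret-bearing extra field later is a one-line change. The sample `options` and `user` objects are constructed for the example; whether accounts-entry places extra fields at the top level or under `profile` is treated here as an assumption, and both locations are handled.

```javascript
// Added example, not part of the original answer or the accounts-entry package.
// In a Meteor app this function would be registered with:
//   Accounts.onCreateUser(sanitizeNewUser);

// Extra sign-up fields that must never be persisted. Extend as needed.
const SECRET_FIELDS = ['confirmPassword'];

// Mirrors the onCreateUser contract: receive (options, user), return the user
// document that will be inserted. Assumption: extra fields may be copied to
// the top-level user object or to user.profile, so both are cleaned.
function sanitizeNewUser(options, user) {
  // Meteor's default onCreateUser behaviour copies options.profile onto the user;
  // a custom hook has to do that itself or the profile is lost.
  if (options.profile && !user.profile) {
    user.profile = options.profile;
  }
  for (const field of SECRET_FIELDS) {
    delete user[field];
    if (user.profile && typeof user.profile === 'object') {
      delete user.profile[field];
    }
  }
  return user;
}

// Defensive check: walk the whole document and report whether any key named
// in SECRET_FIELDS is still present at any depth.
function hasSecretField(doc) {
  if (doc === null || typeof doc !== 'object') {
    return false;
  }
  return Object.keys(doc).some(
    (key) => SECRET_FIELDS.includes(key) || hasSecretField(doc[key])
  );
}

// Constructed sample input resembling a sign-up with the three extra fields
// from the question, before the hook runs. The bcrypt value is a placeholder.
function sampleOptions() {
  return {
    username: 'alice',
    profile: {
      name: 'Alice Example',
      position: 'Developer',
      confirmPassword: 'constructed-secret',
    },
  };
}

function sampleUser() {
  return {
    username: 'alice',
    confirmPassword: 'constructed-secret',
    services: { password: { bcrypt: '<placeholder-hash>' } },
  };
}

// Run the hook over the sample and return the cleaned document.
function demo() {
  const cleaned = sanitizeNewUser(sampleOptions(), sampleUser());
  console.log(JSON.stringify(cleaned, null, 2));
  return cleaned;
}

if (typeof require !== 'undefined' && require.main === module) {
  demo();
}
```

Running `demo()` prints the user document with `name` and `position` kept under `profile` and no `confirmPassword` key anywhere; `hasSecretField` is the kind of check worth keeping in the server-side test suite so a future extra field cannot quietly reintroduce the leak.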