For an app I'm making using Meteor, I have the function to add users on the client app. However, if I just call Accounts.createUser,
it automatically logs in to the new user's account. To get around this I am currently calling a server-side method and just passing the data in the Meteor.call()
below. I am pretty sure that this passes the password as plain text to the server, which is bad.
Is there any way for me to make sure the data is securely sent to the server method without it automatically logging the user in?
Meteor.call('serverCreateUser', username, password, phone, email, admin)
I am pretty sure that this passes the password as plain text to the server which is bad.
Using a standard Meteor method, yes. This is why you should always use https in production!
There is, however, a different approach you can implement. You can actually create a user without providing a password; then nobody can log in with this account. You then send an enrollment email to this user, requiring the user to set an initial password, which is then hashed before being sent over the wire:
import { Meteor } from 'meteor/meteor'
import { Accounts } from 'meteor/accounts-base'

Meteor.methods({
  'serverCreateUser' (username, phone, email) {
    // server should consider based on server-only rules, whether
    // a user will be an admin!
    // no password is passed: the account cannot be logged into until
    // the user sets one through the enrollment link
    const userId = Accounts.createUser({ username, email })
    // set profile fields
    Meteor.users.update(userId, { $set: { phone } })
    // send enrollment mail
    Accounts.sendEnrollmentEmail(userId)
    // return new user id
    return userId
  }
})
When the user sets the initial password on the client, it will use Accounts.resetPassword.
Note that this still requires https, because a hashed password is still not an encrypted password.