
Maintain old behavior of plaintext password handler.

This is for backwards compatibility with old standalone DDP clients
(like the Meteor command line tool). Note that we are not maintaining
back-compat with old standalone DDP clients that implemented SRP.
1 parent 58182f2 commit dd034b3f0b1d67b24613b8f865dc317d67a0bc1c Emily Stark committed Jun 12, 2014
Showing with 24 additions and 5 deletions.
  1. +24 −5 packages/accounts-password/password_server.js
@@ -154,11 +154,30 @@ Accounts.registerLoginHandler("password", function (options) {
throw new Meteor.Error(403, "User has no password set");
if (!user.services.password.bcrypt) {
- // Tell the client to use the SRP upgrade process.
- throw new Meteor.Error(400, "old password format", EJSON.stringify({
- format: 'srp',
- identity: user.services.password.srp.identity
- }));
+ if (typeof options.password === "string") {
+ // The client has presented a plaintext password, and the user is
+ // not upgraded to bcrypt yet. We don't attempt to tell the client
+ // to upgrade to bcrypt, because it might be a standalone DDP
+ // client doesn't know how to do such a thing.
+ var verifier = user.services.password.srp;
+ var newVerifier = SRP.generateVerifier(options.password, {
+ identity: verifier.identity, salt: verifier.salt});
+
+ if (verifier.verifier !== newVerifier.verifier) {
+ return {
+ userId: user._id,
+ error: new Meteor.Error(403, "Incorrect password")
+ };
+ }
+
+ return {userId: user._id};
+ } else {
+ // Tell the client to use the SRP upgrade process.
+ throw new Meteor.Error(400, "old password format", EJSON.stringify({
+ format: 'srp',
+ identity: user.services.password.srp.identity
+ }));
+ }
}
return checkPassword(
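Review bot: The new plaintext branch verifies the password against the stored SRP verifier and then returns `{userId: user._id}` without migrating the account, so a user who always logs in through a legacy DDP client stays on the SRP format indefinitely and the upgrade prompt in the `else` branch is never reached for them. Since the verified plaintext password is in hand at exactly that point, this is the natural place to store the bcrypt hash and unset `services.password.srp` before returning (using whatever bcrypt hashing helper the file already has — none is visible in this hunk), so the next login takes the normal `checkPassword` path and the legacy verifier is retired. Separately, `verifier.verifier !== newVerifier.verifier` is an early-exit string comparison of secret-derived values; a constant-time comparison (for example Node's `crypto.timingSafeEqual` over equal-length Buffers, if that API is available to this runtime) would be the conservative choice, though the practical leak from comparing a modular-exponentiation output is small. The guard that ensures `user.services.password.srp` exists on this path, and the rest of the login handler that encloses the hunk, are outside the hunk.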
