Expose an API that can disable automatic resume logins #1891
Comments
Going to try handling this from the server side using the newly merged login hooks. If the other points I raised about
Yeah, login hooks are a good way to go about this. Maybe in the future we will rework the accounts APIs to allow more options around this sort of thing. Hopefully login hooks suffice for now.
[deleted: incorrect comment referring to outdated article https://meteorhacks.com/extending-meteor-accounts/]
@lorensr that's interesting - I don't think that was always the case. Do you know off the top of your head which version of Meteor this started in?
Oops, I'm sorry – article was written a while ago. The repo uses Meteor
I'm not sure it's possible; I just added logic to pull login tokens on certain disconnect/logout events.
I see, thanks. My use case is an OTP link giving restricted access to your account for the duration of your session. I don't want to remove all login tokens (which would log them out of their full-access browsers) – just the one created during restricted login. I guess I can do a
This works as a connection-specific login:

```js
// client
// `userId` is not defined anywhere in this snippet as posted.
Meteor.call('connectionLogin', function (e, r) {
  if (!e)
    Meteor.connection.setUserId(userId)
})

// server
Meteor.methods({
  connectionLogin: function () {
    // Binds the user to this DDP connection only; no resume token is created.
    this.setUserId(userId)
  }
})
```

Are there any downsides to doing it this way, other than having to configure your own rate limiting?
It seems that earlier versions of Meteor had a semi-public API for preventing the resume login from being called automatically: https://github.com/possibilities/meteor-disable-auto-login.

This no longer works, because the global `enableAutoLogin` variable in `accounts-base` is not exposed in any way. However, this is unfortunate because smart packages may want to disable the resume login in certain cases. In particular, I have a package that authenticates users from Amazon Mechanical Turk (https://github.com/HarvardEconCS/turkserver-meteor) where users have short sessions and should not be able to log in to the app afterward. Before, I just didn't store the resume token for users (#1835), but that no longer seems to work, so I'd like to disable the resume login on the client side when the app is loaded with a specific URL/hash fragment.

In general, it seems like `accounts-base` should be refactored to not include functions that are specific to `accounts-password` (https://github.com/meteor/meteor/blob/devel/packages/accounts-base/url_client.js). This would also allow other packages that deal with accounts to disable the resume login in certain cases.

Possibly related: #1815, which would allow handling this issue from the server side.
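One way to handle this from the server side with login hooks, shown as an added example that is not part of the original issue or of Meteor's or turkserver-meteor's code: an `Accounts.validateLoginAttempt` callback that rejects resume-token logins for short-session users. The `shortSession` user field and the sample attempt objects are assumptions made for illustration.

```javascript
// Server-side validator for Meteor's login hooks (added example).
// ASSUMPTION: short-session accounts carry a hypothetical `shortSession: true`
// field on the user document; Meteor does not define this field.

function validateAttempt(attempt) {
  // An earlier validator or the login handler already failed this attempt:
  // keep it failed so the original error is what the client sees.
  if (!attempt.allowed) return false;

  // Automatic reconnect logins arrive with type "resume". Other handlers
  // (password, OAuth, custom) use their own type and are not touched here.
  const isResume = attempt.type === 'resume';
  const isShortSession = Boolean(attempt.user && attempt.user.shortSession === true);

  // Returning a falsy value aborts the login.
  return !(isResume && isShortSession);
}

// Constructed attempt objects, shaped like the argument Meteor passes to the hook.
const SAMPLE_ATTEMPTS = [
  { label: 'short-session resume', type: 'resume', allowed: true, user: { _id: 'u1', shortSession: true } },
  { label: 'regular resume', type: 'resume', allowed: true, user: { _id: 'u2' } },
  { label: 'short-session password', type: 'password', allowed: true, user: { _id: 'u1', shortSession: true } },
  { label: 'already rejected', type: 'resume', allowed: false, user: undefined },
];

// Runs the validator over the samples and returns label -> decision.
function evaluateSamples() {
  const decisions = {};
  for (const attempt of SAMPLE_ATTEMPTS) {
    decisions[attempt.label] = validateAttempt(attempt);
  }
  return decisions;
}

// Register the hook only when running inside a Meteor server.
if (typeof Accounts !== 'undefined' && typeof Accounts.validateLoginAttempt === 'function') {
  Accounts.validateLoginAttempt(validateAttempt);
}
```

Because the check runs on the server, it holds even if a client keeps a stored resume token and replays it on reconnect.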