Add Meteor.connectWith<Service> for services used by app #2

Open
zimme opened this issue Oct 22, 2015 · 8 comments

Comments

zimme (Contributor) commented Oct 22, 2015

This is to prevent another account from logging in when you want to add a service to the currently logged in account and there is already another Meteor account which has this service.

With Meteor.loginWith<service> that account will be logged in.

splendido (Member) commented

This would somehow require the UI logic to distinguish between the two calls loginWith<service> and connectWith<service> which is something I'd prefer to avoid...

This was achieved, e.g., using Accounts.updateOrCreateUserFromExternalService in splendido:accounts-meld but I'm not pretending that's the best solution!

zimme (Contributor, Author) commented Oct 22, 2015

This could probably be done with an option to Meteor.loginWith<service>.

e.g.

Meteor.loginWithGoogle({..., loginOtherAccount: false, ...});

zimme (Contributor, Author) commented Oct 22, 2015

I don't want to make Meteor.loginWith<service> work different than Meteor.loginWithPassword by default.

brettle commented Oct 24, 2015

Instead of requiring that client code be changed to handle the typical case of not switching users, how about having the server code assume that the user was trying to add a service instead of switch users, and throw a "logout to switch" error to abort the login? To handle the case when a user actually does want to switch, we could add Meteor.switchUserWith<service> methods or pass a loginOtherAccount: true option to Meteor.loginWith<service>, but it would usually be just as easy to have the client code call Meteor.logout and then Meteor.loginWith<service> without any options.

FWIW, the brettle:accounts-logout-to-switch package takes the above approach.

zimme (Contributor, Author) commented Oct 24, 2015

Solid ideas, feels like if we throw logout-to-switch the "ui" package could just Meteor.logout and Meteor.login and we don't have to override more functionality.

splendido (Member) commented

Please consider that changing behaviour of client-side calls using different parameters is not safe, since a malicious user could always make the same call without the correct parameters for the current context.

brettle commented Oct 24, 2015

@zimme, that was exactly my thinking.

@splendido, in all the proposals we've been discussing, security is still enforced on the server. Extra client-side parameters and methods are only used to communicate user intent.

splendido (Member) commented

@brettle I was referring to the above proposal from @zimme

Meteor.loginWithGoogle({..., loginOtherAccount: false, ...});

which is more than fine in this case since the request would be to link another account to the currently logged in user which, in that case, would be the user's intended behaviour.

Other cases could put it the unsafe way.
Just wanted to highlight that changes in the current flows should probably be done on the server side and hence, probably by changing the current Accounts logics, unless we can find some hooks configuration to achieve what we need.
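The server-side policy brettle describes (assume the user is adding a service; refuse with a "logout to switch" error if the external account belongs to someone else; honour an explicit switch intent) and the constraint splendido raises (the client option only communicates intent, the server decides) can be shown as one pure decision function. The code below is an added example written for this thread; it is not code from the issue, from Meteor, or from the brettle:accounts-logout-to-switch or splendido:accounts-meld packages. The names `resolveExternalLogin`, `makeStore`, `LOGOUT_TO_SWITCH` and the in-memory `Map` standing in for the users collection are assumptions, and the `profile` argument is assumed to come from an already-completed OAuth handshake (the function does not verify tokens).

```javascript
// Added example, not from the issue or any Meteor package.
// Error code the server returns when a logged-in user tries to log in via
// a service that is already owned by a different account.
const LOGOUT_TO_SWITCH = 'logout-to-switch';

// Constructed in-memory stand-in for the users collection: two users, each
// with a `services` map keyed by service name.
function makeStore() {
  return new Map([
    ['alice', { _id: 'alice', services: { password: {}, google: { id: 'g-alice' } } }],
    ['bob',   { _id: 'bob',   services: { password: {}, github: { id: 'gh-bob' } } }],
  ]);
}

// Find the user that owns a given external-service account, or null.
function findUserByService(store, service, serviceId) {
  for (const user of store.values()) {
    const record = user.services[service];
    if (record && record.id === serviceId) return user;
  }
  return null;
}

// Server-side decision for an external-service login attempt.
//   store         - users collection (mutated on link/create)
//   currentUserId - user logged in on this connection, or null
//   profile       - { service, id } proven by the OAuth handshake (assumed verified)
//   opts          - client-supplied intent only; it never widens what is allowed
// Returns { action, userId } or throws with error === LOGOUT_TO_SWITCH.
// Invariant: the returned userId is always either the current user, the user
// who owns the account the OAuth flow just proved control of, or a fresh user.
function resolveExternalLogin(store, currentUserId, profile, opts = {}) {
  const { service, id } = profile;
  const owner = findUserByService(store, service, id);
  // A stale session id that no longer resolves is treated as "not logged in".
  const current = currentUserId ? store.get(currentUserId) : null;

  if (!current) {
    // Plain loginWith<Service> behaviour: log in as the owner or create a user.
    if (owner) return { action: 'login', userId: owner._id };
    const fresh = { _id: `user-${store.size + 1}`, services: { [service]: { id } } };
    store.set(fresh._id, fresh);
    return { action: 'create', userId: fresh._id };
  }

  if (!owner) {
    // Nobody owns this external account yet: attach it to the current user.
    current.services[service] = { id };
    return { action: 'link', userId: current._id };
  }

  if (owner._id === current._id) {
    // Re-authenticating with a service already on this account.
    return { action: 'login', userId: current._id };
  }

  // The external account belongs to another user. Switching is safe because
  // the OAuth flow proved control of that account, but only do it when the
  // client explicitly asked; the default is to refuse so a UI can offer
  // "log out, then log in again".
  if (opts.loginOtherAccount === true) return { action: 'switch', userId: owner._id };

  const err = new Error('Log out before logging in as a different user');
  err.error = LOGOUT_TO_SWITCH;
  throw err;
}
```

Note that a client omitting or forging `loginOtherAccount` cannot gain anything: without it the server refuses, with it the server only ever switches to the account whose external identity the OAuth handshake proved, and in no branch is another user's service attached to the current account.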
