acemtp / meteor-accounts-passwordless
Passwordless for token-based one-time password (OTPW) authentication
License: MIT License
Are you up for, or ok with, adding an option to allow the user to simply click a link that has the code in it? So they could either click a link or copy the code over.
First of all thank you for this package, I know some other developers (namely @kentonv from sandstorm) are also interested in a “passwordless” authentication for meteor applications.
Currently it seems that you aren't implementing anything to prevent brute-force attacks. Since the pass-code that is being sent by email has a very low entropy (it's a 4-digit string), brute-forcing it is trivial:
```javascript
var tries = 0;
(function tryLogin(err, res) {
  if (!err) return; // No error, we are logged in!
  Meteor.loginWithPasswordless({
    selector: 'mquandalle',
    code: ('0000' + (tries++).toString()).slice(-4)
  }, tryLogin);
})('start');
```
Tested, and it works.
One possibility would be to invalidate the code after n unsuccessful tries. But that basically doesn't solve the problem, because the attacker could just re-generate a new code and try n more times until he is successful. You could probably block the IP, but (1) you'll have false positives (people that are blocked but didn't try to attack you) and (2) some attackers have a lot of IPs (botnets, or IPv6 ranges).
One other possibility would be to generate a high-entropy one-time password using for instance Random.secret(), which has 256 bits of entropy and makes brute-forcing strategies impossible to work. The drawback here is that if you receive the code on your mobile phone and want to input it on your computer, you have to read and type a complex 43-character string, which is super inconvenient.
Would be great to have a React sample with this feature and a demo to test it.
Good job on the repo! I'm going to try it.
Hi,
I'm getting an unknown email error when following your instructions.
The email most certainly exists, as I can login with it.
Please help.
Hi, I am able to get to the point where the console prints that a user has been created:
```
I20170711-10:41:29.687(1)? createdAt: Tue Jul 11 2017 10:41:29 GMT+0100 (WAT),
I20170711-10:41:29.689(1)? services: {},
I20170711-10:41:29.690(1)? emails: [ { address: '[email protected]', verified: false } ] }
```
after entering the verification code, but I still get a "Login Forbidden" error.
Thanks.
Hey I am new to meteor and just didn't know best practices. I am trying to prototype a site we did in Rails, so we already have the structure in place for the collections, and didn't know if I could customize this package. Examples being changing the name of the collection, and saving more options when creating a user.
Is it best to use your package and somehow add to it, or is it best to just do my own? This probably isn't the best place to ask either, but I have no idea where else to ask it.
Brand new project following the tutorial on ToDo List (https://svelte-tutorial.meteor.com/simple-todos/07-adding-user-accounts.html)
```
meteor add acemtp:accounts-passwordless
=> Errors while adding packages:
While selecting package versions:
error: Conflict: Constraint [email protected] is not satisfied by email 2.2.0.
Constraints on package "email":
* email@~2.2.0 <- top level
* [email protected] <- acemtp:accounts-passwordless 0.2.3
Conflict: Constraint [email protected] is not satisfied by accounts-base 2.2.0.
Constraints on package "accounts-base":
* accounts-base@~2.2.0 <- top level
* [email protected] <- acemtp:accounts-passwordless 0.2.3
* [email protected] <- service-configuration 1.3.0 <- accounts-base 2.2.0 <- acemtp:accounts-passwordless 0.2.3
```
I believe I've uncovered a bug.
The logout button works fine in your 'loginPasswordless' template, because the event handler resets some Session vars.
However, calling Meteor.logout() (as it says you can do in the README under 'Workflow') does not work alone, because although there is a Tracker.autorun() watching Meteor.user(), it does not handle the case where user is null and the Session vars need to be reset, as your logout button event handler does:
```javascript
Session.set('loginPasswordlessMessage', '');
Session.set('loginPasswordlessState', 'loginPasswordlessLogin');
```
I'm specifically talking about the case where you call Meteor.logout() and then redirect to a login page, for example. Refreshing the page works fine since the default Session var values are the same as above.