
meteor-accounts-passwordless's People

Contributors

acemtp, peernohell, programthis


meteor-accounts-passwordless's Issues

URL Params

Are you up for, or ok with adding an option to allow the user to simply click a link that had the code in it. So they could either click a link, or copy the code over?

Brute-force attacks

First of all thank you for this package, I know some other developers (namely @kentonv from sandstorm) are also interested in a “passwordless” authentication for meteor applications.

Currently it seems that you aren't implementing anything to prevent brute-force attacks. Since the pass-code that is being sent by email has a very low entropy (it's a 4-digit string), brute-forcing it is trivial:

var tries = 0;
(function tryLogin(err, res) {
  if (!err) return; // No error, we are logged in!
  Meteor.loginWithPasswordless({ 
    selector: 'mquandalle',
    code: ('0000' + (tries++).toString()).slice(-4) 
  }, tryLogin);
})('start');

Tested, and it works.

One possibility would be to invalidate the code after n unsuccessful tries. But that basically doesn't solve the problem, because the attacker could just re-generate a new code and try n more times until he is successful. You could probably block the IP, but (1) you'll have false positives (people that are blocked but didn't try to attack you) and (2) some attackers have a lot of IPs (botnet networks, or IPv6 ranges).

One other possibility would be to generate a high-entropy one-time password using, for instance, Random.secret(), which has 256 bits of entropy and makes brute-forcing strategies impossible to work; the drawback here is that if you receive the code on your mobile phone and want to input it on your computer, you have to read and type a complex 43-char string, which is super inconvenient.

React sample and demo

Would be great to have a React sample with this feature and a demo to test it.
Good job on the repo! I'm going to try it.

Error: Unknown email

Hi,

I'm getting an unknown email error when following your instructions.

The email most certainly exists, as I can login with it.

Please help.

Login Forbidden

Hi, I am able to get to the point where the console prints that a user has been created: "I20170711-10:41:29.687(1)? createdAt: Tue Jul 11 2017 10:41:29 GMT+0100 (WAT),
I20170711-10:41:29.689(1)? services: {},
I20170711-10:41:29.690(1)? emails: [ { address: '[email protected]', verified: false } ] }"
after entering the verification code, but I still get a "Login Forbidden" error.

thanks.

Customizing some things

Hey, I am new to Meteor and just don't know the best practices. I am trying to prototype a site we did in Rails, so we already have the structure in place for the collections, and I didn't know if I could customize this package. Examples being changing the name of the collection, and saving more options when creating a user.

Is it best to use your package and somehow add to it, or is it best to just do my own? This probably isn't the best place to ask either, but I have no idea where else to ask it.

Errors while adding packages

Brand new project following the tutorial on ToDo List (https://svelte-tutorial.meteor.com/simple-todos/07-adding-user-accounts.html)

meteor add acemtp:accounts-passwordless
 => Errors while adding packages:

While selecting package versions:
error: Conflict: Constraint [email protected] is not satisfied by email 2.2.0.
Constraints on package "email":
* email@~2.2.0 <- top level
* [email protected] <- acemtp:accounts-passwordless 0.2.3

Conflict: Constraint [email protected] is not satisfied by accounts-base 2.2.0.
Constraints on package "accounts-base":
* accounts-base@~2.2.0 <- top level
* [email protected] <- acemtp:accounts-passwordless 0.2.3
* [email protected] <- service-configuration 1.3.0 <- accounts-base 2.2.0 <- acemtp:accounts-passwordless 0.2.3

Meteor.logout() does not work as expected

I believe I've uncovered a bug.

The logout button works fine in your 'loginPasswordless' template, because the event handler resets some Session vars.

However, calling Meteor.logout() (as it says you can do in the README under 'Workflow') does not work alone, because although there is a Tracker.autorun() watching Meteor.user(), it does not handle the case where user is null and the Session vars need to be reset, as your logout button event handler does:

Session.set('loginPasswordlessMessage', '');
Session.set('loginPasswordlessState', 'loginPasswordlessLogin');

I'm specifically talking about the case where you call Meteor.logout() and then redirect to a login page, for example. Refreshing the page works fine since the default Session var values are the same as above.
