1

I started this sample project to learn Meteor:

https://github.com/andrewarrow/question-raven/

I'm trying to replicate the features of a popular question/answer site, just to learn Meteor.

Above the login form, I have this in the template:

{{#if invalid }}
<div style="background-color: yellow; padding: 3px 3px 3px 3px;">
login invalid, please try again.
</div>
{{/if}}

And I'm starting my login logic like this:

Template.hello.events = {
  'click #login' : function () {
    var email = $('#email').val();
    var password = $('#password').val();
    if (false) {
      Session.set('user_id', 1);
    } else {
      Session.set('invalid', 1);
    }
  }
};

Then, to make the invalid variable work in the template, I use the following function:

Template.hello.invalid = function () {
  return Session.get('invalid') != null;
};

Is this the right way to do this? Does every variable the template references need to be a function? Do I need to use the session store to record that the login was invalid, so that a function can return true/false?

4

3 Answers

4

You can now use the accounts-base, accounts-ui, and accounts-* (various login services) packages for this. You could use Session to create a reactive notification for a failed login, after calling the loginWith* method and providing a callback that takes an error if something bad happens. Example:

Template.hello.events = {
  'click #login' : function () {
    var email = $('#email').val();
    var password = $('#password').val();
    Meteor.loginWithPassword(email, password, function (err) {
      if (err) Session.set("loginError", true);
    });
  }
};

The new docs explain it pretty well:

http://docs.meteor.com/#meteor_loginwithpassword

answered 2012-12-14T01:38:25.913
0

Short answer - you can't do it (yet). But I'm sure the meteor team is working hard on it, since it's a big hole in the framework at the moment.

The way you're doing it in this example would be insecure in any client-side framework since you're setting the value of a javascript variable to enforce authentication. I can run Session.set('invalid', null); in the chrome console and log myself in.

The canonical way of logging in is to have the server hash the password and compare it to the username/password table in the database, if it's valid create a session token in another database table with an expires datetime, then give the session token to the browser to send you with future requests (usually stored in a cookie). This doesn't work in Meteor because the client has full read/write access to any collection in the database.

You could, potentially, have a completely separate database running that Meteor doesn't know about, and set up meteor functions on the server that access it with node.js code (bypassing meteor Collections altogether). You could pub/sub only the public data from that database to see the data auto-update in your client. It would be really messy, and I'm not even positive it would work - you're much better off not using meteor if you need authentication right now.

A partial solution (and very easy to implement) is to use HTTP authentication. It doesn't work for a user system since nobody can sign up, but it would keep strangers from seeing your code/accessing your database.

answered 2012-04-16T04:10:43.033
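
The server-side flow described in the answer above (hash the password, compare it with the stored record, issue a session token with an expiry, authorise later requests by that token), as an added example in plain Node.js that is not part of the original answer. The in-memory `users` and `sessions` maps and every function name here are assumptions standing in for the database tables the answer mentions.

```javascript
const crypto = require('crypto');

// Constructed in-memory stand-ins for the user and session database tables.
const users = new Map();
const sessions = new Map();
const SESSION_TTL_MS = 30 * 60 * 1000;

// Derive a salted password hash with scrypt (memory-hard KDF in Node's crypto).
function hashPassword(password, salt) {
  return crypto.scryptSync(password, salt, 32);
}

function register(email, password) {
  const salt = crypto.randomBytes(16);
  users.set(email, { salt, hash: hashPassword(password, salt) });
}

// Runs on the server: the client only ever receives a token or null,
// so there is no client-side flag whose value decides authentication.
function login(email, password, now = Date.now()) {
  const user = users.get(email);
  // Hash even for unknown users so both paths do comparable work.
  const salt = user ? user.salt : Buffer.alloc(16);
  const expected = user ? user.hash : Buffer.alloc(32);
  const candidate = hashPassword(password, salt);
  const match = crypto.timingSafeEqual(candidate, expected);
  if (!user || !match) return null;
  const token = crypto.randomBytes(32).toString('hex');
  sessions.set(token, { email, expires: now + SESSION_TTL_MS });
  return token;
}

// Every later request is authorised by looking the token up on the server.
function currentUser(token, now = Date.now()) {
  const session = sessions.get(token);
  if (!session) return null;
  if (session.expires <= now) {
    sessions.delete(token); // expired tokens are removed on first use
    return null;
  }
  return session.email;
}

function logout(token) {
  sessions.delete(token);
}
```

In a browser deployment the token would typically travel in a cookie, as the answer says; the example leaves transport out and shows only the server-side decisions.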
0

If you want additional details of the login error, Meteor actually passes a 'reason' string in the error argument to the callback of Meteor.loginWithPassword. This is how I implement the Meteor.loginWithPassword:

Meteor.loginWithPassword(username, password, function(error) {
  if(error !== undefined){
    setAlert('error', 'Error in processing login. ' + error.reason + '.');
  }
});
answered 2013-01-20T22:06:16.030