meteor / accounts
🚨🚫 [wip/stalled] Project to de-couple the accounts-model. Not the official Meteor "accounts"! 🚫🚨

Home Page: http://github.com/meteor/meteor/issues

accounts's Introduction

🚨 These are not the official "Meteor Accounts" packages 🚨

🚫 This is not the correct place to report issues! 🚫

The official Meteor Accounts packages are stored and officially supported via the main Meteor repository where they can be found in their respective accounts-<service> folders.

If you have an issue with Meteor Accounts, you should make a reproduction and report it to Meteor Issues.

Project Goals

This project was an attempt to decouple Meteor accounts but is not completed and still a work-in-progress (though currently stalled). One of the goals was to decouple the view layer, which has already been done on the main Meteor repository.

accounts's Issues

Verify Email function does not remove tokens for email in a different case (upper or lower)

Let's say a user adds an email to his account as [email protected], then adds the same email as [email protected]. When he gets the second verification email and clicks it, it removes the token records for emails sent to [email protected] but not [email protected].

I think the issue is this line:

https://github.com/meteor/accounts/blob/master/packages/accounts-password/password_server.js#L838

We should instead:

    $pull: {'services.email.verificationTokens': {address: {$regex: new RegExp('^' + Meteor._escapeRegExp(tokenRecord.address) + '$', 'i')}}}});

iOS Cordova sign-in failing due to updated Google security restrictions: "403 - disallowed_useragent"

When trying to sign in to our Meteor Cordova app with the accounts-google package as we did successfully for the last 12 months we now see the following error message:

403 - disallowed_useragent

This user-agent is not permitted to make an OAuth authorization request to Google as it is classified as an embedded user-agent (also known as a web-view). Per our policy, only browser are permitted to make authorization requests to Google. We offer several libraries and samples for native apps to perform authorization request in the browser.

Is there even a way for the accounts package to deal with Google's "new security restrictions", or will we have to look at specific Cordova plugins like this: https://github.com/gbenvenuti/cordova-plugin-google-sign-in-ios ?

loginWithPassword username enumeration vulnerability

The loginWithPassword method can result in error states that reveal whether a given username or email exists in the system.

If a username exists it will return "Incorrect password [403]" if the password provided is incorrect.

I would like to see this configurable.

Git history

The git history of 05ea8b1 is seriously messed up and will be difficult to exploit using the standard git tools in the future. Basically every commit is duplicated a number of times, for example:

5a083e4 Bump package versions for 1.3-beta.16 release. [Ben Newman]
fa9c53f Bump package versions for 1.3-beta.16 release. [Ben Newman]
490eaf7 Bump package versions for 1.3-beta.16 release. [Ben Newman]
bf58dba Bump package versions for 1.3-beta.16 release. [Ben Newman]
098d860 Bump package versions for 1.3-beta.16 release. [Ben Newman]
d2f002e Bump package versions for 1.3-beta.16 release. [Ben Newman]
3320e72 Bump package versions for 1.3-beta.16 release. [Ben Newman]
7eb499e Bump package versions for 1.3-beta.16 release. [Ben Newman]
2a26b93 Bump package versions for 1.3-beta.16 release. [Ben Newman]
bdbb032 Bump package versions for 1.3-beta.16 release. [Ben Newman]
ba8c914 Bump package versions for 1.3-beta.16 release. [Ben Newman]
05ea8b1 Bump package versions for 1.3-beta.16 release. [Ben Newman]
a1eb486 Bump package versions for 1.3-beta.16 release. [Ben Newman]
c6835e0 Bump package versions for 1.3-beta.16 release. [Ben Newman]
f478fef Bump package versions for 1.3-beta.16 release. [Ben Newman]
1a01676 Bump package versions for 1.3-beta.16 release. [Ben Newman]
1a7631a Bump package versions for 1.3-beta.16 release. [Ben Newman]
33a69cc Bump package versions for 1.3-beta.16 release. [Ben Newman]
91f8816 Bump package versions for 1.3-beta.16 release. [Ben Newman]
172ad8f Bump package versions for 1.3-beta.16 release. [Ben Newman]
dbd0cf4 Bump package versions for 1.3-beta.16 release. [Ben Newman]
555f322 Bump package versions for 1.3-beta.16 release. [Ben Newman]
55b7586 Bump package versions for 1.3-beta.16 release. [Ben Newman]

Using git subtree split and git filter-branch I obtained a much better history:

https://github.com/mquandalle/meteor-accounts

(I guess I could have split the tree in a packages/ subdirectory as in this repo, but otherwise the history is way more readable).

Need several Facebook, G+ and Twitter configs

Hello,

I'm building an App Builder and I need to configure the login for Facebook, etc. for several clients (each one with his own app). But this is done in the same application. I made a Social collection and save the appId and secret for each client. I do not think I can use ServiceConfiguration for this... each client will try to log in.
I'm thinking of cloning ServiceConfiguration, adding the "appId" to each config and restoring it with this appId information.

Any help?
Thanks

Meteor.loginWithPassword doesn't respond under IPv6 ROOT_URL.

Hi,
I've been working with angular-meteor and a Meteor backend for my cross-platform mobile project.
The iOS App Store rejected my submission due to the well-known IPv6-only network issue.

I have successfully reproduced the bug on my mac. Here is what I have done:

1. Set up a NAT64/DNS64 local network following this guide from Apple.
2. Start up a Meteor server with this cmd: ROOT_URL="http://2001:2::aab1:e:c6ff:feac:2264:3000" meteor run
3. Change my angular-meteor DDP connection URL using this cmd: window.meteor_runtime_config.DDP_DEFAULT_CONNECTION_URL = 'http://2001:2::aab1:e:c6ff:feac:2264:3000';
4. Run my angular-meteor project using the ionic cmd: ionic serve

After the last 4 steps, I could successfully open my site. The websocket connection seems OK to me; no error log showed up. However, when I came to my login page, the code gets stuck here:

    Meteor.loginWithPassword(username, password, Angular.bind(this, function(err) {
      if (err) {
        console.log('Login error - ', err);
        failure(err);
      } else {
        console.log('Login success');
        o.setSession(username, password);
        success();
      }
    }));

This Meteor.loginWithPassword method never replies.

I'm wondering whether someone who knows this accounts package or Meteor could help me.
My end goal is to make this login work under IPv6.

How to debug OAuth on a device

I am using a library that relies on accounts-oauth and all works fine, except that on an iPhone app (via TestFlight) the popup window doesn't close automatically after the callback/redirect.

See xinranxiao/meteor-accounts-spotify#5

It does work fine in the ios emulator and also with ios-device. I have no idea how to debug this on a deploy via TestFlight. Any tips are much appreciated.

Accounts Facebook iOS simulator "You are not logged in. You are not logged in. Please log in and try again"

After moving from Meteor 1.2.x to 1.3.x Facebook login has stopped working and I get the following error message: "You are not logged in. You are not logged in. Please log in and try again."

I've tried Stack Overflow and the forums only to find others with the same issue for iOS and the simulator alike.

I'm not using any special OAuth requirements, just the package as is and rendered to the template with the login button handlebars call.

Works fine on desktop.

Login button not shown in android app

Hi,
I am trying to develop the todo mobile app in 1.3. When I do so, the login button is not showing in the Android app. However, it's working perfectly in the browser as well as in the emulator.
Any clue/solution for this issue?

Thanks

How to remove accounts-facebook package along with its configuration?

For some reason, when I try to log in using Facebook after configuring it, I get the following error:

Can't Load URL: The domain of this URL isn't included in the app's domains. To be able to load this URL, add all domains and subdomains of your app to the App Domains field in your app settings.

I tried to remove the package and install it again to re-configure it myself, but it seems that the previous configuration is still there somewhere.

How do I remove that configuration completely?

Unexpected logout() behavior in deployed Meteor app

So I cannot reproduce this issue locally, but in our deployed Meteor app, if a user logs in and then immediately scrolls, they get logged out. There is no code that would make this happen, as Meteor.logout() is called only when the user clicks the logout button. Any idea why this might be happening? This is a pretty big concern.

accounts-facebook param is not a valid string

Hi there, this seems to be an issue with version 1.1.0 of accounts-facebook.

Error: Failed to fetch identity from Facebook. failed [400] {"error":{"message":"\"fields\" param is not a valid string","type":"OAuthException","code":2500,"fbtrace_id":"D9N1WOUOvS\/"}}
    at getIdentity (packages/facebook-oauth.js:125:20)
    at Object.handleAuthFromAccessToken (packages/facebook-oauth.js:35:18)
    at Object.handleOauthRequest (packages/facebook-oauth.js:56:19)
    at OAuth._requestHandlers.(anonymous function) (packages/oauth2.js:27:31)
    at middleware (packages/oauth.js:203:5)
    at packages/oauth.js:176:5

Email verification token expiration

I believe not having tokens expire after a certain period of time is a security gap. I found no functionality available to do this even though token objects are stored with a timestamp, so I'd like to suggest having something available as follows:

    // Users can configure the timeout in minutes to expiration, e.g.
    // Accounts.config({verifyEmailTokenExpiration: 60}). It is read from the
    // server-side options only; the expiry must never come from a client
    // argument, since the client could then pass any value it likes.
    var emailTokenTime = Accounts._options.verifyEmailTokenExpiration;

    Meteor.methods({verifyEmail: function (token) {
      var self = this;
      return Accounts._loginMethod(
        self,
        "verifyEmail",
        arguments,
        "password",
        function () {
          let timeNow = new Date();
          check(token, String);
          let ett = emailTokenTime;
          // check if the config is set and, if it is, that it's the appropriate type
          if (!!ett) {
            check(ett, Number);
          }
          var user = Meteor.users.findOne(
            {'services.email.verificationTokens.token': token});
          if (!user)
            throw new Meteor.Error(403, "Verify email link expired");

          var tokenRecord = _.find(user.services.email.verificationTokens,
                                   function (t) {
                                     return t.token == token;
                                   });
          if (!tokenRecord)
            return {
              userId: user._id,
              error: new Meteor.Error(403, "Verify email link expired")
            };

          var emailsRecord = _.find(user.emails, function (e) {
            return e.address == tokenRecord.address;
          });
          if (!emailsRecord)
            return {
              userId: user._id,
              error: new Meteor.Error(403, "Verify email link is for unknown address")
            };
          // if the config is set, run the time check
          if (!!ett) {
            let tokenTime = tokenRecord.when.valueOf();
            let functionTime = timeNow.valueOf();
            let expMinutes = ett * 60000;
            let expired = ((functionTime - tokenTime) > expMinutes);
            // if the difference between token creation and now is greater
            // than the minutes set, pull the record and return an error.
            if (expired) {
              Meteor.users.update(
                {_id: user._id,
                 'emails.address': tokenRecord.address},
                {$pull: {'services.email.verificationTokens': {address: tokenRecord.address}}});

              return {
                userId: user._id,
                error: new Meteor.Error(403, "Verify email link expired")
              };
            }
          }
          // By including the address in the query, we can use 'emails.$' in the
          // modifier to get a reference to the specific object in the emails
          // array. See
          // http://www.mongodb.org/display/DOCS/Updating/#Updating-The%24positionaloperator)
          // http://www.mongodb.org/display/DOCS/Updating#Updating-%24pull
          Meteor.users.update(
            {_id: user._id,
             'emails.address': tokenRecord.address},
            {$set: {'emails.$.verified': true},
             $pull: {'services.email.verificationTokens': {address: tokenRecord.address}}});

          return {userId: user._id};
        }
      );
    }});

My first post, hope it's useful.
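The two token-handling problems raised on this page, the case-insensitive $pull from the first issue and the expiry check proposed just above, come together in this added example. It is not the project's code: a self-contained Node function over a constructed user record whose fields mirror Meteor's emails and services.email.verificationTokens arrays, with an escapeRegExp helper standing in for Meteor._escapeRegExp.

```javascript
// Escape a literal address so it can be anchored inside a RegExp (stands in
// for Meteor._escapeRegExp; assumption, not Meteor's implementation).
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Returns {userId} on success or {error} otherwise, mutating `user` the way
// the $set / $pull modifiers in the issue would. Every token for the same
// address is pulled case-insensitively, and a token older than
// `expirationMinutes` (null = never expire) is treated as expired.
function verifyEmailToken(user, token, { expirationMinutes = null, now = new Date() } = {}) {
  const tokens = user.services.email.verificationTokens;
  const tokenRecord = tokens.find((t) => t.token === token);
  if (!tokenRecord) return { error: "Verify email link expired" };

  // Matches Alice@Example.com, alice@example.com, ... but nothing else.
  const sameAddress = new RegExp("^" + escapeRegExp(tokenRecord.address) + "$", "i");
  const pullTokens = () => {
    user.services.email.verificationTokens = tokens.filter((t) => !sameAddress.test(t.address));
  };

  if (expirationMinutes !== null && now - tokenRecord.when > expirationMinutes * 60000) {
    pullTokens();
    return { error: "Verify email link expired" };
  }
  const emailRecord = user.emails.find((e) => e.address === tokenRecord.address);
  if (!emailRecord) return { error: "Verify email link is for unknown address" };

  emailRecord.verified = true;
  pullTokens();
  return { userId: user._id };
}

// Constructed sample user: the same address added twice in different case,
// each with its own verification token, as described in the first issue.
function sampleUser() {
  const t0 = new Date("2017-01-01T00:00:00Z");
  return {
    _id: "u1",
    emails: [
      { address: "Alice@Example.com", verified: false },
      { address: "alice@example.com", verified: false },
    ],
    services: { email: { verificationTokens: [
      { token: "tok-upper", address: "Alice@Example.com", when: t0 },
      { token: "tok-lower", address: "alice@example.com", when: new Date(t0.getTime() + 60000) },
    ] } },
  };
}
```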

Graph API v2.2 which will reach the end of its 2-year lifetime on 27 March, 2017

Hi guys,

I'm using facebook login in one of my apps (www.fulbacho.net) and a few days back I received the following alert:

fulbacho currently has access to Graph API v2.2 which will reach the end of its 2-year lifetime on 27 March, 2017. To ensure a smooth transition, please migrate all calls to Graph API v2.3 or higher.

To check if your app will be affected by this upgrade you can use the Version Upgrade Tool. This will show you which calls, if any, are affected by this change as well as any replacement calls in newer versions. If you do not see any calls, your app may not be affected by this change.

Based on what I can see, the API version is set in packages/facebook/facebook_client.js

Are there any plans to upgrade to a higher version?

What is supposed to happen on 27 March, 2017?

Thanks!
