I started this example project to learn meteor:
https://github.com/andrewarrow/question-raven/
I’m trying to duplicate a popular question/answer site functionality just to learn meteor.
Above my login form I have this in the template:
{{#if invalid }}
  <div style="background-color: yellow; padding: 3px 3px 3px 3px;">
    login invalid, please try again.
  </div>
{{/if}}
and I’m starting the login logic like this:
Template.hello.events = {
  'click #login' : function () {
    var email = $('#email').val();
    var password = $('#password').val();
    if (false) { // placeholder: real credential check not written yet
      Session.set('user_id', 1);
    } else {
      Session.set('invalid', 1);
    }
  }
};
Then in order for the invalid variable to work in the template I have this function:
Template.hello.invalid = function () {
  return Session.get('invalid') != null;
};
Is this the right way to do this? Does every variable the template references have to be a function? Should I use the Session store to record a login was invalid so a function can return true/false?
Short answer – you can’t do it (yet). But I’m sure the meteor team is working hard on it, since it’s a big hole in the framework at the moment.
The way you’re doing it in this example would be insecure in any client-side framework since you’re setting the value of a javascript variable to enforce authentication. I can run
Session.set('invalid', null);
in the chrome console and log myself in.
The canonical way of logging in is to have the server hash the password and compare it to the username/password table in the database, if it’s valid create a session token in another database table with an expires datetime, then give the session token to the browser to send you with future requests (usually stored in a cookie). This doesn’t work in Meteor because the client has full read/write access to any collection in the database.
You could, potentially, have a completely separate database running that Meteor doesn’t know about, and set up meteor functions on the server that access it with node.js code (bypassing meteor Collections altogether). You could pub/sub only the public data from that database to see the data auto-update in your client. It would be really messy, and I’m not even positive it would work – you’re much better off not using meteor if you need authentication right now.
A partial solution (and very easy to implement) is to use HTTP authentication. It doesn’t work for a user system since nobody can sign up, but it would keep strangers from seeing your code / accessing your database.