@kahmali, I don't believe there is currently a way to specify a callback for the loginWithPassword to provide some login attempt validation.
I'm currently building an application where I need to deny login to unverified email addresses. This is easy to do on the server with Accounts.validateLoginAttempt, but loginWithPassword bypasses this function.
This also presents a substantial vulnerability for a developer who assumes Accounts.validateLoginAttempt would be called. A malicious user could create an account under another user's email address, not verify it, and log in through an API request as that user.
What are your thoughts on this? I realize I could easily overwrite the default login and logout routes but perhaps some configuration to allow login attempt validation would be a useful addition.
Thanks,
Graham
So sorry I missed this! This should actually be a really simple update. As you've pointed out, there's definitely a security flaw, so we should get that taken care of asap.
It's simple enough to provide a config option for the user to define a custom validation function (during login we'd pass the authenticating Meteor.user doc as an arg to the function), and you just return true to approve the validation. However, I think requiring a user be verified to authenticate is common enough that we could provide a config option specifically for that as well.
I'll try to have this ready by the weekend. Let me know if you need something different from what I described above. Sorry again for the delayed response. And thanks so much for reporting this issue!
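The gap described in the report and the validator the maintainer proposes, as an added example that is not code from this thread or from the package it concerns: one email-verification policy shared by Meteor's Accounts.validateLoginAttempt hook and a REST-route validator that receives the Meteor.user doc and returns true to approve. It assumes Meteor's user-doc shape ({ emails: [{ address, verified }] }) and that the login method's first argument carries the address as user.email; the sample docs are constructed.

```javascript
// Case-insensitive lookup of one address in the user's emails array.
function findEmail(user, address) {
  const wanted = String(address).toLowerCase();
  return (user.emails || []).find(e => e.address.toLowerCase() === wanted);
}

// True only when the account can prove ownership of an email address.
// If the address used for this attempt is known, that exact entry must be
// verified; otherwise at least one verified address is required. Accounts
// without an emails array (username-only) fail closed.
function hasVerifiedEmail(user, address) {
  if (!user || !Array.isArray(user.emails) || user.emails.length === 0) return false;
  if (address !== undefined) {
    const entry = findEmail(user, address);
    return Boolean(entry && entry.verified === true);
  }
  return user.emails.some(e => e.verified === true);
}

// Validator in the shape proposed in the thread: receives the authenticating
// Meteor.user doc, returns true to approve the REST login.
function restLoginValidator(user) {
  return hasVerifiedEmail(user);
}

// Same policy for the DDP path. Assumed attempt-object shape: `allowed`
// (result of earlier checks), `user`, and `methodArguments` from the login call.
function validateLoginAttempt(attempt) {
  if (!attempt.allowed || !attempt.user) return false; // keep earlier rejections
  const args = attempt.methodArguments && attempt.methodArguments[0];
  const address = args && args.user && args.user.email; // assumed { user: { email } } form
  return hasVerifiedEmail(attempt.user, address);
}

// Register on the server when running inside Meteor; a no-op elsewhere.
if (typeof Accounts !== 'undefined' && Accounts.validateLoginAttempt) {
  Accounts.validateLoginAttempt(validateLoginAttempt);
}

// Constructed sample user docs (not real accounts).
const verifiedUser = { _id: 'u1', emails: [{ address: 'Alice@example.com', verified: true }] };
const unverifiedUser = { _id: 'u2', emails: [{ address: 'victim@example.com', verified: false }] };
const usernameOnlyUser = { _id: 'u3', username: 'svc' };
```

Both login paths now refuse the account created under someone else's address until that address has been verified, and an account with no email entries is refused rather than silently passed.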