Requesting less user info with meteor's standard accounts-xxx packages - meteor

When using the meteor accounts-google package, or accounts-github and others, meteor asks for email and other data, for example:
Clicking the highlighted info icon shows:
I don't need any of that info for my app. In fact I don't even need email.
Is it possible to use those account services solely to give the user an account on my service and not request access to any of their info? At most I want their username if they have one they'd prefer but otherwise I don't need email or anything else.

Services should accept required permissions configuration.
Some services may have required permissions that are added regardless of the ones specified.
For example, when using Google, the profile permission, which is the basic login scope, is required in order to get the user id.
Directly calling the login service package:
The API should be:
Meteor.loginWith<ExternalService>([options], [callback])
For example,
Meteor.loginWithGoogle({
  requestPermissions: ["email"],
  userEmail: 'foo@bar.me',
  ...
});
Using accounts-ui:
Accounts.ui.config({
  requestPermissions: {
    google: [
      "email",
      "given_name",
      "family_name"
    ],
    github: [...]
  }
});
The available fields are available on the server as Google.whitelistedFields.
You can take a look at the source of the MDG packages for more information.
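Even with the smallest permission set, the provider still returns profile fields, which accounts-base stores under services.&lt;provider&gt;. As an added example (not from the answer above or from the Meteor packages), this server-side Accounts.onCreateUser hook keeps only the provider id and the token material the login flow needs, plus a username the user chose; the list of kept fields and the sample user document are assumptions.

```javascript
// Added example, not from the thread or the Meteor packages. Even with the
// smallest scope set, the OAuth provider still returns profile fields, which
// accounts-base stores under services.<provider>. This hook keeps only what the
// login flow needs to recognise the user again, plus an optional username.
// ASSUMPTION: the kept field names (id, accessToken, expiresAt, idToken, scope)
// and the shape of the sample user document are illustrative.

const KEEP_FIELDS = new Set(['id', 'accessToken', 'expiresAt', 'idToken', 'scope']);
// Built-in services that are not OAuth providers; leave them untouched.
const PASS_THROUGH = new Set(['password', 'resume', 'email']);

// Pure function so it can be unit-tested outside Meteor.
function minimizeUser(options, user) {
  const out = { ...user, services: {} };
  for (const [name, data] of Object.entries(user.services || {})) {
    if (PASS_THROUGH.has(name) || !data || typeof data !== 'object') {
      out.services[name] = data;
      continue;
    }
    const kept = {};
    for (const key of Object.keys(data)) {
      if (KEEP_FIELDS.has(key)) kept[key] = data[key];
    }
    out.services[name] = kept;
  }
  // Do not copy options.profile (the provider's display name, picture, ...)
  // into the user; keep only a username the user supplied themselves.
  delete out.profile;
  const username = options && options.username;
  if (typeof username === 'string' && username.trim() !== '') {
    out.username = username.trim();
  }
  return out;
}

// Server-side registration; skipped when this file runs outside Meteor.
if (typeof Meteor !== 'undefined' && Meteor.isServer && typeof Accounts !== 'undefined') {
  Accounts.onCreateUser(minimizeUser);
}
```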

Meteor User Account Settings email validation

I am using Meteor user accounts api to create user accounts.
https://github.com/meteor-useraccounts/core/blob/master/Guide.md
How do I add an email restriction to a particular domain, such as only @mydomain.org, so that only users with that domain are allowed to log into the system, while users with other domains such as @gmail.com are not able to log in?
There is this (unfortunately) undocumented Accounts.config option which is part of accounts-base. It allows you to set an email domain restriction for account creation. This way your app won't allow any accounts to be created that are not part of this domain:
Put the following in server and client startup code to configure the accounts package:
Accounts.config({
  restrictCreationByEmailDomain: 'mydomain.com'
})
The source documentation says on this particular option:
@param {String | Function} options.restrictCreationByEmailDomain If set to a string, only allows new users if the domain part of their email address matches the string. If set to a function, only allows new users if the function returns true. The function is passed the full email address of the proposed new user. Works with password-based sign-in and external services that expose email addresses (Google, Facebook, GitHub). All existing users still can log in after enabling this option. Example: Accounts.config({ restrictCreationByEmailDomain: 'school.edu' }).
Source code of the Accounts.config method: https://github.com/meteor/meteor/blob/devel/packages/accounts-base/accounts_common.js#L170
I would recommend using the accounts-password package to manage user creation and authentication.
With the Accounts.createUser method you can easily create a user where you can apply any kind of check. In your case, add a regex check to make sure the email address comes from your domain before calling the Accounts.createUser method.
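Both answers describe the same check: the function form of restrictCreationByEmailDomain quoted above, and the regex the second answer suggests running before Accounts.createUser. As an added example (not from either answer), this is a domain check that handles the cases a bare /mydomain.com$/ pattern gets wrong (notmydomain.com, mixed case, a missing address, two @ signs) plus an optional subdomain allowance; 'mydomain.com' is a stand-in for the asker's real domain.

```javascript
// Added example, not from the thread. Uses the function form of
// restrictCreationByEmailDomain: Meteor passes the full proposed email address
// and expects true/false. A bare /mydomain\.com$/ accepts "bob@notmydomain.com"
// and rejects "Alice@MyDomain.COM"; this check anchors on the whole domain.
// ASSUMPTION: 'mydomain.com' stands in for the asker's real domain.

const ALLOWED_DOMAINS = ['mydomain.com'];

// Returns the lower-cased domain part, or null if the value is not a
// plausible single address (exactly one '@', non-empty local and domain parts).
function emailDomain(email) {
  if (typeof email !== 'string') return null;
  const trimmed = email.trim();
  const at = trimmed.lastIndexOf('@');
  if (at < 1 || at !== trimmed.indexOf('@') || at === trimmed.length - 1) return null;
  return trimmed.slice(at + 1).toLowerCase();
}

// allowSubdomains: also accept alice@eng.mydomain.com, never mydomain.com.evil.example
function isAllowedEmail(email, allowed = ALLOWED_DOMAINS, allowSubdomains = false) {
  const domain = emailDomain(email);
  if (!domain) return false; // no usable email (e.g. scope not granted): reject
  return allowed.some((d) => {
    const want = d.toLowerCase();
    return domain === want || (allowSubdomains && domain.endsWith('.' + want));
  });
}

// Server-side wiring, where the restriction is enforced; skipped outside Meteor.
if (typeof Meteor !== 'undefined' && Meteor.isServer && typeof Accounts !== 'undefined') {
  Accounts.config({
    restrictCreationByEmailDomain: (email) => isAllowedEmail(email),
  });
}
```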

auth0 is not returning roles information

I am using auth0 for authentication. I want to fetch all users including their roles. I generated a token in auth0 and when I try to execute the request in Postman or the Fiddler tool, sometimes it gives roles and sometimes not. The same thing is happening in the application also.
If I add it manually in app metadata in the role property as below, then the information is coming:
{
  "authorization": {
    "groups": [
      "Admins",
      "Users"
    ],
    "roles": [
      "Admin"
    ],
    "permissions": []
  }
}
But I feel that if I change it in the authorization tab, it should take effect here also.
Below is my code:
var apiUser = new ManagementApiClient("<<Token>>", new Uri("https://<<Domain>>/api/v2"));
IPagedList<User> allUsers = await apiUser.Users.GetAllAsync();
Do I need to clear the cache in auth0? If yes, then how?
Based on the information you provided it seems that you're using the Auth0 Authorization extension to configure user role information.
If this is the case you should notice that the extension logic is run at login time by the means of a rule. When you have that extension installed you should also have a companion rule; in my account the rule is named auth0-authz and should be the same for your case assuming version 2.0 of the extension.
The impact of this is that the roles are surfaced at the user level at login time, so any changes to the configured roles will be seen the next time the user logs in.
Note: Since this logic is part of a rule it will only be executed in the context of a login. If users are added to or removed from a group this will only be reflected within Auth0 after this user logs in again (eg: in the user's app_metadata or when calling the /userinfo endpoint).
You're querying the users directly through Auth0 Management API which may lead to the situation where the roles currently stored at the user profile are not up-to-date. If you are seeing stale information then this might be the cause.
On the other hand, if your problem is not exactly this one, please provide further information and, if possible, steps to reproduce. For example, does the role information show for one user but not the other, or does it show for user A in one response, but then if you make another request the response does not include role information for that same user A?
I was not using the authorisation extension, but rather the standard role. So I've had to create the below rule.
More info here: http://isbyr.com/return-user-roles-in-auth0/
function (user, context, callback) {
  // Get the user roles from the Authorization context
  const assignedRoles = (context.authorization || {}).roles;
  // Update the user object.
  user.rolez = assignedRoles;
  callback(null, user, context);
}

Sign into meteor app with linkedin?

I have completed writing the login flow for a user that clicks on a linkedin button on the homepage. It takes them to the linkedin endpoint. The user signs into their linkedin account, and my app receives the access_token, which I use to get the user's linkedin profile details, such as their full name and email address.
Now, how can I use this linkedin data, i.e., the users unique linkedin access_token, email address in order for the user to be 'logged' into the meteor app?
I do not want to use another package, I want to build this myself. I would like help to understand what I can do from this point please.
Is this what I need to set up once I have the access_token?
Template.home.onRendered(function() {
})
Template.home.events({
  'click #li-logo': function() {
    Meteor.loginWithLinkedin();
  }
})
I'm afraid implementing your own login system from scratch in Meteor is going to be too time consuming for you. Let me point out that one of the main reasons to use Meteor is to take advantage of the ease of app development it provides and the vast collection of available packages.
Anyway, if you really want to learn the inner workings of the login system and how a properly coded linkedin sign-in should work, the best possible thing to do is to look at the source code of the accounts-base and meteor-accounts-linkedin packages.
Configure your linkedin package this way (place this in a server-only block or file):
Meteor.startup(function() {
  ServiceConfiguration.configurations.update(
    { "service": "linkedin" },
    {
      $set: {
        "clientId": "<your client id>",
        "secret": "<your secret>"
      }
    },
    { upsert: true }
  );
});
HTH!

How to use allow deny rules with userId when you have implemented your own user login/logout?

I've implemented my own user login and logout system by just setting a session variable and checking it in my main template so I will display a login screen if not logged in and display the app if I am logged in (this is typically how I did things with PHP).
I did this instead of using any of the built in user account systems because I needed to implement my own login password check to a legacy web service.
Because of this, it seems I'm running into trouble now because things like allow/deny rules for my file uploads don't seem to have the userId:
download: function (userId, doc) {
  console.log("userId ", userId);
  return true;
}
This prints: userId null
So, I'm unable to implement any logic here based upon whether the user is logged in or not.
So, is there a way for me to tell the meteor accounts system what my userId is when I perform my custom login? --- which I presume would then make it available here in the download allow/deny rule?
EDIT: I've had to implement a custom login handler with Accounts.registerLoginHandler. Doing this caused the meteor system to set the userId in the built in accounts system, which allowed it to be passed into the allow/deny functions... but my question still stands. I would like to know if there is a way to alternately provide some information (say, the values of a session variable) to these allow/deny rules instead of being limited to using the built in accounts system.

can I prevent access to html pages with meteor auth?

I read in the documentation that meteor supports user authorization at the database level.
How can I use it to prevent users from accessing HTML pages when not logged on?
Is it possible?
thanks
jean-louis
Yes, you can. Meteor 0.5.0 comes with a revised and fully loaded Accounts API. One way to enable access to this set of APIs in your app is to install the accounts-password package.
meteor add accounts-password
Manually create users using Accounts.createUser and log users in using Meteor.loginWithPassword (or one of many external authorization services available). Or just use the accounts-ui feature to handle the authentication stuff automatically using a built-in login UI.
Once the authentication part has been implemented, restrict access to your webpage (or parts of it) using a condition like:
if (Meteor.user()) {
  // do stuff
}
else {
  $('body').html('<div class="error">You must be logged in to use this application!</div>');
}
