
ddp-login


ddp-login - npm Package Compare versions

Comparing version 1.0.5 to 1.0.6

3

HISTORY.md

@@ -0,1 +1,4 @@

#### v1.0.6
* Updated dependencies
#### v1.0.5

@@ -2,0 +5,0 @@ * Updated dependencies

30

lib/index.js

@@ -1,5 +0,5 @@

// Generated by CoffeeScript 1.8.0
// Generated by CoffeeScript 1.9.2
(function() {
var DDP, async, attemptLogin, crypto, isEmail, login, loginWithAccount, loginWithEmail, loginWithToken, loginWithUsername, plaintextToDigest, read, tryOneAccount, tryOneEmail, tryOneToken, tryOneUser, userPrompt,
__slice = [].slice;
slice = [].slice;

@@ -15,4 +15,4 @@ read = require('read');

login = function() {
var cb, ddp, method, options, _i, _ref;
ddp = arguments[0], options = 3 <= arguments.length ? __slice.call(arguments, 1, _i = arguments.length - 1) : (_i = 1, []), cb = arguments[_i++];
var cb, ddp, i, method, options, ref;
ddp = arguments[0], options = 3 <= arguments.length ? slice.call(arguments, 1, i = arguments.length - 1) : (i = 1, []), cb = arguments[i++];
if (typeof cb !== 'function') {

@@ -24,3 +24,3 @@ throw new Error('Valid callback must be provided to ddp-login');

}
options = (_ref = options[0]) != null ? _ref : {};
options = (ref = options[0]) != null ? ref : {};
if (options.env == null) {

@@ -117,3 +117,3 @@ options.env = 'METEOR_TOKEN';

}
srpDigest = plaintextToDigest("" + details.identity + ":" + pass);
srpDigest = plaintextToDigest(details.identity + ":" + pass);
return ddp.call('login', [

@@ -148,4 +148,4 @@ {

loginWithUsername = function() {
var cb, ddp, options, password, username, _i;
ddp = arguments[0], username = arguments[1], password = arguments[2], options = 5 <= arguments.length ? __slice.call(arguments, 3, _i = arguments.length - 1) : (_i = 3, []), cb = arguments[_i++];
var cb, ddp, i, options, password, username;
ddp = arguments[0], username = arguments[1], password = arguments[2], options = 5 <= arguments.length ? slice.call(arguments, 3, i = arguments.length - 1) : (i = 3, []), cb = arguments[i++];
return attemptLogin(ddp, {

@@ -157,4 +157,4 @@ username: username

loginWithEmail = function() {
var cb, ddp, email, options, password, _i;
ddp = arguments[0], email = arguments[1], password = arguments[2], options = 5 <= arguments.length ? __slice.call(arguments, 3, _i = arguments.length - 1) : (_i = 3, []), cb = arguments[_i++];
var cb, ddp, email, i, options, password;
ddp = arguments[0], email = arguments[1], password = arguments[2], options = 5 <= arguments.length ? slice.call(arguments, 3, i = arguments.length - 1) : (i = 3, []), cb = arguments[i++];
return attemptLogin(ddp, {

@@ -166,4 +166,4 @@ email: email

loginWithAccount = function() {
var account, cb, ddp, options, password, _i;
ddp = arguments[0], account = arguments[1], password = arguments[2], options = 5 <= arguments.length ? __slice.call(arguments, 3, _i = arguments.length - 1) : (_i = 3, []), cb = arguments[_i++];
var account, cb, ddp, i, options, password;
ddp = arguments[0], account = arguments[1], password = arguments[2], options = 5 <= arguments.length ? slice.call(arguments, 3, i = arguments.length - 1) : (i = 3, []), cb = arguments[i++];
if (isEmail(account)) {

@@ -212,3 +212,3 @@ return loginWithEmail(ddp, account, password, options[0], function(err, tok) {

return async.series(readPrompts, function(err, res) {
var result, _ref, _ref1;
var ref, ref1, result;
if (err) {

@@ -218,4 +218,4 @@ cb(err);

result = {};
result.account = ((_ref = res.account) != null ? _ref[0] : void 0) || options.account;
result.pass = ((_ref1 = res.pass) != null ? _ref1[0] : void 0) || options.pass;
result.account = ((ref = res.account) != null ? ref[0] : void 0) || options.account;
result.pass = ((ref1 = res.pass) != null ? ref1[0] : void 0) || options.pass;
return cb(null, result);

@@ -222,0 +222,0 @@ });

{
"name": "ddp-login",
"version": "1.0.5",
"version": "1.0.6",
"description": "Login to a Meteor server via DDP and obtain an authentication token",
"main": "lib/index.js",
"dependencies": {
"ddp": "~0.9.1",
"read": "~1.0.5",
"async": "~0.9.0",
"yargs": "~1.3.3"
"ddp": "^0.11.0",
"read": "^1.0.5",
"async": "^0.9.0",
"yargs": "^3.9.0"
},
"devDependencies": {
"coffee-script": "~1.8.0",
"mocha": "~1.21.4",
"chai": "~1.10.0",
"rewire": "~2.1.0",
"sinon": "~1.10.3"
"coffee-script": "^1.9.2",
"mocha": "^2.2.4",
"chai": "^2.3.0",
"rewire": "^2.3.3",
"sinon": "^1.14.1"
},

@@ -37,3 +37,3 @@ "scripts": {

"engine": {
"node": ">=0.10.28"
"node": ">=0.10.36"
},

@@ -40,0 +40,0 @@ "readmeFilename": "README.md",
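Review bot: The dependency ranges in this section move from tilde to caret, so `"read": "^1.0.5"` and `"yargs": "^3.9.0"` now accept any later minor release rather than patch releases only, and `ddp` and `yargs` also jump to new release lines (`~0.9.1` to `^0.11.0`, `~1.3.3` to `^3.9.0`). The library's own diff shows it requiring `read` for the credential prompt and calling `ddp.call('login', …)`, so a wider range means more unreviewed upstream code can be resolved at install time on the path that handles passwords and tokens; no lockfile or shrinkwrap appears in this comparison, so installs are presumably not pinned. For the `0.x` entries (`ddp`, `async`) the caret behaves like the tilde, so the practical widening is on `read` and `yargs`. Separately, the `"engine"` key near the end of the section is not the `engines` field that npm reads, so the `>=0.10.36` floor is probably never checked; I would write it as `"engines": { "node": ">=0.10.36" }`.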

ddp-login
====================================
ddp-login is a node.js npm package providing a simple way to authenticate with a [Meteor](https://www.meteor.com/) server programmatically (as opposed to from within a browser) using the [DDP protocol](https://github.com/meteor/meteor/blob/master/packages/livedata/DDP.md). It provides both a Javascript API and a command-line tool that can be used from within your favorite shell.
ddp-login is a node.js npm package providing a simple way to authenticate with a [Meteor](https://www.meteor.com/) server programmatically (as opposed to from within a browser) using the [DDP protocol](https://github.com/meteor/meteor/blob/devel/packages/ddp/DDP.md). It provides both a Javascript API and a command-line tool that can be used from within your favorite shell.
ddp-login is built on top of the [ddp](https://www.npmjs.org/package/ddp) npm package and makes it easy to prompt a user for login credentials (based on e-mail or username), authenticate a DDP connection and then securely cache the resulting authentication token in the process environment. If a valid token is already present in the environment, then there is no need to prompt the user and reauthentication occurs transparently. Alternatively, the Javascript API may provide account credentials to avoid unwanted user prompts.
**NOTE:** As of Meteor v0.8.2, the Meteor account database and authentication methods have [changed significantly](https://github.com/meteor/meteor/blob/master/History.md#meteor-accounts). These changes have brought some potential compatibility issues:
* As of ddp-login v1.0.0, authenticating with a Meteor server older than v0.8.2 requires the `plaintext` option.
* For servers v0.8.2 or newer, accounts created on older versions of Meteor will be automatically migrated to the new "BCrypt" account type on first login (either using the Meteor Client or this package.)
* As long as you are only using pre-v0.8.2 servers, you may want to continue to use ddp-login v0.1.x, (available from npm using `ddp-login@SRP`) which will continue to fully support the old account types and SRP based login protocol.
## Security
The `plaintext` fallback is insecure on the wire (when not using SSL encryption), which is why it is not enabled by default. The new default remote login scheme for Meteor transmits the [SHA256 digest](https://en.wikipedia.org/wiki/SHA256) of the password, which is somewhat more secure for strong passwords, but which is still vulnerable to replay attacks. For these reasons, it is strongly advised that you use SSL encrypted DDP connections for all authentication requests that traverse untrusted networks.
The current secure remote login scheme for Meteor transmits the [SHA256 digest](https://en.wikipedia.org/wiki/SHA256) of the user's password, which is somewhat more secure than plaintext for strong passwords, however this approach is still vulnerable to replay attacks. For these reasons, it is strongly advised that you use SSL encrypted DDP connections for all authentication requests that traverse untrusted networks.

@@ -27,6 +24,7 @@ ## Installation

# To install ddp-login for the old SRP style authentication:
# To install ddp-login for the old pre-0.8.2 Meteor SRP style authentication:
npm install ddp-login@SRP
# or
npm -g install ddp-login@SRP
# See note at end of this README for more info!
```

@@ -46,2 +44,22 @@

### From the command shell
Here's how to securely set an environment variable with an authentication token that can be used by other programs to avoid a user having to repeatedly enter credentials at the shell.
```bash
# Create an environment variable containing a valid authToken,
# prompting for account credentials only if necessary.
export METEOR_TOKEN=$(ddp-login --host 127.0.0.1 \
--port 3000 \
--env METEOR_TOKEN \
--method account \
--retry 5)
## Get full command line help for all options:
ddp-login --help
```
The above will only work if `ddp-login` was installed with the `npm -g` option, or if it is run directly using node.js.
Note: for security reasons, there is no way to pass the account credentials on the command line, as such credentials would be visible to all users of a machine in the process status.
### In node.js

@@ -125,20 +143,9 @@

### From the command shell
## Note about compatibility with pre-0.8.2 versions of Meteor
Here's how to securely set an environment variable with an authentication token that can be used by other programs to avoid a user having to repeatedly enter credentials at the shell.
As of Meteor v0.8.2, the Meteor account database and authentication methods have [changed significantly](https://github.com/meteor/meteor/blob/master/History.md#meteor-accounts-3). These changes have brought some potential compatibility issues:
* As of ddp-login v1.0.0, authenticating with a Meteor server older than v0.8.2 requires the `plaintext` option.
* For servers v0.8.2 or newer, accounts created on older versions of Meteor will be automatically migrated to the new "BCrypt" account type on first login (either using the Meteor Client or this package.)
* As long as you are only using pre-v0.8.2 servers, you may want to continue to use ddp-login v0.1.x, (available from npm using `ddp-login@SRP`) which will continue to fully support the old account types and SRP based login protocol.
```bash
# Create an environment variable containing a valid authToken,
# prompting for account credentials only if necessary.
export METEOR_TOKEN=$(ddp-login --host 127.0.0.1 \
--port 3000 \
--env METEOR_TOKEN \
--method account \
--retry 5)
## Get command line help
ddp-login --help
```
The above will only work if `ddp-login` was installed with the `npm -g` option, or if it is run directly using node.js.
Note: for security reasons, there is no way to pass the account credentials on the command line, as such credentials would be visible to all users of a machine in the process status.
The `plaintext` fallback is insecure on the wire (when not using SSL encryption), which is why it is not enabled by default.

Sorry, the diff of this file is not supported yet

Sorry, the diff of this file is not supported yet
