Comparing version 1.0.5 to 1.0.6
@@ -0,1 +1,4 @@ | ||
#### v1.0.6 | ||
* Updated dependencies | ||
#### v1.0.5 | ||
@@ -2,0 +5,0 @@ * Updated dependencies |
@@ -1,5 +0,5 @@ | ||
// Generated by CoffeeScript 1.8.0 | ||
// Generated by CoffeeScript 1.9.2 | ||
(function() { | ||
var DDP, async, attemptLogin, crypto, isEmail, login, loginWithAccount, loginWithEmail, loginWithToken, loginWithUsername, plaintextToDigest, read, tryOneAccount, tryOneEmail, tryOneToken, tryOneUser, userPrompt, | ||
__slice = [].slice; | ||
slice = [].slice; | ||
@@ -15,4 +15,4 @@ read = require('read'); | ||
login = function() { | ||
var cb, ddp, method, options, _i, _ref; | ||
ddp = arguments[0], options = 3 <= arguments.length ? __slice.call(arguments, 1, _i = arguments.length - 1) : (_i = 1, []), cb = arguments[_i++]; | ||
var cb, ddp, i, method, options, ref; | ||
ddp = arguments[0], options = 3 <= arguments.length ? slice.call(arguments, 1, i = arguments.length - 1) : (i = 1, []), cb = arguments[i++]; | ||
if (typeof cb !== 'function') { | ||
@@ -24,3 +24,3 @@ throw new Error('Valid callback must be provided to ddp-login'); | ||
} | ||
options = (_ref = options[0]) != null ? _ref : {}; | ||
options = (ref = options[0]) != null ? ref : {}; | ||
if (options.env == null) { | ||
@@ -117,3 +117,3 @@ options.env = 'METEOR_TOKEN'; | ||
} | ||
srpDigest = plaintextToDigest("" + details.identity + ":" + pass); | ||
srpDigest = plaintextToDigest(details.identity + ":" + pass); | ||
return ddp.call('login', [ | ||
@@ -148,4 +148,4 @@ { | ||
loginWithUsername = function() { | ||
var cb, ddp, options, password, username, _i; | ||
ddp = arguments[0], username = arguments[1], password = arguments[2], options = 5 <= arguments.length ? __slice.call(arguments, 3, _i = arguments.length - 1) : (_i = 3, []), cb = arguments[_i++]; | ||
var cb, ddp, i, options, password, username; | ||
ddp = arguments[0], username = arguments[1], password = arguments[2], options = 5 <= arguments.length ? slice.call(arguments, 3, i = arguments.length - 1) : (i = 3, []), cb = arguments[i++]; | ||
return attemptLogin(ddp, { | ||
@@ -157,4 +157,4 @@ username: username | ||
loginWithEmail = function() { | ||
var cb, ddp, email, options, password, _i; | ||
ddp = arguments[0], email = arguments[1], password = arguments[2], options = 5 <= arguments.length ? __slice.call(arguments, 3, _i = arguments.length - 1) : (_i = 3, []), cb = arguments[_i++]; | ||
var cb, ddp, email, i, options, password; | ||
ddp = arguments[0], email = arguments[1], password = arguments[2], options = 5 <= arguments.length ? slice.call(arguments, 3, i = arguments.length - 1) : (i = 3, []), cb = arguments[i++]; | ||
return attemptLogin(ddp, { | ||
@@ -166,4 +166,4 @@ email: email | ||
loginWithAccount = function() { | ||
var account, cb, ddp, options, password, _i; | ||
ddp = arguments[0], account = arguments[1], password = arguments[2], options = 5 <= arguments.length ? __slice.call(arguments, 3, _i = arguments.length - 1) : (_i = 3, []), cb = arguments[_i++]; | ||
var account, cb, ddp, i, options, password; | ||
ddp = arguments[0], account = arguments[1], password = arguments[2], options = 5 <= arguments.length ? slice.call(arguments, 3, i = arguments.length - 1) : (i = 3, []), cb = arguments[i++]; | ||
if (isEmail(account)) { | ||
@@ -212,3 +212,3 @@ return loginWithEmail(ddp, account, password, options[0], function(err, tok) { | ||
return async.series(readPrompts, function(err, res) { | ||
var result, _ref, _ref1; | ||
var ref, ref1, result; | ||
if (err) { | ||
@@ -218,4 +218,4 @@ cb(err); | ||
result = {}; | ||
result.account = ((_ref = res.account) != null ? _ref[0] : void 0) || options.account; | ||
result.pass = ((_ref1 = res.pass) != null ? _ref1[0] : void 0) || options.pass; | ||
result.account = ((ref = res.account) != null ? ref[0] : void 0) || options.account; | ||
result.pass = ((ref1 = res.pass) != null ? ref1[0] : void 0) || options.pass; | ||
return cb(null, result); | ||
@@ -222,0 +222,0 @@ }); |
{ | ||
"name": "ddp-login", | ||
"version": "1.0.5", | ||
"version": "1.0.6", | ||
"description": "Login to a Meteor server via DDP and obtain an authentication token", | ||
"main": "lib/index.js", | ||
"dependencies": { | ||
"ddp": "~0.9.1", | ||
"read": "~1.0.5", | ||
"async": "~0.9.0", | ||
"yargs": "~1.3.3" | ||
"ddp": "^0.11.0", | ||
"read": "^1.0.5", | ||
"async": "^0.9.0", | ||
"yargs": "^3.9.0" | ||
}, | ||
"devDependencies": { | ||
"coffee-script": "~1.8.0", | ||
"mocha": "~1.21.4", | ||
"chai": "~1.10.0", | ||
"rewire": "~2.1.0", | ||
"sinon": "~1.10.3" | ||
"coffee-script": "^1.9.2", | ||
"mocha": "^2.2.4", | ||
"chai": "^2.3.0", | ||
"rewire": "^2.3.3", | ||
"sinon": "^1.14.1" | ||
}, | ||
@@ -37,3 +37,3 @@ "scripts": { | ||
"engine": { | ||
"node": ">=0.10.28" | ||
"node": ">=0.10.36" | ||
}, | ||
@@ -40,0 +40,0 @@ "readmeFilename": "README.md", |
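Review bot: The move from `~` to `^` ranges in `dependencies`, together with the `ddp` jump from `~0.9.1` to `^0.11.0`, widens what gets installed next to a library that handles passwords and login tokens, and nothing in this section pins the result. The page's dependency summary shows the effect: `yargs` resolves to 3.32.0 rather than 3.9.0, and `request@2.53.0` appears with its own tree (`hawk`, `tough-cookie`, `qs` and others), apparently pulled in by the new `ddp`. I would publish an `npm-shrinkwrap.json` with the release, or keep `~` on the runtime dependencies, and audit the added transitive packages before release. Separately, the last hunk edits the key `"engine"`, which npm does not read; the Node constraint only takes effect when written as `"engines": { "node": ">=0.10.36" }`.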
ddp-login | ||
==================================== | ||
ddp-login is a node.js npm package providing a simple way to authenticate with a [Meteor](https://www.meteor.com/) server programmatically (as opposed to from within a browser) using the [DDP protocol](https://github.com/meteor/meteor/blob/master/packages/livedata/DDP.md). It provides both a Javascript API and a command-line tool that can be used from within your favorite shell. | ||
ddp-login is a node.js npm package providing a simple way to authenticate with a [Meteor](https://www.meteor.com/) server programmatically (as opposed to from within a browser) using the [DDP protocol](https://github.com/meteor/meteor/blob/devel/packages/ddp/DDP.md). It provides both a Javascript API and a command-line tool that can be used from within your favorite shell. | ||
ddp-login is built on top of the [ddp](https://www.npmjs.org/package/ddp) npm package and makes it easy to prompt a user for login credentials (based on e-mail or username), authenticate a DDP connection and then securely cache the resulting authentication token in the process environment. If a valid token is already present in the environment, then there is no need to prompt the user and reauthentication occurs transparently. Alternatively, the Javascript API may provide account credentials to avoid unwanted user prompts. | ||
**NOTE:** As of Meteor v0.8.2, the Meteor account database and authentication methods have [changed significantly](https://github.com/meteor/meteor/blob/master/History.md#meteor-accounts). These changes have brought some potential compatibility issues: | ||
* As of ddp-login v1.0.0, authenticating with a Meteor server older than v0.8.2 requires the `plaintext` option. | ||
* For servers v0.8.2 or newer, accounts created on older versions of Meteor will be automatically migrated to the new "BCrypt" account type on first login (either using the Meteor Client or this package.) | ||
* As long as you are only using pre-v0.8.2 servers, you may want to continue to use ddp-login v0.1.x, (available from npm using `ddp-login@SRP`) which will continue to fully support the old account types and SRP based login protocol. | ||
## Security | ||
The `plaintext` fallback is insecure on the wire (when not using SSL encryption), which is why it is not enabled by default. The new default remote login scheme for Meteor transmits the [SHA256 digest](https://en.wikipedia.org/wiki/SHA256) of the password, which is somewhat more secure for strong passwords, but which is still vulnerable to replay attacks. For these reasons, it is strongly advised that you use SSL encrypted DDP connections for all authentication requests that traverse untrusted networks. | ||
The current secure remote login scheme for Meteor transmits the [SHA256 digest](https://en.wikipedia.org/wiki/SHA256) of the user's password, which is somewhat more secure than plaintext for strong passwords, however this approach is still vulnerable to replay attacks. For these reasons, it is strongly advised that you use SSL encrypted DDP connections for all authentication requests that traverse untrusted networks. | ||
@@ -27,6 +24,7 @@ ## Installation | ||
# To install ddp-login for the old SRP style authentication: | ||
# To install ddp-login for the old pre-0.8.2 Meteor SRP style authentication: | ||
npm install ddp-login@SRP | ||
# or | ||
npm -g install ddp-login@SRP | ||
# See note at end of this README for more info! | ||
``` | ||
@@ -46,2 +44,22 @@ | ||
### From the command shell | ||
Here's how to securely set an environment variable with an authentication token that can be used by other programs to avoid a user having to repeatedly enter credentials at the shell. | ||
```bash | ||
# Create an environment variable containing a valid authToken, | ||
# prompting for account credentials only if necessary. | ||
export METEOR_TOKEN=$(ddp-login --host 127.0.0.1 \ | ||
--port 3000 \ | ||
--env METEOR_TOKEN \ | ||
--method account \ | ||
--retry 5) | ||
## Get full command line help for all options: | ||
ddp-login --help | ||
``` | ||
The above will only work if `ddp-login` was installed with the `npm -g` option, or if it is run directly using node.js. | ||
Note: for security reasons, there is no way to pass the account credentials on the command line, as such credentials would be visible to all users of a machine in the process status. | ||
### In node.js | ||
@@ -125,20 +143,9 @@ | ||
### From the command shell | ||
## Note about compatibility with pre-0.8.2 versions of Meteor | ||
Here's how to securely set an environment variable with an authentication token that can be used by other programs to avoid a user having to repeatedly enter credentials at the shell. | ||
As of Meteor v0.8.2, the Meteor account database and authentication methods have [changed significantly](https://github.com/meteor/meteor/blob/master/History.md#meteor-accounts-3). These changes have brought some potential compatibility issues: | ||
* As of ddp-login v1.0.0, authenticating with a Meteor server older than v0.8.2 requires the `plaintext` option. | ||
* For servers v0.8.2 or newer, accounts created on older versions of Meteor will be automatically migrated to the new "BCrypt" account type on first login (either using the Meteor Client or this package.) | ||
* As long as you are only using pre-v0.8.2 servers, you may want to continue to use ddp-login v0.1.x, (available from npm using `ddp-login@SRP`) which will continue to fully support the old account types and SRP based login protocol. | ||
```bash | ||
# Create an environment variable containing a valid authToken, | ||
# prompting for account credentials only if necessary. | ||
export METEOR_TOKEN=$(ddp-login --host 127.0.0.1 \ | ||
--port 3000 \ | ||
--env METEOR_TOKEN \ | ||
--method account \ | ||
--retry 5) | ||
## Get command line help | ||
ddp-login --help | ||
``` | ||
The above will only work if `ddp-login` was installed with the `npm -g` option, or if it is run directly using node.js. | ||
Note: for security reasons, there is no way to pass the account credentials on the command line, as such credentials would be visible to all users of a machine in the process status. | ||
The `plaintext` fallback is insecure on the wire (when not using SSL encryption), which is why it is not enabled by default. |
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
+ Addedansi-regex@2.1.1(transitive)
+ Addedasn1@0.1.11(transitive)
+ Addedassert-plus@0.1.5(transitive)
+ Addedaws-sign2@0.5.0(transitive)
+ Addedbl@0.9.5(transitive)
+ Addedboom@2.10.1(transitive)
+ Addedcamelcase@2.1.1(transitive)
+ Addedcaseless@0.9.0(transitive)
+ Addedcliui@3.2.0(transitive)
+ Addedcode-point-at@1.1.0(transitive)
+ Addedcombined-stream@0.0.7(transitive)
+ Addedcore-util-is@1.0.3(transitive)
+ Addedcryptiles@2.0.5(transitive)
+ Addedctype@0.5.3(transitive)
+ Addedddp@0.11.0(transitive)
+ Addeddecamelize@1.2.0(transitive)
+ Addeddelayed-stream@0.0.5(transitive)
+ Addedfaye-websocket@0.9.4(transitive)
+ Addedforever-agent@0.5.2(transitive)
+ Addedform-data@0.2.0(transitive)
+ Addedhawk@2.3.1(transitive)
+ Addedhoek@2.16.3(transitive)
+ Addedhttp-signature@0.10.1(transitive)
+ Addedinherits@2.0.4(transitive)
+ Addedinvert-kv@1.0.0(transitive)
+ Addedis-fullwidth-code-point@1.0.0(transitive)
+ Addedisarray@0.0.1(transitive)
+ Addedisstream@0.1.2(transitive)
+ Addedjson-stringify-safe@5.0.1(transitive)
+ Addedlcid@1.0.0(transitive)
+ Addedmime-db@1.12.0(transitive)
+ Addedmime-types@2.0.14(transitive)
+ Addednode-uuid@1.4.8(transitive)
+ Addednumber-is-nan@1.0.1(transitive)
+ Addedoauth-sign@0.6.0(transitive)
+ Addedos-locale@1.4.0(transitive)
+ Addedqs@2.3.3(transitive)
+ Addedreadable-stream@1.0.34(transitive)
+ Addedrequest@2.53.0(transitive)
+ Addedsntp@1.0.9(transitive)
+ Addedstring-width@1.0.2(transitive)
+ Addedstring_decoder@0.10.31(transitive)
+ Addedstringstream@0.0.6(transitive)
+ Addedstrip-ansi@3.0.1(transitive)
+ Addedtldts@6.1.52(transitive)
+ Addedtldts-core@6.1.52(transitive)
+ Addedtough-cookie@5.0.0(transitive)
+ Addedtunnel-agent@0.4.3(transitive)
+ Addedwindow-size@0.1.4(transitive)
+ Addedwrap-ansi@2.1.0(transitive)
+ Addedy18n@3.2.2(transitive)
+ Addedyargs@3.32.0(transitive)
- Removedddp@0.9.4(transitive)
- Removedfaye-websocket@0.7.3(transitive)
- Removedyargs@1.3.3(transitive)
Updatedasync@^0.9.0
Updatedddp@^0.11.0
Updatedread@^1.0.5
Updatedyargs@^3.9.0