accounts-js / accounts

Fullstack authentication and accounts-management for Javascript.
https://www.accountsjs.com/
MIT License

"Incorrect password" when trying to login with pre-existing meteor accounts #1112

Closed acomito closed 3 years ago

acomito commented 3 years ago

I'm trying to connect a new nodejs application that uses accountsjs to an old database that was previously powered by a meteor application.

When I try to login to an old account, I am getting "Incorrect password", even though I'm positive the password is correct (I verified on an old meteor app version that's still running).

Is this something related to

    hashPassword?: (password: string) => Promise<string>;
    verifyPassword?: (password: string, hash: string) => Promise<boolean>;

Right now I have this

    db: new MongoDBInterface(db, {
      convertUserIdToMongoObjectId: false,
      convertSessionIdToMongoObjectId: false,
    }),

    const password = new AccountsPassword({
      returnTokensAfterResetPassword: true,
      // hashPassword: (password) => argon2.hash("password")
      // verifyPassword: (password, hash) => argon2.verify(hash, password),
    });

I was under the impression accountsjs and meteor both use SHA256 but I'm very knowledgeable on the subject... looking at accountsjs source it seems my password check is failing here

    const isPasswordValid = await this.options.verifyPassword(password, hash);

@stolinski @lorensr did you guys ever get your old meteor accounts working?

Some related reading/issues

pradel commented 3 years ago

Which version of accounts-js are you using? I think you will need to apply the following client side (as Meteor passwords are hashed client side first): https://www.accountsjs.com/docs/strategies/password-client#hashing-the-password-client-side
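
Why the plaintext login fails against Meteor-era hashes, as an added example that is not part of the thread or of accounts-js: Meteor's client sends the SHA-256 hex digest of the password, and the server stores a slow hash (bcrypt) of that digest. Here `scrypt` stands in for bcrypt so the block runs on Node built-ins alone; all function names and the sample password are constructed for illustration.

```javascript
// Added example: hypothetical helper names, constructed sample data.
const { createHash, scryptSync, randomBytes, timingSafeEqual } = require("node:crypto");

// What a Meteor client puts on the wire instead of the plaintext password.
const sha256Hex = (password) =>
  createHash("sha256").update(password, "utf8").digest("hex");

// Stand-in for the server-side slow hash. Meteor uses bcrypt; scrypt is an
// assumption made here only to avoid a third-party dependency.
function slowHash(input, salt = randomBytes(16)) {
  const key = scryptSync(input, salt, 32);
  return `${salt.toString("hex")}$${key.toString("hex")}`;
}

// Recompute the slow hash with the stored salt and compare in constant time.
function slowVerify(input, stored) {
  const [saltHex, keyHex] = stored.split("$");
  const expected = Buffer.from(keyHex, "hex");
  const actual = scryptSync(input, Buffer.from(saltHex, "hex"), expected.length);
  return timingSafeEqual(actual, expected);
}

// How a Meteor-era record came to exist: slow hash over the client digest,
// never over the plaintext.
function createLegacyRecord(plaintext) {
  return slowHash(sha256Hex(plaintext));
}

function demo() {
  const stored = createLegacyRecord("correct horse"); // constructed sample
  return {
    // New client sends plaintext: the server hashes different input, so the
    // check fails even though the user typed the right password.
    plaintextSent: slowVerify("correct horse", stored),
    // Client hashes with SHA-256 first, as the linked docs describe: match.
    digestSent: slowVerify(sha256Hex("correct horse"), stored),
    // A wrong password still fails after client-side hashing.
    wrongDigestSent: slowVerify(sha256Hex("wrong"), stored),
  };
}

console.log(demo());
```

The digest is password-equivalent on the wire, so it needs the same transport protection as a plaintext password would.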

acomito commented 3 years ago
    "@accounts/graphql-api": "^0.29.0",
    "@accounts/mongo": "^0.29.0",
    "@accounts/password": "^0.29.0",
    "@accounts/server": "^0.29.0",

I'll try hashing it client side and report back

acomito commented 3 years ago

it worked! Thanks.

pradel commented 3 years ago

@acomito do you have a list of all the changes you had to do to make it work with meteor? Would be nice to have in order to set up a guide on the website :)

acomito commented 3 years ago

I will put something together

acomito commented 3 years ago

@pradel

It ended up being really simple... mostly convertUserIdToMongoObjectId and then hashing the password on the frontend.

https://gist.github.com/acomito/b6969d6121254eeffa54be431a3f2262

Maybe the only additional note is that if you insert/create users programmatically anywhere on the backend, you have to make sure you're creating them with the meteor-style _ids.

If I notice any other requirements, I'll let you know