splendido / meteor-accounts-meld

Meteor package to meld user accounts registered with the same email address, or associate many different 3rd-party login services with the same user account.
http://test-accounts-meld.meteor.com/

do we need to 'pinEncryptedFieldsToUser' when moving services? #2

Open splendido opened 10 years ago

splendido commented 10 years ago

Looking at the accounts-base code, it seems that services' data is possibly added to the user object somehow encrypted with the user._id. See this:

https://github.com/meteor/meteor/blob/devel/packages/accounts-base/accounts_server.js#L1136

the function pinEncryptedFieldsToUser is defined here:

https://github.com/meteor/meteor/blob/devel/packages/accounts-base/accounts_server.js#L919

So the question is: when we merge two accounts, moving services from one to another with something like _.defaults(dst_user.services, src_user.services); is it fine, or should we re-encrypt all services' data fields with the new dst_user._id?

...in any case, at the first login using a particular service, the above-cited function will be re-run and all service data re-encrypted!

So the actual question is: could it be that some particular service data field contains information that will be needed before the next login with that service?

praneybehl commented 10 years ago

I believe that re-encrypting the data would be a better option.

splendido commented 10 years ago

At the moment the function pinEncryptedFieldsToUser is not available from outside the accounts-base package, and this is why I'm not using it. At that time I was not so keen to copy the function over to accounts-meld, which would be harder to maintain... The solution would be to ask for it to be made available as Accounts.pinEncryptedFieldsToUser, but this would be useless to most.

Actually I had no time to better investigate how it works, and everything is working well. Do you have a better idea of what its aim is?
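
The concern raised in this thread, as an added Node.js example that is not code from accounts-meld or Meteor: if sealed service fields are bound to a user id, a plain _.defaults-style copy leaves them bound to the source account until they are re-pinned. The AES-GCM scheme with the user id as additional authenticated data, the key, the sample users and the names seal, open, repin and meldServices are all assumptions made for illustration.

```javascript
const crypto = require("crypto");

// Constructed 128-bit key for the demo (assumption; not a real deployment secret).
const KEY = crypto.randomBytes(16);

// Seal a value so it only opens with the same userId (bound as GCM AAD).
function seal(plaintext, userId) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-128-gcm", KEY, iv);
  c.setAAD(Buffer.from(userId));
  const ct = Buffer.concat([c.update(plaintext, "utf8"), c.final()]);
  return { sealed: true, iv, ct, tag: c.getAuthTag() };
}

// Open a sealed value; throws if userId differs from the one used to seal.
function open(box, userId) {
  const d = crypto.createDecipheriv("aes-128-gcm", KEY, box.iv);
  d.setAAD(Buffer.from(userId));
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]).toString("utf8");
}

const isSealed = (v) => Boolean(v && v.sealed === true);
const canOpen = (box, id) => { try { open(box, id); return true; } catch (e) { return false; } };

// Re-bind every sealed field of one service from oldId to newId.
function repin(serviceData, oldId, newId) {
  const out = {};
  for (const [k, v] of Object.entries(serviceData)) {
    out[k] = isSealed(v) ? seal(open(v, oldId), newId) : v;
  }
  return out;
}

// Meld: copy services missing on dst (like _.defaults), optionally re-pinning.
function meldServices(dst, src, { repinFields }) {
  const services = { ...dst.services };
  for (const [name, data] of Object.entries(src.services)) {
    if (name in services) continue; // dst wins, as with _.defaults
    services[name] = repinFields ? repin(data, src._id, dst._id) : data;
  }
  return services;
}

// Constructed sample users (hypothetical ids and token).
const src = { _id: "srcUser1", services: { github: { id: 42, accessToken: seal("tok-constructed", "srcUser1") } } };
const dst = { _id: "dstUser2", services: { password: { bcrypt: "constructed" } } };
```

Under this assumed scheme, a field moved without re-pinning stays unreadable under the destination user's id until something re-seals it, which is the window the thread asks about.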