API to set autoLoginEnabled #37

Open
mitar opened this issue Dec 18, 2014 · 8 comments

@mitar

mitar commented Dec 18, 2014

I am using iron-router to intercept reset password and enroll account URLs. The issue is that there is no easy way to ensure that the user is not logged in when they access reset password or enroll account URLs. I am currently forcing users to log out in the route controller, but that is ugly.

Related: meteor/meteor#2803

@zimme
Member

zimme commented Dec 22, 2014

In iron-router-auth I have a hook, noAuth, which I use in the plugin on the login and enroll routes to make sure these routes are only run if you aren't already logged in. If you are logged in, you're redirected to the dashboard instead.

As for reset password, does it really matter that you can reset your password even if you're logged in?

@mitar
Author

mitar commented Dec 23, 2014

Maybe it is not you who is logged in at that browser. It is strange to pop up a window for reset while some other user is logged in. Also, it is not just reset password. It is also the invite dialog, which works the same.

I think this is bad. Currently, you have to log out, but that means that Meteor first logged you in before you log out. It would be better if you could simply prevent logging in in the first place.

@splendido
Member

The thing is that when you call Accounts.resetPassword, no matter who is the currently logged in user, the user associated with the token you pass in gets logged in straight on (possibly logging out the previous one).

How you manage it on the UI is separate stuff.
You can set some redirect based on the current status, but you should not prevent the reset-password route from working correctly if a user is already logged in!
I think useraccounts is doing a good job with this...

So, would you like your autoLoginEnabled to work on specific routes?
...let's consider that Meteor has no built-in routing mechanisms

Otherwise you can set a very brief expiration time for resume tokens and ensure no user is logged back in on new connections.
See loginExpirationInDays among the Accounts configuration options.
I'm not sure whether you can set the expiration time to zero days...
might this be the real point of this discussion?

...you can set loginExpirationInDays to null to disable resume token expiration, I guess you can set it to 1, but is it possible to set it to 0 to disable login resume?

@avital

avital commented Feb 2, 2015

If you use the core APIs (e.g. Accounts.onEmailVerificationLink), auto-login is deferred until you call the done callback. Does this solve your problem?

@mitar
Author

mitar commented Feb 2, 2015

No. Because onEmailVerificationLink is called only if the link is formatted in the format the core API expects. I would like to use a different format and use iron-router to intercept it, render proper templates, display a dialog, and then continue.

@avital

avital commented Feb 4, 2015

Hmm. Interesting. /cc @sashko we might want to expose autoLoginEnabled

@mitar
Author

mitar commented Feb 4, 2015

Yes! Please! :-)

@jedwards1211

I suppose one hack would be to just run localStorage.removeItem(Accounts.LOGIN_TOKEN_KEY) after a successful login.
