Fog of Code

Random thoughts about code, software and life

Posts Tagged ‘accounts’

Admin: Accessing Meteor application as another user


The methods I suggest in this post may be insecure, unethical in some cases or maybe just a bad programming practice. But it does come handy sometimes (debugging), and all I want is to demonstrate how this can be done. So here is a scenario: You want to see how a user sees a Meteor app from his user account. We could simply login as that user but we don’t know his password, which is good. So what can we do?

We could forcefully change the current user on the server using:

Meteor.methods(
  "switchUser": (username) ->
    # TODO: reject the call here unless the calling user (@userId) is an administrator
    user = Meteor.users.findOne("username": username)
    if user
      idUser = user["_id"]
      # Rebind this connection to the target user for all later method calls and publications
      @setUserId(idUser)
      return idUser
)

Don’t forget to limit access to this method so only administrators can call it!

However, this isn’t enough. It appears that the user is changed only on the server, and the client still thinks we are using the admin account. This affects every section of the code that is user specific. So we need to tell the Meteor client that we changed the user. One way of doing it is by overriding the Meteor.userId() function in the remote method callback:

Meteor.call("switchUser", "usernameNew", function(error, idUser) {
    // The method returns nothing when the username does not exist
    if (error || !idUser) { console.error(error || "user not found"); return; }
    // Override the client-side accessor so user-specific code now sees the target user
    Meteor.userId = function() { return idUser; };
});

To get back to the admin account, simply refresh the browser. It initiates a new connection to the server, invalidating the setUserId() we used earlier, and it also drops the client-side override of Meteor.userId().
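As an added example (not code from the original post), here is the server-side half of the procedure above written so that the administrator check the post asks for is enforced, and every attempt is recorded for later review. It assumes user documents carry a `roles` array such as `["admin"]`; that field, the `canImpersonate`/`switchUserImpl` names and the in-memory audit list are assumptions of this example, not Meteor conventions.

```javascript
// Added example: switchUser with the admin check the post calls for, plus an audit trail.
// Assumption: user documents have a `roles` array, e.g. ["admin"] (not a Meteor default).

const impersonationAudit = []; // in-memory stand-in for a persistent audit collection

// Pure decision function: may `caller` switch to `target`? Returns { ok, reason }.
function canImpersonate(caller, target) {
  const isAdmin = (u) => Array.isArray(u.roles) && u.roles.includes("admin");
  if (!caller) return { ok: false, reason: "not-logged-in" };
  if (!isAdmin(caller)) return { ok: false, reason: "not-admin" };
  if (!target) return { ok: false, reason: "no-such-user" };
  // Policy choice for this example: admins may not take over other admin accounts.
  if (isAdmin(target)) return { ok: false, reason: "target-is-admin" };
  return { ok: true, reason: "allowed" };
}

// Method body kept independent of Meteor so it runs and can be tested offline.
// `ctx` is the method's `this` (userId, setUserId); the lookups wrap Meteor.users.
function switchUserImpl(ctx, findById, findByUsername, username) {
  const caller = ctx.userId ? findById(ctx.userId) || null : null;
  const target = findByUsername(username) || null;
  const decision = canImpersonate(caller, target);
  impersonationAudit.push({
    at: new Date().toISOString(),
    by: ctx.userId,
    target: username,
    allowed: decision.ok,
    reason: decision.reason,
  });
  if (!decision.ok) throw new Error("switchUser denied: " + decision.reason);
  ctx.setUserId(target._id); // rebind the connection, as in the original method
  return target._id;
}

// Wiring into Meteor, only when this file is loaded by a Meteor server.
if (typeof Meteor !== "undefined" && Meteor.isServer) {
  Meteor.methods({
    switchUser(username) {
      return switchUserImpl(
        this,
        (id) => Meteor.users.findOne(id),
        (name) => Meteor.users.findOne({ username: name }),
        username
      );
    },
  });
}
```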

Although it works, something here doesn’t feel right. Let me know if you have a better way of doing it.

Written by xyand

July 11, 2013 at 6:47 am

Posted in Meteor
