From 40e45cab001e58835ff10e045a72bbead1c28c18 Mon Sep 17 00:00:00 2001 From: Emily Stark Date: Tue, 17 Jun 2014 15:33:00 -0700 Subject: [PATCH] more detail in History --- History.md | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/History.md b/History.md index ecc96433d8..e0ec79b0af 100644 --- a/History.md +++ b/History.md @@ -5,13 +5,30 @@ #### Meteor Accounts -* Migrate from SRP to bcrypt in `accounts-password`. Users will be - transparently upgraded when they log in. +* Switch `accounts-password` to use bcrypt to store passwords on the + server. (Previous versions of Meteor used a protocol called SRP.) + Users will be transparently transitioned when they log in. This + transition is one-way, so you cannot downgrade a production app once + you upgrade to 0.8.2. If you are maintaining an authenticating DDP + client: + - Clients that use the plaintext password login handler (i.e. call + the `login` method with argument `{ password: }`) will continue to work, but users will not be + transitioned from SRP to bcrypt when logging in with this login + handler. + - Clients that use SRP will no longer work. These clients should + instead directly call the `login` method, as in + `Meteor.loginWithPassword`. The argument to the `login` method + can be either: + - `{ password: <plaintext password> }`, or + - `{ password: { digest: <password hash>, algorithm: "sha-256" } }`, + where the password hash is the hex-encoded SHA256 hash of the + plaintext password. * Show the display name of the currently logged-in user after following a verification link or password reset link in `accounts-ui`. -* Add `userEmail` option to `Meteor.loginWithMeteorDeveloperAccount`. +* Add a `userEmail` option to `Meteor.loginWithMeteorDeveloperAccount`. * Ensure that the user object has updated token information before it is passed to email template functions. #2210
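Review bot: In the first sub-bullet under "If you are maintaining an authenticating DDP client", the `login` argument is written as `{ password: }` with no value, while the later bullet gives `{ password: <plaintext password> }`; use the same placeholder in both places so the argument shape is unambiguous. The entry says users who log in through the plaintext handler are not transitioned from SRP to bcrypt, but it does not say which argument form does transition them, so a client maintainer cannot tell from this text how to get users migrated; please state that explicitly. The hash is also named two ways ("SHA256" in the prose, `"sha-256"` in the argument), and it would help to note that the `algorithm` string must match exactly as shown. Finally, the one-way upgrade warning ("you cannot downgrade a production app once you upgrade to 0.8.2") sits in the middle of the bullet; consider giving it its own sentence or sub-bullet so operators see it before deploying.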