From 5def0ac65ff3460015e12399fbff642a5e9321b0 Mon Sep 17 00:00:00 2001 From: Nick Martin Date: Wed, 26 Sep 2012 15:35:25 -0700 Subject: [PATCH] Add 'Meteor.setPassword' on the server. Relax constraints around setting an initial password for users. --- .../accounts-password/passwords_server.js | 34 ++++++++++++++----- packages/accounts-password/passwords_tests.js | 30 ++++++++++++++++ 2 files changed, 55 insertions(+), 9 deletions(-) diff --git a/packages/accounts-password/passwords_server.js b/packages/accounts-password/passwords_server.js index c8e73237c7..530e73763a 100644 --- a/packages/accounts-password/passwords_server.js +++ b/packages/accounts-password/passwords_server.js @@ -304,6 +304,15 @@ }); + Meteor.setPassword = function (userId, newPassword) { + var user = Meteor.users.findOne(userId); + if (!user) + throw new Meteor.Error(403, "User not found"); + var newVerifier = Meteor._srp.generateVerifier(newPassword); + + Meteor.users.update({_id: user._id}, { + $set: {'services.password.srp': newVerifier}}); + }; //////////// 
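Review bot: `Meteor.setPassword` passes `newPassword` straight to `Meteor._srp.generateVerifier` without checking that it is a non-empty string, so a caller that forwards a missing or empty value may end up storing a verifier for it (how `generateVerifier` treats such input is not visible here). A guard before the verifier is generated would close that, e.g. `if (typeof newPassword !== 'string' || !newPassword) throw new Meteor.Error(400, "Password may not be empty");`. The update also only `$set`s `services.password.srp`; if this version keeps login or reset tokens elsewhere on the user document, sessions opened with the old password presumably stay valid after the change, which matters when the function is used to recover an account. The function performs no authorization of its own, so a comment such as `// Server-only; caller must verify the requester may change this user's password` above the definition would help.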
@@ -388,20 +397,27 @@ extra = {}; } - // XXX relax these constraints! - + // XXX allow an optional callback? if (callback) { throw new Error("Meteor.createUser with callback not supported on the server yet."); } - if (options.password || options.srp) - throw new Error("Meteor.createUser on the server does not let you set a password yet."); - - if (!options.email) - throw new Error("Meteor.createUser on the server requires email."); - var userId = createUser(options, extra); - Meteor.accounts.sendEnrollmentEmail(userId, options.email); + + // send email if the user has an email and no password + var user = Meteor.users.findOne(userId); + if ( + // user has email address + (user && user.emails && user.emails.length && + user.emails[0].address) && + // and does not have a password + !(user.services && user.services.password && + user.services.password.srp)) { + + var email = user.emails[0].address; + Meteor.accounts.sendEnrollmentEmail(userId, email); + } + return userId; }; diff --git a/packages/accounts-password/passwords_tests.js b/packages/accounts-password/passwords_tests.js index 7289de3373..9c09920905 100644 --- a/packages/accounts-password/passwords_tests.js +++ b/packages/accounts-password/passwords_tests.js 
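Review bot: The user document is inserted by `createUser(options, extra)` before `Meteor.accounts.sendEnrollmentEmail(userId, email)` runs, so if sending can throw (not visible in this hunk) the caller gets an exception instead of `userId` while a password-less account already exists. Either catch and log the mail failure so `return userId` is still reached, or document it above the call, e.g. `// NOTE: may throw after the user has been created; the account then exists without a password`. With the `options.email` requirement removed, a user with neither email nor password is now created silently; the new test relies on that, so it looks intentional, but a one-line comment saying so would make the enrollment condition easier to audit. The enclosing function begins above the hunk.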
@@ -204,6 +204,36 @@ if (Meteor.isServer) (function () { }); + Tinytest.add( + 'passwords - setPassword', + function (test) { + var username = Meteor.uuid(); + + var userId = Meteor.createUser({username: username}, {}); + + var user = Meteor.users.findOne(userId); + // no services yet. + test.equal(user.services.password, undefined); + + // set a new password. + Meteor.setPassword(userId, 'new password'); + user = Meteor.users.findOne(userId); + var oldVerifier = user.services.password.srp; + test.isTrue(user.services.password.srp); + + // reset with the same password, see we get a different verifier + Meteor.setPassword(userId, 'new password'); + user = Meteor.users.findOne(userId); + var newVerifier = user.services.password.srp; + test.notEqual(oldVerifier.salt, newVerifier.salt); + test.notEqual(oldVerifier.identity, newVerifier.identity); + test.notEqual(oldVerifier.verifier, newVerifier.verifier); + + // cleanup + Meteor.users.remove(userId); + }); + + // XXX would be nice to test Meteor.accounts.config({forbidSignups: true}) }) ();
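Review bot: The test covers only the success path and leaves the `throw new Meteor.Error(403, "User not found")` branch of `Meteor.setPassword` unexercised; if this Tinytest version offers `test.throws`, add `test.throws(function () { Meteor.setPassword(Meteor.uuid(), 'new password'); });`. `Meteor.users.remove(userId)` runs only when every earlier statement completes, so a thrown TypeError (for example from `user.services.password.srp` if the update did not happen) would leave the generated user in the collection; wrapping the body in `try { … } finally { Meteor.users.remove(userId); }` avoids that. The three `notEqual` checks show that the verifier is regenerated rather than reused, but nothing confirms that the stored verifier actually accepts 'new password'; a login round-trip would be a stronger assertion if the harness allows it.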