I am creating an admin interface and the admin needs the ability to create user accounts, pick and change the password.
If I try to call Accounts.createUser on the client, it automatically logs the user in as the new user, which is what I do not want.
An approach that will work but I am afraid might be insecure is:
Call a server side Meteor method with the username and password for the new account that the admin has picked.
On the server I can use Accounts.createUser to create the new user with password and it will return the new UserId.
But with this approach I am sending the password in plain text over the wire. We could use https and ssl and I think we will be safe, but is there a more secure way to do this?
A much better practice, which avoids any user knowing any other user's password, is to create the account on the server (as you suggested) but not specify a password; instead, let the user pick it later. From the docs
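
The server-side flow the answer describes, as an added example (not code from the answer or from the Meteor docs). It assumes "pick it later" is done with Meteor's enrollment email: `Accounts.createUser` and `Accounts.sendEnrollmentEmail` are Meteor's server APIs, while `adminCreateUser`, `isAdmin` and `makeStubAccounts` are hypothetical names, and the Accounts object is injected so the logic can run outside Meteor.

```javascript
// Added example. Hypothetical names: adminCreateUser, isAdmin, makeStubAccounts.
// `accounts` is expected to be Meteor's server-side Accounts (accounts-password);
// it is injected so the logic can also run outside Meteor.
function adminCreateUser({ accounts, isAdmin }, callerId, { username, email } = {}) {
  // Any client can invoke a Meteor method, so authorize the caller on the server.
  if (!callerId || !isAdmin(callerId)) throw new Error('not-authorized');
  const validName = typeof username === 'string' && username.trim().length > 0;
  const validMail = typeof email === 'string' && /^[^@\s]+@[^@\s]+$/.test(email);
  if (!validName || !validMail) throw new Error('invalid-input');
  // No `password` option: nothing secret is chosen by, or sent from, the admin.
  const userId = accounts.createUser({ username: username.trim(), email });
  // Mails the new user a link carrying a token to set their own password.
  accounts.sendEnrollmentEmail(userId);
  return userId;
}

// Constructed in-memory stand-in for Accounts, for running the flow offline.
function makeStubAccounts() {
  const users = [];
  const enrollmentsSent = [];
  return {
    users,
    enrollmentsSent,
    createUser(options) {
      const _id = `user${users.length + 1}`;
      users.push({ _id, ...options });
      return _id;
    },
    sendEnrollmentEmail(userId) { enrollmentsSent.push(userId); },
  };
}

// Inside Meteor the method wrapper would be (this.userId is the logged-in caller):
// Meteor.methods({
//   adminCreateUser(fields) {
//     return adminCreateUser({ accounts: Accounts, isAdmin }, this.userId, fields);
//   },
// });
```

The method still needs HTTPS in production, since the login session and the enrollment link's token are sensitive even though no password crosses the wire at creation time.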