Overview
Meteor’s accounts system provides a secure, full-featured authentication framework built on top of the DDP protocol. The accounts-base package forms the foundation, with additional packages adding specific login methods.
Core Concepts
userId in DDP
DDP (Distributed Data Protocol) has built-in support for user authentication. Every DDP connection tracks a userId field, which is automatically available in:
- Methods: Access via
this.userId
- Publications: Access via
this.userId
- Client: Access via
Meteor.userId() and Meteor.user()
The accounts-base Package
The accounts-base package provides:
- Users Collection: Access via
Meteor.users with a standard schema
- Authentication API: Methods for login, logout, and user validation
- Login Handler Registration: API for adding custom authentication methods
- Client Singletons:
Meteor.userId() and Meteor.user()
The accounts-base package is automatically included when you add any accounts-related package like accounts-password.
Password Authentication
Add password authentication to your app:
Creating Users
Validating New Users
Always validate new users on the server:
Case Sensitivity
Meteor handles email/username case-insensitivity automatically. Always use these methods to query users:
Email Workflows
Sending Account Emails
Customizing Email Templates
Customizing Email URLs
Handling Email Links on the Client
OAuth Providers
Meteor supports multiple OAuth providers:
Configuring OAuth
Account Configuration
Custom User Data
Adding Fields to Users
Publishing User Data
Login Hooks
Security Best Practices
Never trust client data. Always validate and check permissions on the server.
Rate Limiting Login Attempts
Meteor includes built-in rate limiting for password login to prevent brute-force attacks:
Securing User Documents