Skip to main content

Overview

Meteor’s accounts system provides a secure, full-featured authentication framework built on top of the DDP protocol. The accounts-base package forms the foundation, with additional packages adding specific login methods.

Core Concepts

userId in DDP

DDP (Distributed Data Protocol) has built-in support for user authentication. Every DDP connection tracks a userId field, which is automatically available in:
  • Methods: Access via this.userId
  • Publications: Access via this.userId
  • Client: Access via Meteor.userId() and Meteor.user()

The accounts-base Package

The accounts-base package provides:
  1. Users Collection: Access via Meteor.users with a standard schema
  2. Authentication API: Methods for login, logout, and user validation
  3. Login Handler Registration: API for adding custom authentication methods
  4. Client Singletons: Meteor.userId() and Meteor.user()
The accounts-base package is automatically included when you add any accounts-related package like accounts-password.

Password Authentication

Add password authentication to your app:

Creating Users

Validating New Users

Always validate new users on the server:

Case Sensitivity

Meteor handles email/username case-insensitivity automatically. Always use these methods to query users:

Email Workflows

Sending Account Emails

Customizing Email Templates

Customizing Email URLs

OAuth Providers

Meteor supports multiple OAuth providers:

Configuring OAuth

Account Configuration

Custom User Data

Adding Fields to Users

Publishing User Data

Login Hooks

Security Best Practices

Never trust client data. Always validate and check permissions on the server.

Rate Limiting Login Attempts

Meteor includes built-in rate limiting for password login to prevent brute-force attacks:

Securing User Documents