
I'm new to Meteor and I've been reading a lot; however, I'm a little confused about the Meteor.users collection and the best way to use it. My interpretation of the best practice guide is that the Meteor.users collection should only be used for managing the accounts-ui package: email, password and username. The guide states that profile is insecure, a flaw in the original Meteor design, and should not be used.

So my question is: if I want to create a user profile that contains things like first name, last name, age, address, avatar etc., do I create a separate collection like 'userProfile' and link it using the Meteor.userId, or am I supposed to keep it in the Meteor.users collection somehow?


1 Answer

Common practice is to put user profile information such as the kind you're describing into Meteor.user().profile. In fact people often do much more, for example memberships in groups, arrays of postIds, all kinds of things. Keeping a separate 1:1 profile collection is an option but there's no fundamental reason to do so that I can think of. On the contrary it makes things just a bit more complicated.

Update: As @jonatan points out in the comments, the Meteor Guide has now unrecommended the use of the profile field in the user document.

Instead they recommend storing custom user information as top-level keys in the user document. This is not only more secure but also more performant, since incremental updates can get published over DDP on top-level keys but not on sub-keys.

Meteor.user().profile is always auto-published for the current user even after the autopublish package has been removed. Information about other users is not published at all unless you explicitly set up a publication. In that case care must be taken to only publish those fields that should be visible to other users. For example you may only want to publish the usernames of other users and not their email addresses for privacy. You would do this with:

    // Server side: publish only the username of other users; email addresses
    // and the services key are never included in the field projection.
    Meteor.publish('otherUsers', function () {
      return Meteor.users.find({}, { fields: { 'profile.username': 1 } });
    });

You might also restrict the set of other users that is published based on them being connected in some way to the current user to avoid publishing all users all the time.

You should also avoid publishing the services key, which contains security information about the user (e.g. the bcrypt hash of their password). As @David Weldon points out in the comments, you shouldn't put other security information in the profile either, and you probably want a deny rule on the user modifying their own profile from the client.

  • The main reason `profile` has issues is that it's editable by default even if `insecure` has been removed. If developers don't know this, it can lead to serious security issues where authorization data is stored in the profile. – David Weldon Jan 20 '16 at 00:23
  • Is it editable for users other than the current user? What if your allow/deny rules deny all updates to the user document? I agree that it's no place for security info. – Michel Floyd Jan 20 '16 at 00:26
  • 1
    It's only writable by the current user, but if the server believes that superusers are any users with `profile.isSuperuser` set then you have a problem. You can solve it with a simple `deny` rule. See the first item in [common mistakes](https://dweldon.silvrback.com/common-mistakes). – David Weldon Jan 20 '16 at 00:29
  • Thanks to all the replies. Michel's response really makes things much clearer. Thanks again! – bp123 Jan 20 '16 at 01:17
  • By the way I asked this question on the meteor forum and because your post was very helpful I copied/pasted it in there. I've referenced you and your response, so people should know it has come from you. If I'm supposed to do more let me know. I'm just learning. Thanks again! – bp123 Jan 20 '16 at 03:11
  • Thanks! You should give props to David as well. – Michel Floyd Jan 20 '16 at 03:31
  • Thanks to you too David. I need to look into assigning roles to understand how that will affect things. Do you recommend using alanning roles? – bp123 Jan 20 '16 at 10:52
  • The Meteor docs now say [Don't use profile](https://guide.meteor.com/accounts.html#dont-use-profile). – jonatan Dec 27 '16 at 12:40
  • Thanks for the update on the docs @jonatan I'll update the answer accordingly. – Michel Floyd Dec 27 '16 at 19:56
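The deny rule and restricted publication discussed in the answer and comments, as an added example that is not part of the answer or of Meteor itself. It assumes only the standard accounts-base API (`Meteor.users.deny`, `Meteor.publish`); the `roles` top-level key is a hypothetical name chosen here, and the pure functions run outside Meteor so they can be checked stand-alone.

```javascript
// Added example: server-side rules that keep authorization data out of
// the client-writable profile and out of what other clients receive.

// Top-level keys a client may never change, even on its own user document.
// 'profile' is writable by the owner by default (accounts-base adds that
// allow rule), so it is locked explicitly; 'roles' is a hypothetical key
// used here for authorization, which must live at top level, not in profile.
const CLIENT_READ_ONLY = ['services', 'emails', 'roles', 'profile'];

// Deny callback in the shape Meteor invokes it: (userId, doc, fieldNames, modifier).
// fieldNames is the list of top-level fields the client modifier touches.
// Returning true rejects the write. Note that allow/deny only govern writes
// issued from the client; server code and Meteor methods bypass them.
function denyClientUserUpdate(userId, doc, fieldNames, modifier) {
  // Anonymous clients, or clients editing someone else's document: rejected.
  if (!userId || doc._id !== userId) return true;
  // The owner may edit nothing in the read-only set.
  return fieldNames.some((field) => CLIENT_READ_ONLY.includes(field));
}

// Projection for publishing *other* users: the public username only.
// Everything not listed (emails, services, roles, profile) stays on the server.
function otherUsersProjection() {
  return { fields: { username: 1 } };
}

// Authorization check reads a top-level key. A document whose only claim is
// profile.isSuperuser (client-writable by default) is not trusted.
function isSuperuser(userDoc) {
  return Array.isArray(userDoc.roles) && userDoc.roles.includes('superuser');
}

// Wire the rules into Meteor when this file is loaded by a Meteor server.
if (typeof Meteor !== 'undefined' && Meteor.isServer) {
  Meteor.users.deny({ update: denyClientUserUpdate, remove: () => true });
  Meteor.publish('otherUsers', function () {
    return Meteor.users.find({ _id: { $ne: this.userId } }, otherUsersProjection());
  });
}
```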