Difference between this.userId and Meteor.userId()?


#1

Hi there,
I just finished the awesome guide on meteortips.com, but one thing left me a bit puzzled.

In one of his chapters, David says we need to use Meteor.userId() on the client side, and on the server side this.userId. However, in the next chapter he uses himself Meteor.userId() on the server. I tried it and it works.

Which leads me to the question:
What exactly is the difference between the two, and when should they be used?


This.userId returning undefined when reauthenticating a user in 1.1.x
#2

You always use Meteor.userId(), except in publish functions where you use this.userId.


#3

Thanks Steve.
Yes, indeed David says when inside the publish function we need to use this.userId.

Maybe you can explain why, as both functions seem to return the same?
Is one more insecure than the other?


#4

Calling Meteor.userId() from a publish function will throw an exception, so there is no “insecure” way.
As for the reason of this design choice, I only have a vague idea so I will let other explain :- )


#5

Yes it is. I think it’s not a design choice either.
It may be something for backward compatibility. You should try to use this.userId for most of the times.

Try to avoid called Meteor.user() on the server. It’ll fetch the user object from Mongo, everytime you invoke it.


#6

BTW, do we have any documentation in what cases what we should use? Meteor.user(), Meteor.userId(), Meteor.userId, this.userId?


#7

I guess you can use Meteor.userId inside Meteor.methods because you can overide this.userId. It doesnt work with Meteor.publish


#8

A poor design decision - I constantly have to use workarounds for this … aghm… this.userId in publications :angry:


#9

I think last time I checked the code it was the same on client.


#10

I’m confused. So there’s no difference between this.userId vs Meteor.userId() ?

How about in Meteor.methods ?

In the docs it said this.userId is “The id of the user that made this method call”

So I’m assuming hypothetically that if the user logs out after the method is called, this.userId and Meteor.userId() would be different?

Would something like this be necessary:

Meteor.methods
  addTask: ->
    if not Meteor.userId() or Meteor.userId() isnt @userId
      throw new Meteor.Error 'not-authorized'
    

#11

throw methodErr unless Meteor.user()
is sufficient.

In methods you use Meteor.userId(), in pubs - this.userId. In other server-side code it doesn’t allow neither.


#12

Do not use this approach if you just want to check that User is logged in. On the Server Meteor.user() reads user data from Meteor.users collection. And note that this.userId inside Meteor.methods could be overriden during method call (see this.setUserId)! So it is safely to use Meteor.userId. But inside Meteor.publish handlers only this.userId is available and immutable.


#13

So why shouldn’t I use this approach? How can Meteor.user() be hijacked?
Also note that this.setUserId can only be called on Server.


#14

if you just want to check that User is logged in.


#15

It is like when you just wanna to know that some object is in DB:

if(!Posts.findOne({author: this.userId})) { this.ready()} // wrong way!
if(Posts.find({author: this.userId}).count() > 0) {this.ready()} // right way

#16

You say I shouldnt use it but you dont provide what I should use…


#17

What is the use case of this piece of code? Check if user is logged in? If so then you may do it better, just throw methodErr unless Meteor.userId()


#18

What’s the difference?


#19

Are you kidding man?


#20

Ok, but where does it fetch Meteor.userId() from? the client?