Expose Meteor user context to Express endpoints

nachocodoner · January 22, 2026, 1:14pm

Hello community!

I recently pushed a PR that introduces a dedicated package, accounts-express, for authenticating Express endpoints defined through Meteor’s WebApp package. It makes it possible to protect specific REST endpoints in a way similar to how DDP endpoints like methods and subscriptions already work, and it also ships an auth-aware fetch so the client (and the server) can call those endpoints with the user’s token attached.

github.com/meteor/meteor

Expose Meteor user context to Express endpoints

meteor:release-3.5 ← meteor:rest-user-context

opened 01:11PM - 22 Jan 26 UTC

nachocodoner

+2156 -13

Context: https://forums.meteor.com/t/expose-meteor-user-context-to-express-endpo…ints/64384 This PR introduces support for exposing the Meteor user context from accounts packages to Express endpoints defined through the Webapp package. This has been a long-standing limitation. This change aims to better connect tools Meteor integrates with, like Express, to Meteor specifics such as authorization. With this in place, Express endpoints can use a new auth middleware, `Accounts.auth()`, to ensure they only serve authenticated users or given your custom conditions. When this middleware is applied, `Meteor.userId()` and `Meteor.user()` become available in REST endpoints. To support the client side, a new helper `Meteor.fetchWithAuth` was added to ensure the auth token is correctly included in requests to protected endpoints. --- - [x] Fix tests on CI they fail locally - [x] Ensure types for the new exposed functionality - [x] Add document around the new package and functionality ## Summary by CodeRabbit * **New Features** * New accounts-express package: Express auth middleware and auth-aware fetch surfaces. * Public Meteor.fetch added; fetch APIs can opt into auth via {auth, token} and an auth-on-by-default fetch is provided. * **Documentation** * New accounts-express docs and updated fetch docs describing auth behavior and options. * **Tests** * Extensive client and server test suites validating middleware and fetch auth behaviors. * **Chores** * Package integration and exports to enable the above features.

The final shape splits cleanly into two pieces: an auth middleware for protecting endpoints, and an authenticated fetch for calling them.

Auth middleware

createAuthMiddleware reads a Meteor login token from the Authorization: Bearer header (or the meteor_login_token cookie when HttpOnly cookies are enabled) and populates req.userId plus Meteor.userId() for the rest of the chain.

As an example, on the server you can define the following:

import { WebApp } from 'meteor/webapp';
import { createAuthMiddleware } from 'meteor/accounts-express';

// Apply auth middleware to /api routes
WebApp.handlers.use('/api', createAuthMiddleware());

// Protected endpoint under /api
WebApp.handlers.use('/api/users', async (req, res) => {
  try {
    // User context is available
    console.log('Authenticated user ID:', Meteor.userId(), req.userId);
    console.log('Authenticated user:', await Meteor.userAsync());

    if (!Meteor.userId()) {
      res.status(401).json({ error: 'Unauthorized' });
      return;
    }

    const users = await Meteor.users
      .find({}, { fields: { username: 1, createdAt: 1, updatedAt: 1 } })
      .fetchAsync();

    res.json(users);
  } catch (error) {
    console.log(error);
    res.status(500).json({ error: error.message });
  }
});

By default, createAuthMiddleware does not require authentication, but it can detect the logged-in user. This is closer to how methods and subscriptions handle authorization logic, as it lets you customize authorization once you have access to the userId that attempted to reach the endpoint.

If you want to protect endpoints unconditionally, you can apply the middleware with createAuthMiddleware({ required: true }), which will reject unauthenticated requests automatically:

WebApp.handlers.use('/api/admin', createAuthMiddleware({ required: true }));

Authenticated fetch

On the client side, three fetch entry points become available so you can choose how aggressively the login token is attached:

Entry point	Default	When to reach for it
`Meteor.fetch`	`auth: false` (opt-in)	Neutral fetch that becomes auth-aware when you pass `auth: true`.
`import { fetch } from 'meteor/fetch'`	`auth: false` (opt-in)	Generic fetch shim. Stays neutral so installing `accounts-express` doesn’t silently start attaching the user’s token to arbitrary URLs.
`import { fetch } from 'meteor/accounts-express'`	`auth: true` (opt-out)	Auth-on-by-default. Pass `auth: false` to opt out for a single call.

The asymmetry is deliberate: importing from meteor/accounts-express is the opt-in. The other two entry points are shared with non-auth code paths and stay neutral until you ask for auth.

So the protected call from the example becomes:

import { fetch } from 'meteor/accounts-express';

async function getUsers() {
  const response = await fetch('/api/users');
  return response.json();
}

console.log(await getUsers());

When logged in and authorized the console logs:

[
  {
    "_id": "Ystii57EhB6aFyXup",
    "createdAt": "2026-01-20T16:11:09.406Z",
    "username": "meteorite"
  }
]

When logged out, given the error handled within the endpoint:

{
  "error": "Unauthorized"
}

If you want full control over which calls carry the token, prefer the opt-in form:

import { fetch } from 'meteor/fetch';

const protectedRes = await Meteor.fetch('/api/users', { auth: true });
const alsoProtected = await fetch('/api/users', { auth: true });
const publicRes    = await Meteor.fetch('/api/public');

On the server you can also pass an explicit { token } to call an endpoint as a specific user, instead of relying on the current request context.

Documentation:

Coming next: REST login/logout endpoints

The next iteration introduces drop-in factories createLoginMiddleware and createLogoutMiddleware that turn the password login flow into proper REST endpoints, issuing the same login tokens DDP login produces, and firing the standard validateLoginAttempt / onLogin / onLoginFailure / onLogout hooks.

github.com/meteor/meteor

Provide configurable login and logout endpoints in Express

meteor:release-3.5 ← meteor:user-rest-api

opened 11:02AM - 05 May 26 UTC

nachocodoner

+800 -1

Continues: https://github.com/meteor/meteor/pull/14091 and https://forums.meteor….com/t/expose-meteor-user-context-to-express-endpoints/64384 This PR addresses feedback from the `accounts-express` package, which is used to expose authenticated Meteor users from accounts packages to Express endpoints. [In the forum post](https://forums.meteor.com/t/expose-meteor-user-context-to-express-endpoints/64384/2), we got feedback about an extension to support login and logout. For now, I have added middlewares to generate tokens through a new configurable Express login endpoint, and to support logout. I will review options for a more general approach to long-lived tokens later. This work is a continuation of `accounts-express`, delivered in Meteor 3.5. These changes are for Meteor 3.6 or later minor.

I opened this forum discussion because, even though the implementation is done, covered by tests, and already used for a long time in my own projects, I would like feedback on the developer experience when moving it to the core. The goal is to discuss details early and make decisions together.

This is an experimental feature planned for a future minor release, likely Meteor 3.5+ (with a beta launched as soon as possible). I think it is worth bringing up now and discussing it ahead of time, so the deliver can coverage all planned usage scenarios.

ceigey · January 22, 2026, 11:44pm

Oooh, very interesting! I guess the benefit of using the same context is now you can use the same underlying function for a WebApp endpoint or a Meteor methods endpoint…

I just had a quick skim through the code and I can see you’re handling the expiring tokens which was the one thing I wanted to check

As later additions?, I think it’d be nice to also have:

Login (with login token generation, expiries etc all consistent with DDP login)
Logout
Arbitrary tokens e.g. a long-lived API Token.

The first two I think were covered by this user’s custom middleware:

I think after all that, Meteor’s half way to internalising the same kind of functionality simple-rest etc had into the core (the next step would be figuring out how to safety expose HTTP endpoints for pub/sub, methods etc ). Still perhaps best left to a 3rd party package (or alternatively, the separate efforts to improve Meteor method declarations), but at least the accounts plumbing is a lot simpler!

nachocodoner · January 23, 2026, 2:34pm

Your suggestions are really interesting, thank you. Also, I like how you linked previous discussions on this matter, and the existence of the legacy meteor-rest package on Meteor 2.x. All this can influence future decisions around the Meteor-Express integration for Meteor 3.x.

As mentioned above, and since there is still some time before delivering the feature in a minor Meteor release (3.5+), I will iterate on your suggestions and, at minimum, include the changes that are closely related to Express user context management (login/retrieve token, logout/clean tokens, arbitrary tokens). The rest can come in later iterations, if it proves to have other implications, touches other areas or result harder to solve them.

welkinwong · January 24, 2026, 6:48am

This looks great! I also have a scenario to discuss with everyone. My application is based on SSR (Server-Side Rendering). To accelerate page access for logged-in users, I need to handle pages under a logged-in state. Currently, I achieve this by setting a login_token cookie after login. On the server side, I retrieve the login_token cookie and query the corresponding user to render the post-login page.

On the client side, I use:

function resetToken() {
  const loginToken = Meteor._localStorage.getItem('Meteor.loginToken');
  const loginTokenExpires = new Date(Meteor._localStorage.getItem('Meteor.loginTokenExpires')!);

  if (loginToken) {
    setToken(loginToken, loginTokenExpires);
  } else {
    setToken(null, -1);
  }
}

function setToken(loginToken: string | null, expires: Date | number) {
  let cookieString = `meteor_login_token=${encodeURIComponent(loginToken ?? '')}`;
  let date;

  if (typeof expires === 'number') {
    date = new Date();
    date.setDate(date.getDate() + expires);
  } else {
    date = expires;
  }
  cookieString += `; expires=${date.toUTCString()}; path=/`;

  // https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite
  cookieString += `; SameSite=Lax`;

  document.cookie = cookieString;
}

On the server side:

const loginToken = sink.request.cookies['meteor_login_token'];

const getUserByLoginToken = async (loginToken?: string) => {
  if (!loginToken) return null;

  const hashedToken = Accounts._hashLoginToken(loginToken);

  const user = await UserCollection.findOneAsync(
    { 'services.resume.loginTokens.hashedToken': hashedToken },
    { fields: securFields }
  );

  return user;
};

Additionally, I use Redux Toolkit and inject the user into the store, accessing the user object throughout the code with:

const user = useSelector(state => state.user);

I understand that Meteor’s design does not natively use cookies, but when using SSR to accelerate access for logged-in users, cookies seem to be the only viable option. Could Meteor consider offering a cookie-based solution in the future to support SSR-accelerated access scenarios?

As a side note: In my application, using SSR improved the page load time from around 3–4 seconds down to about 1 second.

italojs · January 29, 2026, 7:41pm

in terms of DX, why not rename fetchWithAuth to request, we could add more resources to this functin in te future, like sanitization, types check in the client side, IDK, just brainstorming

the usage would be Meteor.request(url, {auth: false}) where the token is setup in the header as default

nachocodoner · May 5, 2026, 11:22am

Published beta version: 3.5-beta.10

Good news for those who want to start using authentication and authorization on Express endpoints in Meteor apps, using the Meteor accounts packages and keeping the same session approach as any Meteor app.

Try it with:

meteor update --release 3.5-beta.10

There is a demo app to explore features and examples:

https://accounts-express.sandbox.galaxycloud.app

Log in as a demo user and press the call buttons. You will see the client and server code involved, and the response from the Express endpoint with authentication. You can also check it in your browser’s Network tab.

We need community testing on real apps to verify everything works as expected. So far, things are working well, and we will continue with these checks.

Documentation

I updated the first post of this forum thread to reflect the latest version of the delivered changes for accounts-express, where you can learn more about it and see a code example.

For more documentation, refer to:

accounts-express package

What’s Next

As @ceigey proposed, login and logout endpoints, along with better handling of long-lived API tokens, will be implemented next. These updates are planned for Meteor 3.6 or later minor versions.

A PR with login/logout endpoints is already started and working. More testing is still needed and will come later.

github.com/meteor/meteor

Provide configurable login and logout endpoints in Express

meteor:release-3.5 ← meteor:user-rest-api

opened 11:02AM - 05 May 26 UTC

nachocodoner

+800 -1

Continues: https://github.com/meteor/meteor/pull/14091 and https://forums.meteor….com/t/expose-meteor-user-context-to-express-endpoints/64384 This PR addresses feedback from the `accounts-express` package, which is used to expose authenticated Meteor users from accounts packages to Express endpoints. [In the forum post](https://forums.meteor.com/t/expose-meteor-user-context-to-express-endpoints/64384/2), we got feedback about an extension to support login and logout. For now, I have added middlewares to generate tokens through a new configurable Express login endpoint, and to support logout. I will review options for a more general approach to long-lived tokens later. This work is a continuation of `accounts-express`, delivered in Meteor 3.5. These changes are for Meteor 3.6 or later minor. ## Pending ### Shared login core The REST login/logout will initially duplicate a small slice of the flow that already lives in `accounts-base` and `accounts-password` (building the attempt object, running `validateLoginAttempt`, minting and storing the token). I considered extracting a transport-agnostic helper now so DDP login and REST login share the exact same code path, but the login flow is security-critical and several community packages (`accounts-2fa`, `accounts-passwordless`, custom OAuth providers, SSO add-ons) bind to its private internals. That makes it a refactor worth doing carefully and on its own, not bundled with this delivery. I'll see with more time if this is feasible, all related with refactors on authentication I move slower. ### Long-lived API tokens The current REST flow issues the same short-lived session tokens DDP login uses, expiring per the global `loginExpirationInDays` config and stored in `services.resume.loginTokens`. That's enough for first-class browser sessions, but it doesn't cover scenarios like CI deploys, GitHub Actions, or third-party integrations that need a stable, named, individually revocable token with its own lifetime. A follow-up will introduce a dedicated "personal access token" context, named tokens with their own expiry (including never-expires), optional scopes, listing and selective revocation, threaded through the same `createAuthMiddleware`. --- Not sure if I will deliver everything noted as part of this PR, but I just wanted to write down other ideas to cover later.

ceigey · May 6, 2026, 1:05pm

Nice, looking forward to seeing more of this! Thank you for your work on this Nacho (and sorry for the radio silence with your earlier response).

This will potentially streamline some automation scenarios we were thinking of at the company I work at, that weren’t quite high priority enough to justify building out an entire authenticated API layer on top of.