🚀 Meteor 3.5-beta: Change Streams & Performance improvements

waldgeist · May 4, 2026, 9:09pm

Love these DDP improvements. I assume they are backwards compatible on DDP protocol level? I am asking because we developed custom DDP protocol implementations for our Unity and VisionOS apps.

mvogt22 · May 4, 2026, 9:21pm

I can speak to the PRs I contributed – the DDP contract is not broken. Same functionality, just faster / less resource usage.

waldgeist · May 5, 2026, 8:13am

Sounds awesome, thanks for the clarification!

xet7 · May 8, 2026, 6:57am

Login bug?

github.com/wekan/wekan

Unable to login on 9.x versions after clearing cache/incognito (login screen not loading)

opened 11:08PM - 05 May 26 UTC

bcook-konza

### Bug Description Wekan 9.x versions, users are unable to log in after cleari…ng browser cache or using an incognito/private session. The login screen either does not appear at all, or the login popup never loads, preventing authentication. This issue does not occur on 8.x versions, where login works as expected under the same conditions. ### Steps to Reproduce Deploy Wekan 9.x (tested 9.1-9.8) Open Wekan in a browser (Chrome, Edge, Brave) Clear browser cache or open a new incognito/private window Navigate to the Wekan instance Attempt to log in Observe behavior Expected Behavior: Login screen or popup should load promptly User should be able to enter credentials and authenticate Actual Behavior: Login screen does not appear, or login popup never loads Page may appear stuck or incomplete Waiting several minutes does not resolve the issue User is unable to log in at all Additional Notes: Issue occurs consistently across all tested 9.x versions Issue does not occur on 8.x versions (login works normally) Reproduced across multiple browsers: Chrome Edge Brave Performing a full Helm uninstall/reinstall does not resolve the issue Behavior suggests possible frontend loading issue, auth route problem, or missing resource during initial (uncached) load Environment: Wekan Version: 9.x (all tested versions) Working Version: 8.x Browsers: Chrome, Edge, Brave Deployment: Kubernetes (Helm) Cache State: Fresh (cleared cache or incognito) Possible Cause (speculative): Login component or auth route failing to initialize on a clean session Missing or blocked static assets required for login UI JavaScript error preventing rendering of login modal/page ### Relevant Logs ```shell The only issues detected in browser console is: Unload event listeners are deprecated and will be removed. 1 source 5e62cb0….js?meteor_js_resource=true:88 ``` ### Additional Context <img width="641" height="606" alt="Image" src="https://github.com/user-attachments/assets/5c74904d-6b1a-4ae5-82b6-50a18d7b2108" />

nachocodoner · May 8, 2026, 12:48pm

As far as I know, there are several changes in accounts packages and login behavior that could have affected this. But if something is broken, it is definitely critical, and we should find a way to reproduce it.

Do you happen to know if this is reproducible in a smaller, manageable repository?

We can try with Wekan anyway, just in case. I still owe more 3.5 testing on accounts, especially on native devices. So far, all checks passed on simple apps. But it is on my side to do soon. Hopefully, I can run into an issue similar to Wekan’s and report more details for the Meteor 3.5 resolution.

@xet7: We also had some minor changes on accounts packages as part of Meteor 3.4.1. Can you test WeKan on Meteor 3.4.1 and confirm it was not introduced there?

xet7 · May 9, 2026, 3:16pm

@nachocodoner

This login bug happens when:

WeKan has Meteor 3.5-beta.10 and Meteor 3.4.1
Using Chrome and Safari
Registering first user that will become Admin

This bug does not happen at Firefox, Brave and MS Chromium Edge.

Maybe unrelated, but it seems adding attachment to card works at Meteor 3.4.1, but not at Meteor 3.5-beta.10 where is flickering and blaze crash. I think I’ll change to Meteor 3.4.1.

xet7 · May 9, 2026, 5:59pm

@nachocodoner

I fixed login bug by adding router fallback:

italojs · May 17, 2026, 8:19am

This is the purpose of the beta: to test and find bugs in real projects before an official release. I’m on vacation until the 19th, so I’ll review it soon.

btw thank you very much wekan for using that beta. We appreciate this kind of contribution a lot.

xet7 · May 17, 2026, 12:14pm

Previous change did not fix Login bug, so this one did fix it:

harry97 · May 17, 2026, 12:16pm

My two cents on this is that Wekan had lots of lingering bugs that weren’t really attended to and were brewing underneath. Once the migration was done, it got exposed so some of these aren’t really the beta problems.

Nonetheless, the enthusiasm and having a big project like Wekan test out these betas is an amazing benefit to Wekan itself and the broader Meteor community!

xet7 · May 17, 2026, 5:15pm

I had some problems with Snap, so I migrated to Docker. Here is how I run Meteor 3.5-beta, Node.js 24.x, MongoDB 7.x with changeStreams and uws at Hetzner bare metal server that has 64 GB RAM, 2x1TB NVME RAID, Ubuntu 26.04, Linux kernel 7,x, and over 14k users. (MongoDB 8.x did not work, it causes some attachment upload and disappearance bugs).

xet7 · May 17, 2026, 7:11pm

Next interesting bug. At my WeKan hosting, every browser page reload does load webpage of different customer. This is the free hosting login page, but sometimes there is different custom logo login page:

https://boards.wekan.team/sign-in

I tried to make to not cache at Caddy config, but it did not help:

github.com

wekan/wekan/blob/main/docs/Platforms/FOSS/Docker/Meteor3/caddy/Caddyfile#L244


      
          		load /etc/caddy/certs
          	}
          	header {
          		-Content-Security-Policy-Report-Only
          		-Content-Security-Policy
          		Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: https://static.cloudflareinsights.com https://accounts.google.com https://apis.google.com; worker-src 'self' blob:; connect-src 'self' wss://boards.wekan.team https://boards.wekan.team https://cloudflareinsights.com https://accounts.google.com; img-src 'self' data: https://*.googleusercontent.com; frame-src 'self' https://accounts.google.com; style-src 'self' 'unsafe-inline'; font-src 'self' data:;"
          		Cross-Origin-Opener-Policy "same-origin-allow-popups"
          		X-Content-Type-Options nosniff
          		Strict-Transport-Security "max-age=31536000;"
          		-X-Frame-Options
          		Cache-Control "no-cache, no-store, must-revalidate"
          	}
          	handle /.well-known/* {
          		header Content-Type application/json
          		header Access-Control-Allow-Origin *
          	}
          	respond /.well-known/assetlinks.json `[ {
          	"relation": ["delegate_permission/common.handle_all_urls"],
          	"target": {
          	"namespace": "android_app",
          	"package_name": "team.wekan.boards.twa",

xet7 · May 17, 2026, 7:23pm

Now I turned off CloudFlare caching with Development Mode. I’ll check does it help.

xet7 · May 17, 2026, 7:25pm

It looks like it did not help. Well, I’ll think of something else.

xet7 · May 17, 2026, 11:43pm

I fixed this multitenancy bug by changing from changeStreams uws to oplog sockjs and some other settings.

italojs · May 19, 2026, 2:15pm

@xet7 can you please provide some guidance of how to reproduce it, please? so I can investigate what is happening

xet7 · May 19, 2026, 2:54pm

@italojs

Bug description:

github.com

wekan/wekan/blob/main/docs/Platforms/FOSS/Docker/Meteor3/multitenancy.md

# Multitenancy

TLDR a) and b)

## a) Oplog sockjs

- One server/Many WeKan domains/One IPv4
- Multitenancy works

docker-compose.yml:
```
- METEOR_REACTIVITY_ORDER=oplog,polling
- DDP_TRANSPORT=uws
```

## b) changeStreams uws

- One server/One WeKan domain/One IPv4

Multitenancy does not work, causes bug: round robin changing

This file has been truncated. show original

Current working config. If it is changed to changeStreams uws, it breaks:

italojs · May 20, 2026, 5:11pm

It was a little bit hard to reproduce and debug but now I have a propose fix.

The root cause come from the interaction of two bugs in the ddp-server/transports/ package of Meteor 3.5-beta.10 when multiple processes (or tenants) share the same network namespace. First, the uws internal port configuration silently fails because the code attempts to read settings from a client-side object (__meteor_runtime_config__.meteorSettings) that is never populated on the server, thus ignoring user configurations and always forcing the default port (5001). Second, since the uWebSockets.js library uses the SO_REUSEPORT option by default, multiple different Meteor instances can successfully bind to the exact same port (127.0.0.1:5001) without throwing any collision errors. As a result, the Linux kernel randomly load-balances and routes incoming WebSocket connections across the different processes, inadvertently mixing one tenant’s requests into another tenant’s database.

Here you can find a PR with the fix where I will land in the next beta, where you will be able to test it again.

trusktr · May 24, 2026, 10:33pm

Reading this code is a little bit confusing. Meteor already uses Express under the hood. But it seems like this code is creating a “new” express with the express() call.

Does this mean this code is telling Meteor’s existing express (which we extend with Meteor.handlers) to also use the new Express server, so we have two? Does it replace Meteor’s with a new one? Or what exactly?

Btw the docs are very lacking on these features, and because of it AI is making wrong assumptions or hallucinating.

I would greatly appreciate for all Meteor features to be released with complete docs, so we don’t have to dig into source code, and so AI won’t create random junk when we ask it to do something.

I think documentation is super pertinent in the AI era, otherwise we end up with super slop, ultra crazy unnecessary workarounds, or stuff that just doesn’t work.

It is also not clear what the difference is between the above example and the following which does authentication checks without a new express() being called:

import { WebApp } from 'meteor/webapp';
import { createAuthMiddleware } from 'meteor/accounts-express';

// Apply auth middleware to /api routes
WebApp.handlers.use('/api', createAuthMiddleware());

// Protected endpoint under /api
WebApp.handlers.use('/api/users', async (req, res) => {
  if (!(await Meteor.userAsync()).profile.isAllowedToDoSomething) {
    // ...block action, return 500 error to client...
    return
  }

  // ... proceed with authenticated user ...

})

nachocodoner · May 25, 2026, 10:08am

Have you had a chance to check the original post from @italojs? It already included the link to the docs (press “Documentation” link): https://github.com/meteor/meteor/blob/release-3.5/v3-docs/docs/packages/accounts-express.md. This Markdown file will be officially available in Meteor docs once Meteor 3.5 final is released, and it includes what is needed to understand and use the package.

It is also accessible in the Meteor 3.5 beta preview docs: accounts-express | Docs.
More info in the dedicated forum post: Expose Meteor user context to Express endpoints, where we also cared to update the first post to describe the final approach and usage.

Remember this is still a beta. While we have provided the docs needed to use the feature, they are not available yet in the official Meteor 3 docs. So AI tools will not always have that context by default. For new beta features, it helps to provide the links and information shared in the Meteor 3.5 highlights and in the dedicated forum post for this addition.

It is also not clear what the difference is between the above example and the following which does authentication checks without a new express() being called

That’s right. The example above is a high-level one, meant to show the general idea of getting an Express instance to use the new endpoints. But Meteor can also reuse its own Express instance.

In the docs we prepared and linked, and in the forum post, there is also an example focused on Meteor’s built-in Express instance. That is referenced as the default documented approach.

Of course, docs need visibility from our side, and we tried to share all the materials we prepared. After a re-read focused on them, do you think they cover the main cases?

Where do you think we could improve?