node package manager



Meteor account system implemented in Mongoose

Circle CI

Implement of the Meteor account system for Mongoose.
Now you can build new application with the same DB as your Meteor application, and authenticate with the same users!
Support change password with strength validation using zxcvbn.


import mongoose from 'mongoose';
import UserPlugin from 'mongoose-meteor-account';
 * User Schema
const UserSchema = new mongoose.Schema({
  createdAt: {
    type: Date,
UserSchema.plugin(UserPlugin, {
  verifiedLogin: true, // Make sure the user is verified (by email) 
  expirePasswordDays: 90, // When the password expired 
  oldPasswords: 5, // Don't let the user change his password to used one (save 5 password) 
  minPasswordStrength: 2, // zxcvbn minimum strength 
 * @typedef User
export default mongoose.model('User', UserSchema);


  • verifiedLogin - Check during the login if the email of the user is verified or not (default: false)
  • expirePasswordDays - After how many days the passwords of the user is expired, 0 is unlimited (default: 0)
  • oldPasswords - How many old password to save for avoid the usage of the same password twice, 0 is unlimited (default: 0)
  • minPasswordStrength - The minimum strength in zxcvbn rating for the password, 0 won't check (default: 0)


  • User.login(username, password, throwError = false) - Return Promise of the user if success, false if not. The user must be verified in order to login. If throwError is true, the login will throw an error with the reason if the login failed.


  • user.changePassword(password) - Change the password
  • user.comparePassword(password) - Compare given plain password to the password in the DB
  • user.generateResetPasswordToken() - Generates a token for reset password process
  • user.verifyResetToken(token) - Checks if the provided token is equal to the generated reset token
  • user.resetPassword(token, password) - Changes the user's password if the token matches the generated one. Deletes the token afterwards
  • user.generateVerificationToken() - Generates a token for verification (usually being sent via email)
  • user.verifyVerificationToken(token) - Checks if the provided token is equal to the generated verification token
  • user.verifyUser(token) - Verifies the user by the provided token. Deletes the token afterwards
the password can be a plain string of the password, or an object of hashed (sha256) of the password, as Meteor send the password in the client.


  • Add create new User (register)
  • Add remove user
  • Add Add new email
  • Add Set email as primary