2026-04-17 23:26:01 +00:00


title: Use Auth Collections for User Accounts
impact: CRITICAL
impactDescription: Built-in authentication, password hashing, OAuth2 support
tags: collections, auth, users, authentication, design

Use Auth Collections for User Accounts

Auth collections provide built-in authentication features including secure password hashing, email verification, OAuth2 support, and token management. Using base collections for users requires reimplementing these security-critical features.

Incorrect (using base collection for users):

// Base collection loses all auth features
const usersCollection = {
  name: 'users',
  type: 'base',  // Wrong! No auth capabilities
  schema: [
    { name: 'email', type: 'email' },
    { name: 'password', type: 'text' },  // Stored in plain text!
    { name: 'name', type: 'text' }
  ]
};

// Manual login implementation - insecure
const user = await pb.collection('users').getFirstListItem(
  `email = "${email}" && password = "${password}"`  // SQL injection risk!
);

Correct (using auth collection):

// Auth collection with built-in security
const usersCollection = {
  name: 'users',
  type: 'auth',  // Enables authentication features
  schema: [
    { name: 'name', type: 'text' },
    { name: 'avatar', type: 'file', options: { maxSelect: 1 } }
  ],
  options: {
    allowEmailAuth: true,
    allowOAuth2Auth: true,
    requireEmail: true,
    minPasswordLength: 8
  }
};

// Secure authentication with password hashing
const authData = await pb.collection('users').authWithPassword(
  'user@example.com',
  'securePassword123'
);

// Token automatically stored in authStore
// NOTE: Never log tokens in production - shown here for illustration only
console.log('Authenticated as:', pb.authStore.record.id);

When to use each type:

  • Auth collection: User accounts, admin accounts, any entity that needs to log in
  • Base collection: Regular data like posts, products, orders, comments
  • View collection: Read-only aggregations or complex queries
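As an added example (not part of the original rule or of PocketBase itself), a small audit helper that scans collection definitions of the shape shown above and flags the anti-pattern this rule describes: a non-auth collection that carries credential or login fields, or an auth collection that duplicates them. The credential field-name list and the function names are assumptions of this example.

```javascript
// Added audit helper, not part of the original rule. Scans collection
// definitions of the shape shown above and flags base collections that
// hold credentials, i.e. the anti-pattern this rule describes.
// Field names taken as a sign that records hold a credential (assumption).
const CREDENTIAL_FIELDS = ['password', 'passwordHash', 'password_hash', 'passwd'];

// Returns an array of finding strings for one collection; empty means clean.
function auditCollection(collection) {
  const findings = [];
  const schema = Array.isArray(collection.schema) ? collection.schema : [];
  const credFields = schema.map((f) => f.name).filter((n) => CREDENTIAL_FIELDS.includes(n));
  const hasEmail = schema.some((f) => f.type === 'email' || f.name === 'email');
  if (collection.type !== 'auth') {
    if (credFields.length > 0) {
      // A base/view collection with a password field means the app does its
      // own hashing and login, with plaintext storage as the default outcome.
      findings.push(`${collection.name}: type '${collection.type}' stores credential field(s) ` +
        `${credFields.join(', ')}; use type 'auth' so PocketBase hashes passwords and issues tokens`);
    } else if (hasEmail) {
      findings.push(`${collection.name}: type '${collection.type}' has an email field but no ` +
        `auth features; if these records log in, change type to 'auth'`);
    }
  } else {
    // Auth collections manage email/password themselves; an extra password
    // field in the schema would be a second, unhashed copy.
    if (credFields.length > 0) {
      findings.push(`${collection.name}: auth collection declares its own ${credFields.join(', ')} field; remove it`);
    }
    const min = (collection.options || {}).minPasswordLength;
    if (typeof min === 'number' && min < 8) {
      findings.push(`${collection.name}: minPasswordLength ${min} is below the 8 used in this rule`);
    }
  }
  return findings;
}

function auditCollections(collections) {
  return collections.flatMap(auditCollection);
}

// Constructed sample input: the incorrect and correct definitions from this
// rule plus an ordinary base collection that should pass.
const SAMPLE_COLLECTIONS = [
  { name: 'users_legacy', type: 'base',
    schema: [{ name: 'email', type: 'email' }, { name: 'password', type: 'text' }, { name: 'name', type: 'text' }] },
  { name: 'users', type: 'auth', schema: [{ name: 'name', type: 'text' }],
    options: { allowEmailAuth: true, allowOAuth2Auth: true, requireEmail: true, minPasswordLength: 8 } },
  { name: 'posts', type: 'base', schema: [{ name: 'title', type: 'text' }, { name: 'author', type: 'relation' }] },
];
for (const finding of auditCollections(SAMPLE_COLLECTIONS)) console.log(finding);
```

Running it against the sample reports only the `users_legacy` collection; the auth collection and the `posts` collection pass.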

Reference: PocketBase Auth Collections