Current User

The current user object to access the logged in user

It would be bothersome if the user had to log in every time they open your app. You can avoid this by using the cached current Moralis.User object.

Please note that this functionality is disabled by default on Node.js environments (such as React Native) to discourage stateful usages on server-side configurations. To bypass this behavior on this particular use case, call once Moralis.User.enableUnsafeCurrentUser() right before using any cached-user related functionalities.

Whenever you use any signup or login methods, the user is cached in localStorage, or in any storage you configured via the Moralis.setAsyncStorage method. You can treat this cache as a session, and automatically assume the user is logged in:

const currentUser = Moralis.User.current();
if (currentUser) {
// do stuff with the user
} else {
// show the signup or login page
}

When using a platform with an async storage system you should call currentAsync() instead.

Moralis.User.currentAsync().then(function(user) {
// do stuff with your user
});

You can clear the current user by logging them out:

Moralis.User.logOut().then(() => {
const currentUser = Moralis.User.current(); // this will now be null
});

Setting the Current User

If you’ve created your own authentication routines, or otherwise logged in as an user on the server-side, you can now pass the session token to the client and use the become method. This method will ensure the session token is valid before setting the current user.

Moralis.User.become("session-token-here").then(function (user) {
// The current user is now set to user.
}, function (error) {
// The token could not be validated.
});

Security For User Objects

The Moralis.User class is secured by default. Data stored in a Moralis.User can only be read or modified by that user.

A Cloud Function can be used to bypass this restriction however, by using the useMasterKey option.

Specifically, you are not able to invoke any of the save or delete methods unless the Moralis.User was obtained using an authenticated method, like logIn or signUp. This ensures that only the user can alter their own data.

The following illustrates this security policy:

const user = await Moralis.User.logIn("my_username", "my_password");
user.set("username", "my_new_username");
await user.save();
// This succeeds, since the user was authenticated on the device
// Get the user from a non-authenticated method
const query = new Moralis.Query(Moralis.User);
const userAgain = await query.get(user.objectId);
userAgain.set("username", "another_username");
await userAgain.save().catch(error => {
// This will error, since the Moralis.User is not authenticated
});

The Moralis.User obtained from Moralis.User.current() will always be authenticated.

If you need to check if a Moralis.User is authenticated, you can invoke the authenticated method. You do not need to check authenticated with Moralis.User objects that are obtained via an authenticated method.

Encrypting Current User

Often you may want to be more careful with user information stored in the browser, if this is the case you can encrypt the current user object:

Moralis.enableEncryptedUser();
Moralis.secret = 'my Secrey Key';
  • It's important to remember that this function will not work if Moralis.secret is not set.

  • Also, note that this only works in the browser.

Now the record in Local Storage looks like a random string and only can be read using Moralis.User.current() You can check if this feature is enabled with the function Moralis.isEncryptedUserEnabled().