Group Details Private


Forum Administrators

  • NodeBB 1.13.0: a little snow won't slow us down

    Apparently the last time there was this much snow in Toronto was 1951, back when "bulletin boards" were just things you stuck push-pins into. Times sure change! But one thing that won't change is our ongoing efforts to make NodeBB the best forum software out there.

    Under the hood are tons of changes to improve NodeBB, but here are some of the bigger ones we wanted to highlight...

    Click here to see the full blog post

    posted in Announcements
  • RE: Modify /login endpoints to avoid DDOS and dictionary attacks


    1. Not easily, as /login is hardcoded in a couple places in the codebase. To combat these types of attacks, we introduce a delay when logging in that somewhat matches the bcrypt runtime. You could always edit the codebase to increase the delay some more, but what I'd recommend is setting up spam-be-gone so these requests are curbed before they hit bcrypt.

    2. Yes. bcrypt is processor intensive by design (that's what makes it so good as a password hashing algorithm, but I am no expert).

    posted in Technical Support
  • RE: Plugin idea:

    @gotwf said in Plugin idea:

    Which seems to be nodebb's approach in general w.r.t. stuff like this

    In general, yes. We try to not muck around with existing installs too much, but plugins are a little more fast and loose with things like this. Will keep it in mind 😄

    posted in NodeBB Plugins
  • RE: Category Privileges PUT and DELETE APIs Results Not Reflected

    Looks OK to me. Did you put a console.log here to see if the groups and privileges are correct? Did you check the database directly to see if the change happened?

    posted in Technical Support
  • RE: Problem with "Callback was already called" when loading plugin

    Hi @sazulo,

    Since your plugin hook function is async you should not use the callback and just return strategies from the function.

    Change your function to the below and it should work.

    OpenIDConnectPlugin.getStrategy = async function (strategies) {
    	try {
    		// Nothing to register when the plugin is disabled.
    		if (!OpenIDConnectPlugin.config.enabled) {
    			return strategies;
    		}
    		OpenIDConnectPlugin.issuer = await; // the awaited expression is missing from the post as captured
    		const strategy = new Strategy({
    			client: new OpenIDConnectPlugin.issuer.Client({
    				client_id: OpenIDConnectPlugin.config.clientId,
    				client_secret: OpenIDConnectPlugin.config.clientSecret,
    				redirect_uris: [nconf.get('url') + AUTH_OIDC_CALLBACK_PATH],
    			}),
    			params: {
    				// In OpenID Connect,
    				// => issuer and subject in the 'openid' scope
    				// => email in the 'email' scope
    				// => username in the 'profile' scope ( as 'preferred_username' )
    				scope: 'openid email profile',
    				get nonce() {
    					return uuid.v4();
    				},
    			},
    		}, OpenIDConnectPlugin.verify);
    		// [lines missing from the post as captured: the start of the entry whose properties follow]
    			callbackUrl: AUTH_OIDC_CALLBACK_PATH,
    			icon: 'fa-openid',
    			scope: 'user:username',
    		// [the closing of that entry is also missing]
    		// Return the list instead of invoking a callback: the hook is async.
    		return strategies;
    	} catch (err) {
    		throw err;
    	}
    };

    posted in Plugin Development
  • RE: Plugin idea:

    Definitely makes sense to integrate this as an additional verification vector in the spam-be-gone plugin.

    Thoughts @akhoury ?

    posted in NodeBB Plugins
  • I'm getting a session mismatch error when logging in!

    This topic was created as an entry in the Developer FAQ. Respond below if you have additional information to add re: SSO or other session-sharing implementations.

    The common causes for a session mismatch error are usually one of the following:

    1. Mis-configured URL parameter in your config.json file

    If you have a misconfigured url value in your config.json file, the cookie may be saved incorrectly (or not at all), causing a session mismatch error. Please ensure that the link you are accessing your site with and the url defined match.

    2. Improper/malformed cookieDomain set in ACP

    Sometimes admins set this value realising that they probably don't need to set it at all. The default is perfectly fine. If this is set, you'll want to revert the setting by editing your database directly:

    Redis: hdel config cookieDomain
    MongoDB: db.objects.update({ _key: "config" }, { $set: { "cookieDomain": "" } });

    3. Missing X-Forwarded-Proto header from nginx/apache

    If you are using a reverse proxy, you will need to have nginx pass a header through to NodeBB so it correctly determines the correct cookie secure property.

    In nginx, you will need to add the directive like so:

    location / {
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    posted in Developer FAQ
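
The three causes listed in the FAQ entry above can be checked mechanically before touching the database or the proxy. This is an added example, not code from the post or from NodeBB; the function name, its parameters, the finding labels and the sample hostnames are assumptions made for illustration.

```javascript
'use strict';

// Hypothetical helper (not a NodeBB API). Parameters:
//   configUrl      "url" value from config.json
//   accessedUrl    address the user opens in the browser
//   cookieDomain   ACP cookieDomain setting ('' means unset, the default)
//   forwardedProto X-Forwarded-Proto as received from the proxy, if any
//   behindProxy    true when nginx/apache sits in front of NodeBB
function diagnoseSessionMismatch({
  configUrl, accessedUrl, cookieDomain = '', forwardedProto, behindProxy = true,
}) {
  const findings = [];
  const configured = new URL(configUrl);
  const accessed = new URL(accessedUrl);

  // Cause 1: config.json url and the link in use must agree (scheme, host, port).
  if (configured.origin !== accessed.origin) findings.push('url-mismatch');

  // Cause 2: browsers discard a cookie whose Domain attribute does not
  // domain-match the host that set it (RFC 6265, section 5.3).
  const domain = cookieDomain.trim().replace(/^\./, '').toLowerCase();
  if (domain) {
    const host = accessed.hostname.toLowerCase();
    if (host !== domain && !host.endsWith('.' + domain)) {
      findings.push('cookie-domain-mismatch');
    }
  }

  // Cause 3: the browser uses HTTPS, but without the header the app only
  // sees the plain-HTTP hop from the proxy.
  if (behindProxy && accessed.protocol === 'https:' && forwardedProto !== 'https') {
    findings.push('missing-x-forwarded-proto');
  }
  return findings;
}

// Constructed sample deployments (hostnames are placeholders).
const healthy = {
  configUrl: 'https://forum.example.com',
  accessedUrl: 'https://forum.example.com/login',
  forwardedProto: 'https',
};
const broken = {
  configUrl: 'http://forum.example.com:4567',
  accessedUrl: 'https://www.forum.example.com/login',
  cookieDomain: '.example.org',
};
console.log(diagnoseSessionMismatch(healthy)); // []
console.log(diagnoseSessionMismatch(broken));
```

An empty result means none of the three listed causes applies to the values supplied; it does not rule out other session-sharing problems.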
  • How do I log into NodeBB from a separate app/SSO?

    This topic was created as an entry in the Developer FAQ. Respond below if you have additional information to add re: SSO or other session-sharing implementations.

    The recommended method of sharing sessions between two separate and distinct applications is through OAuth2. We recommend this approach because NodeBB maintains its own user records, so that we can keep track of user-related metrics and other data. Relying on another database would be tricky, prone to breaking, and quite possibly dangerous.

    Luckily, it's quite straightforward to get things working with OAuth2!

    The first step is getting your application to expose an OAuth2 endpoint. If you're running a Node.js based app, you can use a module called OAuth2orize.

    Once that is set up, you'll want to take a look at the SSO plugin skeleton for customised OAuth deployments -- nodebb-plugin-sso-oauth. You'll take this plugin, fork it, and modify it to communicate with your OAuth endpoint.

    Once everything is working properly, you should be able to register and log in/out via your web app.

    posted in Developer FAQ
  • RE: How do I stop my emails from ending up in the spam folder?

    By default, NodeBB instances should be able to send email out of the box. However, having the server send emails is not ideal, as the server itself does not have any reputation (and in some cases, may have a negative reputation if a spammer sent messages from the IP in the past).

    In nearly all cases, you will want to open up an account with a third-party emailer service, who can handle these outgoing messages for you.

    Here at NodeBB, we recommend "nodebb-plugin-emailer-sendgrid", which is installable via the admin control panel. SendGrid has a free tier that is fairly generous, so you should not have to pay any upfront or recurring costs.

    Once the plugin is installed and activated, you will need to register a new account at SendGrid and create an API key for NodeBB to use.

    posted in Developer FAQ
  • RE: ERROR invalid-event

    @y-h said in ERROR invalid-event:

    reinstall this plugin

    What plugin are you referring to?

    posted in Technical Support