Private forum plugin
-
Hello,
I would like to create a private forum using NodeBB but it seems that there is no real complete option or plugin to achieve this.
My idea is to add a new route that will be used before all others. It will check if the user is connected (using the cookie).
If not: the request is blocked and redirected to /login; if yes, the request is allowed.
Workflow:
- A client sends a request to NodeBB
- The request passes through this first route
- This route checks if the user is logged in (based on its cookie)
  - if no, redirect it to /login (only /login and /register are allowed)
  - if yes, the request is allowed
Can a NodeBB developer help me to:
- Confirm if it is possible to create a plugin that will add a new route at top level
- Where to add a route in order to be the first one called (I know Node.JS but not yet how to create a plugin for NodeBB).
Thanks a lot!
-
You don't want to add a new route. What you want is to add a new middleware that applies to all routes except those related to login and register.
This is possible with a plugin, and should be fairly simple, just adding the middleware in static:app.load handler.
-
@PitaJ said in Private forum plugin:
What you want is to add a new middleware that applies to all routes except those related to login and register.
Yes, you are totally right.
Do you have in mind a plugin that adds a middleware in static:app.load handler?
It will be faster to clone and edit it. I will take a look at the documentation.
-
I believe the quickstart example plugin has it. But it doesn't add a middleware. You'll want to look into the express documentation for that.
-
Hang on... you just want to redirect users to log in or register, right?
Why don't you just restrict category permissions to registered-users only? Then you can use some client-side logic in the custom JS to send users to /login or /register if app.user.uid is 0.
-
@PitaJ I think I begin to understand the concept.
Using the following plugin.json my script can use the express object to intercept each request?

    {
      "id": "nodebb-plugin-private-forum",
      "url": "https://github.com/..../.......",
      "library": "./private-forum.js",
      "hooks": [
        { "hook": "static:app.load", "method": "init" }
      ]
    }

I am not sure about the hook configuration.
This is the kind of code I would like to use in my plugin:

    app.use(function(req, res, next) {
      if (req.session.user == undefined) {
        return res.render('/login');
      } else {
        next();
      }
    });

-
@julian I tried this already.
But this is not secure, as the API can still be requested manually (for example user pages are public).
Using a middleware I can filter all requests and only serve the login or register page.
Front code is not secure because the user can remove it.
-
@flex you're on the right track with what you have there. Try it out!
You'll probably want to redirect instead. Here's a helpful handler to assist:
https://github.com/NodeBB/NodeBB/blob/master/src/controllers/helpers.js#L107
-
Hello guys,
I am starting to develop the plugin, but I did not understand how to add my code as a middleware and use the req object.
For now it is not working because I don't know how to get the req object (undefined).
Here's my plugin:

    'use strict';

    const plugin = {};
    var winston = module.parent.require('winston');
    const helpers = require.main.require('./src/controllers/helpers');

    plugin.init = function (params, callback) {
        const { app, middleware, router } = params;
        var allowedPages=["/login", "/register", "/reset"];

        console.log("==================================");
        console.log(" Plugin Private Forum Initialized ");
        console.log("==================================");

        if (allowedPages.indexOf(req.url) < 0) {
            helpers.notAllowed(req, res, next);
        } else {
            console.log("PLUGIN PRIVATE FORUM: req.url="+req.url+", user is logged");
            winston.log("PLUGIN PRIVATE FORUM: req.url="+req.url+", user is logged");
            next();
        }
    };

    module.exports = plugin;

You can see it here: https://github.com/LM1LC3N7/nodebb-plugin-private-forum/blob/master/library.js
Of course there are errors:

    2020-06-03T15:55:06.696Z [4567/1731] - verbose: [plugins/fireHook] static:app.load
    ==================================
     Plugin Private Forum Initialized
    ==================================
    2020-06-03T15:55:06.733Z [4567/1731] - error: [plugins] Error executing 'static:app.load' in plugin 'nodebb-plugin-private-forum'
    2020-06-03T15:55:06.734Z [4567/1731] - error: ReferenceError: req is not defined
        at Object.plugin.init [as method] (/etc/nodebb/nodebb-plugin-private-forum/library.js:16:27)
        at /nodebb/src/plugins/hooks.js:176:30
        at /nodebb/node_modules/async/dist/async.js:2154:44
        at eachOfArrayLike (/nodebb/node_modules/async/dist/async.js:500:13)
        at eachOf (/nodebb/node_modules/async/dist/async.js:551:16)
        at awaitable (/nodebb/node_modules/async/dist/async.js:208:32)
        at Object.eachLimit (/nodebb/node_modules/async/dist/async.js:2216:16)
        at /nodebb/node_modules/async/dist/async.js:216:25
        at new Promise (<anonymous>)
        at Object.awaitable (/nodebb/node_modules/async/dist/async.js:211:20)

-
You need to wrap the middleware in a function and apply that function with app.use
-
@flex what do you mean by connected? You can check if a user is logged in by checking if req.uid is greater than (not equal to) 0.
-
Thank you again, now it seems to work well!
Can you review the code and maybe test the module?
I would like to be sure that I have not forgotten something.
GitHub - LM1LC3N7/nodebb-plugin-private-forum: A NodeBB plugin to lockdown the forum to non-registered users.
-
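The approach the thread arrives at (a middleware function registered with app.use from the static:app.load handler, testing req.uid), written out as an added example; it is not the code of the plugin linked above or of NodeBB. The names `privateForumGate`, `isAllowedForGuest` and `normalizePath` are hypothetical, and two choices are assumptions of this example: treating `/api/<page>` as the JSON twin of an allowed page, and answering other guest API requests with a 401 instead of a redirect.

```javascript
'use strict';

// Pages a guest may reach: the allowedPages list from the thread.
const ALLOWED_PAGES = ['/login', '/register', '/reset'];

// Drop query string, fragment and trailing slashes, so that "/login?next=/x"
// and "/login/" compare equal to "/login" (comparing req.url directly would not).
function normalizePath(url) {
  const path = String(url || '/').split('?')[0].split('#')[0];
  return path.length > 1 ? path.replace(/\/+$/, '') || '/' : path;
}

// Exact-match allowlist: anything not listed is denied (fail closed).
function isAllowedForGuest(url) {
  let path = normalizePath(url);
  // Assumption of this example: "/api/login" is the JSON twin of "/login".
  if (path.startsWith('/api/')) path = path.slice(4);
  return ALLOWED_PAGES.includes(path);
}

// Express-style middleware. A logged-in user has req.uid greater than 0.
function privateForumGate(req, res, next) {
  const url = req.originalUrl || req.url;
  if (req.uid > 0 || isAllowedForGuest(url)) {
    return next();
  }
  // Guest API calls get an error body instead of an HTML redirect (assumption).
  if (normalizePath(url).startsWith('/api/')) {
    return res.status(401).json({ error: 'not-authorised' });
  }
  return res.redirect('/login');
}

// Handler for the "static:app.load" hook declared in plugin.json.
const plugin = {
  init(params, callback) {
    // Register the function; req/res/next only exist when a request arrives.
    params.app.use(privateForumGate);
    callback();
  },
};

if (typeof module !== 'undefined') module.exports = plugin;
```
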