Always Guest User with XHR

Nick Allain

I'm working on getting commenting set up on a Ghost blog using Nodebb (making use of the nodebb-plugin-blog-comments plugin).

Ghost blog: https://nicholasdallain-2.ghost.io/
NodeBB site: https://dev.opposite-lock.com/

The plugin calls a request via javascript on the Ghost page. Looking at the Chrome Developer Options, I get a different response from the api via Javascript than I do just opening the page in my browser.

Sample request: https://dev.opposite-lock.com/comments/get/5fe3b20991b86c0039a9800e/0

Developer Options (just a relevant chunk):
user: {uid: 0, username: "[[global:guest]]", userslug: "", fullname: "[[global:guest]]", email: "",…}

In Browser Tab:
{"uid":139,"username":"nickhasanexocet","userslug":"nickhasanexocet","email":"nick.all....

Because of this issue, the commenting system won't allow me to publish the ghost blog to nodebb for commenting. Instead I see "Comments are disabled."

Nick Allain

I am continuing to read documentation and guessing that it has something to do with authentication for the API. Does anyone have an example of authenticating via javascript with cookies?

ReDoc

(docs.nodebb.org)

julian

@nick-allain You're sort of on the right track... I'll ping @psychobunny for his thoughts, but in the meantime, it sounds like your request to ghost isn't authenticated, possibly because it is not sending the appropriate cookie through the request.

As that page you link to suggests, the API uses cookie authentication first and foremost, which is why when you access the comments/get link from your browser, you are logged in.

The plugin code looks ok, in that it executes the XHR withCredentials, but can you confirm that that is the case in the dev tools?

Nick Allain

Thanks @julian - your message prompted me to look at the cookie itself. Chrome DevTools is flagging an issue that I didn't previously see.

This Set-Cookie was blocked because it had the "SameSite=strict" attribute but came form a cross-site response which was not the response to a top-level navigation.

To try to answer you're question, here's what my headers look like. I will freely admit, I'm a little over my head on this! I'm a marketing guy trying to help out his car community

Request:
GET /comments/get/5fe3b20991b86c0039a9800e/0 HTTP/1.1
Host: dev.opposite-lock.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept: /
Origin: https://nicholasdallain-2.ghost.io
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://nicholasdallain-2.ghost.io/a-new-test-post/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Response:
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 29 Dec 2020 00:57:44 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 5641
Connection: keep-alive
X-DNS-Prefetch-Control: off
Expect-CT: max-age=0
X-Frame-Options: SAMEORIGIN
X-Download-Options: noopen
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 0
Referrer-Policy: strict-origin-when-cross-origin
X-Powered-By: Oppositelock
Content-Security-Policy: frame-ancestors 'self'
set-cookie: _csrf=qVrBDseAYi8zRdAqIhsffeBz; Path=/; HttpOnly; Secure; SameSite=Strict
Access-Control-Allow-Origin: https://nicholasdallain-2.ghost.io
Access-Control-Allow-Headers: X-Requested-With, X-HTTP-Method-Override, Content-Type, Accept
Access-Control-Allow-Credentials: true
ETag: W/"1609-C37JNRX5kkSgV4I14TWs+cPivkE"

julian

@nick-allain ah, you'll have to set the cookie domain in the ACP to contain both domains.

Careful what value you set, if you set the wrong one, you might lock yourself out of the ACP!

Nick Allain

@julian Thanks! I managed to get it almost working. Now I get a wonderfully generic {"error":"Unable to post topic"}

julian

@nick-allain Are you able to make changes to the plugin files? It looks like the error is coming from the blog-comments plugin itself.

nodebb-plugin-blog-comments/library.js at d75e8aabe554dfd7138f82cfec8f3caaed076456 · psychobunny/nodebb-plugin-blog-comments

Lets NodeBB act as a comments engine/widget for your blog - nodebb-plugin-blog-comments/library.js at d75e8aabe554dfd7138f82cfec8f3caaed076456 · psychobunny/nodebb-plugin-blog-comments

GitHub (github.com)

If you can, can you add console.log(err, result); after line 185?

Nick Allain

@julian It took a few days to have the admin add it, but here's the robust error:

Error: Please enter a longer title. Titles should contain at least 3 character(s).
at check (/home/ubuntu/nodebb/src/topics/create.js:253:10)
at Object.Topics.checkTitle (/home/ubuntu/nodebb/src/topics/create.js:239:3)
at Topics.post (/home/ubuntu/nodebb/src/topics/create.js:71:10)
at Callbackified (util.js:210:5)
at Object.wrapperCallback [as post] (/home/ubuntu/nodebb/src/promisify.js:46:23)
at /home/ubuntu/nodebb/node_modules/nodebb-plugin-blog-comments/library.js:178:11
at /home/ubuntu/nodebb/node_modules/async/dist/async.js:2955:19
at wrapper (/home/ubuntu/nodebb/node_modules/async/dist/async.js:268:20)
at iterateeCallback (/home/ubuntu/nodebb/node_modules/async/dist/async.js:421:28)
at /home/ubuntu/nodebb/node_modules/async/dist/async.js:321:20 undefined

Nick Allain

So I was able to solve the previously mentioned issue. Ghost.js looks for the title of a post in a SPAN with the id of "nbb-title". For some reason, that span was empty. I used handlebars and .innerHTML to write the title to that span.

However, I'm now back to what appears to be a header issue - but this time it might on the NodeBB side:

2021-01-24T18:44:04.051Z [4567/62671] - [33mwarn[39m: [nodebb-plugin-blog-comments] Origin (https://fp.opposite-lock.com) does not match hostUrls: *
2021-01-24T18:44:10.221Z [4567/62671] - [33mwarn[39m: [nodebb-plugin-blog-comments] Origin (https://fp.opposite-lock.com) does not match hostUrls: *
Error: You do not have enough privileges for this action.
    at Topics.post (/home/ubuntu/nodebb/src/topics/create.js:86:10)
    at processTicksAndRejections (internal/process/task_queues.js:97:5) undefined

Our nodeBB is hosted at: https://dev.opposite-lock.com
The blog is hosted at: https://fp.opposite-lock.com (this is exactly what is specified in the plugin.

julian

@nick-allain Hm... from the sounds of it, Ghost may be trying to publish the article as a guest user, which isn't right.

What version of Ghost are you running? It might be time for @psychobunny to step in...

Nick Allain

@julian I agree with your analysis. I'm on Ghost 3.41.2

@psychobunny - any ideas on things I could try?

psychobunny

hi @Nick-Allain this error message:
[nodebb-plugin-blog-comments] Origin (https://fp.opposite-lock.com) does not match hostUrls: *

suggests that in the ACP the link to your blog is actually set as *.

I know you attached a screenshot showing otherwise, but could you double check and refresh the page (in case for ex., there was an error saving?) to see? If it's still an issue, I wouldn't mind temporary admin access to have a look, feel free to DM me for that