About How To Generate Bearer Tokens By Using UID + Password


  • GNU/Linux

If you have trouble generating bearer tokens by UID and password, you may try to upgrade and restart NodeBB, and use

    curl -d "password=<yourpasswordhere>" -H "Content-Type: application/x-www-form-urlencoded" -X POST https://yourdomain/api/v1/users/<UID>/tokens

    Works for me.


  • Admin

    You don't get a JWT, you generate one with a secret that only you and the forum have. Learn more at https://jwt.io. Good luck!


  • GNU/Linux

    @julian

    Thank you!

I have read some information about JWT and the documentation of the NodeBB write API, but I am still not sure how I can generate one.

    Could you give me an example of how to generate one with the user name, password and 2FA token?

    Do I need to post them to the server?


  • Admin

    Have you read the documentation in jwt.io? Which parts are confusing to you?


  • GNU/Linux

    @julian

    I have read it...

Now I know how to use a JWT created in the admin panel, but I don't know how to create one using username, password and 2FA token (via the API).


  • GNU/Linux

    @julian

    Hi

I gave up on using JWT; I think bearer tokens will be easier, but I still cannot get it to work.

    I tried to use

    curl --data "123456" https://domain/api/v1/users/125/tokens

    and

    curl --data "password=123456" https://domain/api/v1/users/125/tokens

but I only get an error message.

    {"code":"not-authorised","message":"A valid login session was not found. Please log in and try again.","params":{}}

    Could you help me?



  • @Systemd-K
    Indeed, I believe there is a small regex bug in the write-api.

    req.originalUrl.match(/^\/api\/v\d+\/users\/(\d+)\/tokens$/))

    should be (or something equivalent)

    req.originalUrl.match(/^(.*?)\/api\/v\d+\/users\/(\d+)\/tokens$/)

My configuration of NodeBB lies behind an nginx proxy, where its base URL is www.example.com/forum. In the config.json I set the URL to its designated base URL in order to also access the forum itself (load CSS properly, CSRF token, etc.), e.g.

    { "url":"http://www.example.com/forum", "port":4567 }

    The req.originalUrl will be /forum/api/v1/users/:uid after any request, instead of the expected URL according to the regex /^\/api\/v\d+\/users\/(\d+)\/tokens$/

    I modified the regex and it's working like a charm now.


  • Admin

    @dbf Are you saying write-api doesn't work with subfolder installs?



  • @julian sadly ..

My configuration is behind an nginx proxy, where the NodeBB install is on a separate server but part of the domain's URL, e.g. www.example.com/bb

    The window.config is also showing { .. relative_path: '/bb' .. } correctly, though I'm not using NodeBB's frontend nor an iframe. I've implemented the forum within the main DOM of the corporate website and wrote a custom requirejs frontend where the forum, chats and group-chats are completely integrated with the DOM itself and doesn't get stuck on usability due to the iframe. It's almost as simple as requesting the templates under /assets and request the data, render, translate and add or remove some bits from the compiled view.

    Back to write-api

    The config.json used

    "url": "http://www.example.com/bb",
    "port": 4567,
    "secret": "587c152e-...",
    "database": "mongo",
    "mongo": {
        "host": "127.0.0.1",
        "port": "27017",
        ....
    },
    "socket.io": {
        "origins": "*:*"
    },
    etc ..
    

    Nginx proxy is configured with proxy_pass "locally"

    location ^~ /bb {
        proxy_pass                                      http://nodebb-server-ip:4567/bb;
        proxy_http_version                              1.1;
        proxy_set_header Upgrade                        $http_upgrade;
        proxy_set_header Connection                     "upgrade";
    
    
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
    
        proxy_redirect                                  off;
    
        proxy_read_timeout                              1800;
        client_max_body_size                            4G;
    }
    

    Simple test at the beginning of nodebb-plugins-write-api/routes/v1/middleware.js

Middleware.requireUser = function(req, res, next) {
        var writeApi = require.main.require('nodebb-plugin-write-api');
        var routeMatch;

        // Debug output only. The backslashes inside the quoted strings are
        // string escapes, so the logged text shows the patterns without them
        // (compare the "matching:" lines in the output below); the match()
        // calls use real regex literals and are unaffected.
        console.log('req.originalUrl: '+req.originalUrl);
        console.log('matching: [/^\/api\/v\d+\/users\/(\d+)\/tokens$/)]');
        console.log(req.originalUrl.match(/^\/api\/v\d+\/users\/(\d+)\/tokens$/));
        console.log('matching: [/^(.*?)\/api\/v\d+\/users\/(\d+)\/tokens$/)]');
        console.log(req.originalUrl.match(/^(.*?)\/api\/v\d+\/users\/(\d+)\/tokens$/));

        // ... remainder of the original middleware unchanged
    

    Gives following output in dev mode:

    20/6 09:28:14 [8841] - info: NodeBB Ready
    20/6 09:28:14 [8841] - info: Enabling 'trust proxy'
    20/6 09:28:14 [8841] - info: NodeBB is now listening on: 0.0.0.0:4567
    
    req.originalUrl: /bb/api/v1/users/99/tokens
    matching: [/^/api/vd+/users/(d+)/tokens$/)]
    null
    
    matching: [/^(.*?)/api/vd+/users/(d+)/tokens$/)]
    [ '/bb/api/v1/users/99/tokens',
      '/bb',
      '99',
      index: 0,
      input: '/bb/api/v1/users/99/tokens' ]
    

    The routeMatch index for getting the :uid then changes from [1] to [2]

    // If token generation route is hit, check password instead
    var uid = routeMatch[2];
    

    There is probably a better solution for (.*?) instead.
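As an added example (not code from the write-api plugin or from the post above), one alternative to the open-ended `(.*?)` prefix is to build the matcher from the configured relative_path, so only the subfolder NodeBB actually runs under is accepted and the uid stays in group 1. The helper names, the `relativePath` argument and the sample URLs are assumptions of this example; the query-string handling is there because Express keeps the query string in `req.originalUrl`, which would otherwise defeat the trailing `$`.

```javascript
// Added example, not write-api code: anchor the token-route regex to the
// configured subfolder instead of accepting any prefix with (.*?).
'use strict';

// Escape a string for literal use inside a RegExp.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Build the matcher from relative_path ('' for a root install, '/bb' for the
// install described in the thread). Assumed to be passed in by the caller.
function buildTokenRouteMatcher(relativePath) {
  const prefix = escapeRegExp(relativePath || '');
  return new RegExp('^' + prefix + '\\/api\\/v\\d+\\/users\\/(\\d+)\\/tokens$');
}

// Return the uid as a string when originalUrl is the token-generation route,
// otherwise null. The query string is dropped first: req.originalUrl keeps it,
// and a trailing "?lang=en" would make the $-anchored pattern fail.
function matchTokenRoute(originalUrl, relativePath) {
  const path = originalUrl.split('?')[0];
  const m = path.match(buildTokenRouteMatcher(relativePath));
  return m ? m[1] : null;
}

// The two patterns from the thread, reproduced against constructed URLs.
const ORIGINAL = /^\/api\/v\d+\/users\/(\d+)\/tokens$/;
const PERMISSIVE = /^(.*?)\/api\/v\d+\/users\/(\d+)\/tokens$/;

function compare() {
  return {
    originalOnSubfolder: ORIGINAL.test('/bb/api/v1/users/99/tokens'),            // false: the reported bug
    permissiveOnSubfolder: PERMISSIVE.test('/bb/api/v1/users/99/tokens'),        // true
    permissiveOnForeignPrefix: PERMISSIVE.test('/x/y/api/v1/users/99/tokens'),   // true: any prefix passes
    anchoredOnSubfolder: matchTokenRoute('/bb/api/v1/users/99/tokens', '/bb'),   // '99'
    anchoredOnForeignPrefix: matchTokenRoute('/x/y/api/v1/users/99/tokens', '/bb'), // null
    anchoredOnRoot: matchTokenRoute('/api/v1/users/125/tokens', ''),             // '125'
    anchoredWithQuery: matchTokenRoute('/bb/api/v1/users/99/tokens?lang=en', '/bb'), // '99'
  };
}

console.log(JSON.stringify(compare(), null, 2));
```

Because the prefix is fixed at startup from the same value NodeBB uses for `relative_path`, the uid capture stays at `routeMatch[1]` and the rest of the middleware needs no index change.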



  • Another thing ..

    If the option Enable authentication via JSON Web Tokens is checked in the admin panel of the Write API, the request to /v1/users/:uid/tokens with password in the content body never gets hit, so it's not possible to choose between the two.

    So either

    • uncheck authentication via JSON Web Tokens and use password based request for tokens or ..
    • configure JSON Web Token Secret to request tokens and forget about password based generation.

    It doesn't say anything about it in the API's documentation

    • POST /:uid/tokens
      Creates a new user token for the passed in uid
      Accepts: No parameters normally, will accept password in lieu of Bearer token
      Can be called with an active token for that user
      This is the only route that will allow you to pass in password in the request body. Generate a new token and then use
      the token in subsequent calls.
