About How To Generate Bearer Tokens By Using UID + Password
-
If you have trouble generating bearer tokens by UID and password, you may try to upgrade and restart NodeBB, and use
curl -d "password=<yourpasswordhere>" -H "Content-Type: application/x-www-form-urlencoded" -X POST https://yourdomain/api/v1/users/<UID>/tokens
Works for me.
-
Thank you!
I have read some information about JWT and the documentation of the NodeBB write API, but I'm still not sure how I can generate one.
Could you give me an example of how to generate one with the user name, password and 2FA token?
Do I need to post them to the server?
-
Hi
I gave up on using JWT, I think bearer tokens will be easier, but I still cannot get it to work.
I tried to use
curl --data "123456" https://domain/api/v1/users/125/tokens
and
curl --data "password=123456" https://domain/api/v1/users/125/tokens
but I only get an error message.
{"code":"not-authorised","message":"A valid login session was not found. Please log in and try again.","params":{}}
Could you help me?
-
@Systemd-K
Indeed, I believe there is a small regex bug in the write-api:
req.originalUrl.match(/^\/api\/v\d+\/users\/(\d+)\/tokens$/)
should be (or something equivalent)
req.originalUrl.match(/^(.*?)\/api\/v\d+\/users\/(\d+)\/tokens$/)
My configuration of NodeBB lies behind an nginx proxy, where its base URL is www.example.com/forum. In the config.json I set the URL to its designated base URL in order to also access the forum itself (load css properly, csrf-token, etc), e.g.
{ "url":"http://www.example.com/forum", "port":4567 }
The req.originalUrl will be /forum/api/v1/users/:uid after any request, instead of the expected URL according to the regex /^\/api\/v\d+\/users\/(\d+)\/tokens$/
I modified the regex and it's working like a charm now.
-
@julian sadly ..
My configuration is behind an nginx proxy, where the NodeBB install is on a separate server but part of the domain's URL, e.g. www.example.com/bb
The window.config is also showing { .. relative_path: '/bb' .. } correctly, though I'm not using NodeBB's frontend nor an iframe. I've implemented the forum within the main DOM of the corporate website and wrote a custom requirejs frontend where the forum, chats and group-chats are completely integrated with the DOM itself and don't get stuck on usability due to the iframe. It's almost as simple as requesting the templates under /assets and requesting the data, rendering, translating and adding or removing some bits from the compiled view.
Back to write-api
The config.json used
"url": "http://www.example.com/bb",
"port": 4567,
"secret": "587c152e-...",
"database": "mongo",
"mongo": { "host": "127.0.0.1", "port": "27017", .... },
"socket.io": { "origins": "*:*" },
etc ..
Nginx proxy is configured with proxy_pass "locally":
location ^~ /bb {
    proxy_pass http://nodebb-server-ip:4567/bb;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_set_header X-NginX-Proxy true;
    proxy_redirect off;
    proxy_read_timeout 1800;
    client_max_body_size 4G;
}
Simple test at the beginning of nodebb-plugins-write-api/routes/v1/middleware.js:
Middleware.requireUser = function(req, res, next) {
    var writeApi = require.main.require('nodebb-plugin-write-api');
    var routeMatch;
    // Log the incoming path and try both patterns against it
    console.log('req.originalUrl: ' + req.originalUrl);
    console.log('matching: [/^\/api\/v\d+\/users\/(\d+)\/tokens$/)]');
    console.log(req.originalUrl.match(/^\/api\/v\d+\/users\/(\d+)\/tokens$/));
    console.log('matching: [/^(.*?)\/api\/v\d+\/users\/(\d+)\/tokens$/)]');
    console.log(req.originalUrl.match(/^(.*?)\/api\/v\d+\/users\/(\d+)\/tokens$/));
    // ... rest of the original requireUser function unchanged
};
Gives the following output in dev mode:
20/6 09:28:14 [8841] - info: NodeBB Ready
20/6 09:28:14 [8841] - info: Enabling 'trust proxy'
20/6 09:28:14 [8841] - info: NodeBB is now listening on: 0.0.0.0:4567
req.originalUrl: /bb/api/v1/users/99/tokens
matching: [/^/api/vd+/users/(d+)/tokens$/)]
null
matching: [/^(.*?)/api/vd+/users/(d+)/tokens$/)]
[ '/bb/api/v1/users/99/tokens', '/bb', '99', index: 0, input: '/bb/api/v1/users/99/tokens' ]
The routeMatch index for getting the :uid then changes from [1] to [2]:
// If token generation route is hit, check password instead
var uid = routeMatch[2];
There is probably a better solution for (.*?) instead.
-
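The route-matching difference that @Systemd-K and @julian describe in the two posts above, replayed as an added example (this is not code from the write-api plugin or from NodeBB). It runs the original and the patched regex against constructed request paths, reproducing the null-versus-match result from the console.log test, and also shows a stricter alternative to the (.*?) prefix: building the pattern from the configured relative path, which is assumed here to be derived from the url in config.json in the same way window.config.relative_path is described in the thread. With that, only the configured prefix is accepted and the uid stays in capture group 1. The relativePathFromUrl helper and the sample paths are constructed for this example.

```javascript
// Added example, not code from the write-api plugin or NodeBB.
// Replays the route matching discussed in the thread and shows a stricter
// alternative to the (.*?) prefix.

// Original write-api pattern: only matches when NodeBB is served from "/".
const ORIGINAL_TOKEN_ROUTE = /^\/api\/v\d+\/users\/(\d+)\/tokens$/;

// Patched pattern from the thread: accepts any prefix; uid moves to group 2.
const PATCHED_TOKEN_ROUTE = /^(.*?)\/api\/v\d+\/users\/(\d+)\/tokens$/;

// Escape a literal string so it can be embedded in a RegExp source.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Assumed helper: derive relative_path from config.json's "url"
// ("http://www.example.com/bb" -> "/bb", root install -> "").
function relativePathFromUrl(url) {
  return new URL(url).pathname.replace(/\/+$/, '');
}

// Stricter alternative to (.*?): only the configured prefix is accepted, so
// the uid stays in group 1 and the pattern is still exact for a root install.
function buildTokenRoute(relativePath) {
  return new RegExp(
    '^' + escapeRegExp(relativePath) + '\\/api\\/v\\d+\\/users\\/(\\d+)\\/tokens$'
  );
}

// Returns the uid string when originalUrl is the token-generation route for
// the given relative path, otherwise null.
function matchTokenRoute(originalUrl, relativePath) {
  const m = originalUrl.match(buildTokenRoute(relativePath));
  return m ? m[1] : null;
}

// Side-by-side result of the original and patched patterns, mirroring the
// console.log test in the thread (null vs. prefix '/bb' and uid '99').
function compareTokenRoutes(originalUrl) {
  const o = originalUrl.match(ORIGINAL_TOKEN_ROUTE);
  const p = originalUrl.match(PATCHED_TOKEN_ROUTE);
  return {
    originalUid: o ? o[1] : null,
    patchedPrefix: p ? p[1] : null,
    patchedUid: p ? p[2] : null,
  };
}

// Constructed request paths: a root install, the /bb install from the
// thread, and a trailing-slash variant that no pattern should accept.
const SAMPLE_URLS = [
  '/api/v1/users/125/tokens',
  '/bb/api/v1/users/99/tokens',
  '/bb/api/v1/users/99/tokens/',
];

// Demo run with the /bb configuration from the thread.
const demoRelativePath = relativePathFromUrl('http://www.example.com/bb');
for (const url of SAMPLE_URLS) {
  console.log(url, compareTokenRoutes(url), 'strict:', matchTokenRoute(url, demoRelativePath));
}
```

For the /bb path the original pattern returns null and the patched one returns prefix '/bb' with uid '99', exactly as in the logged output above; the strict pattern returns '99' only when it was built with '/bb', and null for any other prefix.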
Another thing ..
If the option "Enable authentication via JSON Web Tokens" is checked in the admin panel of the Write API, the request to /v1/users/:uid/tokens with password in the content body never gets hit, so it's not possible to choose between the two. So either
- uncheck authentication via JSON Web Tokens and use password based request for tokens or ..
- configure JSON Web Token Secret to request tokens and forget about password based generation.
It doesn't say anything about it in the API's documentation:
- POST /:uid/tokens
Creates a new user token for the passed in uid
Accepts: No parameters normally, will accept password in lieu of Bearer token
Can be called with an active token for that user
This is the only route that will allow you to pass in password in the request body. Generate a new token and then use
the token in subsequent calls.