invalid csrf token & forbidden login errors

Moved Technical Support
  • Hi guys, I'm writing this topic hoping this will help other user that like me encountered this frustrating issue when upgrading NodeBB.

    First of all I have local development server, a Windows10 PC with NodeBB listening at, and a production server at Digital Ocean listening at a full qualified SSL domain at (note that port is masked by Nginx server)

    Well, for some reason, probably for my intervention, port number disappeared from url parameter, leaving only the IP in config.json looking like this:

        "url": "",
        "port": 4567

    So checking in various files in particular in line 123 of /src/controllers/index.js and in line of 97 of /src/start.js

    //    /src/controllers/index.js 
    var returnTo = (req.headers['x-return-to'] || '').replace(nconf.get('base_url'), '');
    //    /src/start.js
    nconf.set('base_url', urlObject.protocol + '//' +;

    I discovered that trailing port is mandatory in url config parameter.

    If you debug login.js you'll view that returnTo variable contains :4567/ value causing invalid csrf token server-side and forbidden client-side.

    For me make sense to omit port value on url parameter line because the presence of a port parameter. But I was wrong.

  • Ah, yes, that is potentially a stumbling block... port property is optional, if not specified, NodeBB will listen on port 4567. However the url property is the one that is referenced by NodeBB, and is used as the canonical reference to itself... so when somebody asks your forum what it is to be called, NodeBB will respond back with the value in url, so the port is required if you are accessing your forum with port number in url.

Suggested Topics