@julian Any updates on nodebb's CSP implementation? I'd like to avoid unsafe-* for obvious reasons.
Restricting Write API Access
Laz last edited by
Hello again, people must be getting annoyed with my questions by this point.
I was wondering if it is possible to set up the write API plugin so that a user can only have access to certain routes. Specifically, I am looking to create a user token that only has the ability to create other users. I have a third party application that someone can log in to the forums with and, if they lack an account, create new accounts with.
Due to how the write API functions, or at least from what I can gather, once they have a token they can do anything their user can do. Is there a way to achieve what I am attempting, or perhaps a better method?
P.S. As a side note, and probably something that should be its own topic, is it possible to log in to the API/forums via a token based system? I want a user to be able to log in with their username and password, then store a token or something similar that will 'keep them logged in', as it were, as long as the token is valid. I'd imagine doing this by storing the token, then logging in via the token itself instead of a username/password.
There's no easy way to do this. What you could do is essentially create a new plugin with a pared-down write API.
I assume this is for a bot?
Laz last edited by
If it were a bot, I could assign it a token from the ACP. I am creating a third party application that interfaces with NodeBB. It needs to be able to inherently create new user accounts, and then also log in as them (which is where logging in via a token would come into play). I suppose it would be possible to create an account via a socket connection directly, but I imagine I could have uses for some of the write API methods anyway.
Is it possible to programmatically create user tokens for the Write API? If that's the case, I could use a socket to create the account, and then generate a JWT token specifically for that user rather than hacking something into the application itself. That would leave the only hurdle being logging in, but at that point I could just store encrypted login credentials in a config file, and log in to the API using https://github.com/NicolasSiver/nodebb-plugin-ns-login