Private forum plugin

NodeBB Development
  • Hello,

    I would like to create a private forum using NodeBB but it seems that there is no real complete option or plugin to achieve this.

    My idea is to add a new route that will be used before all. It will check if the user is connected (using the cookie).
    If not: the request is blocked and redirected to /login; if yes, the request is allowed.


    • A client sends a request to NodeBB
    • The request passes through this first route
    • This route checks if the user is logged in (based on its cookie)
      ⛔ if no, redirect it to /login (Only /login and /register are allowed)
      ✔ if yes, the request is allowed

    Can a NodeBB developer help me to:

    • Confirm if it is possible to create a plugin that will add a new route at top level
    • Where to add a route in order to be the first one called (I know Node.JS but not yet how to create a plugin for NodeBB).

    Thanks a lot!

  • You don't want to add a new route. What you want is to add a new middleware that applies to all routes except those related to login and register.

    This is possible with a plugin, and should be fairly simple, just adding the middleware in static:app.load handler.

  • @PitaJ said in Private forum plugin:

    What you want is to add a new middleware that applies to all routes except those related to login and register.

    Yes, you are totally right.

    Do you have in mind a plugin that adds a middleware in static:app.load handler?
    It will be faster to clone and edit it 🙄

    I will take a look at the documentation.

  • I believe the quickstart example plugin has it. But it doesn't add a middleware. You'll want to look into the express documentation for that.

  • Hang on... you just want to redirect users to log in or register, right?

    Why don't you just restrict category permissions to registered-users only? Then you can use some client-side logic in the custom JS to send users to /login or /register if app.user.uid is 0.

  • @PitaJ I think I begin to understand the concept.
    Using the following plugin.json my script can use the express object to intercept each request?

        {
            "id": "nodebb-plugin-private-forum",
            "url": "httls://",
            "library": "./private-forum.js",
            "hooks": [
                { "hook": "static:app.load", "method": "init" }
            ]
        }

    I am not sure about the hook configuration.

    This is the kind of code I would like to use in my plugin:

    app.use(function(req, res, next) {
        if (req.session.user == undefined) {
            return res.render('/login');
        } else {
            next();
        }
    });

  • @julian I tried this already.
    But this is not secure, as the API can still be requested manually (for example user pages are public).

    Using a middleware I can filter all requests and only serve the login or register page.

    Front code is not secure because the user can remove it.

  • @flex you're on the right track with what you have there. Try it out!

    You'll probably want to redirect instead. Here's a helpful handler to assist:

  • Hello guys,

    I am starting to develop the plugin, but I did not understand how to add my code as a middleware and use the req object.
    For now it is not working because I don't know how to get the req object (undefined).

    Here's my plugin:

    'use strict';
    const plugin = {};
    var winston = module.parent.require('winston');
    const helpers = require.main.require('./src/controllers/helpers');
    plugin.init = function (params, callback) {
            const { app, middleware, router } = params;
            var allowedPages=["/login", "/register", "/reset"];
            console.log(" Plugin Private Forum Initialized ");
            if (allowedPages.indexOf(req.url) < 0) {
                    helpers.notAllowed(req, res, next);
            } else {
                    console.log("PLUGIN PRIVATE FORUM: req.url="+req.url+", user is logged");
                    winston.log("PLUGIN PRIVATE FORUM: req.url="+req.url+", user is logged");
            }
    };
    module.exports = plugin;

    You can see it here:

    Of course there are errors:

    2020-06-03T15:55:06.696Z [4567/1731] - verbose: [plugins/fireHook] static:app.load
     Plugin Private Forum Initialized
    2020-06-03T15:55:06.733Z [4567/1731] - error: [plugins] Error executing 'static:app.load' in plugin 'nodebb-plugin-private-forum'
    2020-06-03T15:55:06.734Z [4567/1731] - error: ReferenceError: req is not defined
        at Object.plugin.init [as method] (/etc/nodebb/nodebb-plugin-private-forum/library.js:16:27)
        at /nodebb/src/plugins/hooks.js:176:30
        at /nodebb/node_modules/async/dist/async.js:2154:44
        at eachOfArrayLike (/nodebb/node_modules/async/dist/async.js:500:13)
        at eachOf (/nodebb/node_modules/async/dist/async.js:551:16)
        at awaitable (/nodebb/node_modules/async/dist/async.js:208:32)
        at Object.eachLimit (/nodebb/node_modules/async/dist/async.js:2216:16)
        at /nodebb/node_modules/async/dist/async.js:216:25
        at new Promise (<anonymous>)
        at Object.awaitable (/nodebb/node_modules/async/dist/async.js:211:20)

    Maybe @julian or @PitaJ you can help me on this?

  • FYI @julian and @PitaJ I have edited my last answer with new elements.

  • You need to wrap the middleware in a function and apply that function with app.use

  • @PitaJ thanks!

    Do you know if there is a helper to check if the user is connected?

  • @flex what do you mean by connected? You can check if a user is logged in by checking if req.uid is greater than (not equal to) 0.
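
The advice from the replies above, put together as an added example (not code from the thread or from the published plugin): the check is wrapped in an Express middleware function, registered with app.use inside the static:app.load handler, and decides on req.uid. The names privateForumGate and isAllowedForGuests, the handling of an /api/ prefix, the 401 body, and a forum mounted at the site root are assumptions of this sketch.

```javascript
'use strict';

// Guest-reachable pages, from the thread's allowedPages list.
const ALLOWED = new Set(['/login', '/register', '/reset']);

// Assumption: the JSON twin of a page lives under /api/<page>, so the same
// allow-list is applied to it after stripping the prefix.
function isAllowedForGuests(path) {
    const page = path.startsWith('/api/') ? path.slice(4) : path;
    return ALLOWED.has(page);
}

// Express middleware: needs (req, res, next), which only exist per request.
function privateForumGate(req, res, next) {
    // req.uid > 0 means logged in (per the thread). A missing uid compares
    // false, so the gate fails closed.
    if (req.uid > 0 || isAllowedForGuests(req.path)) {
        return next();
    }
    // Blocked API calls get a status code instead of an HTML redirect.
    if (req.path.startsWith('/api/')) {
        return res.status(401).json({ error: 'not-authorised' });
    }
    return res.redirect('/login');
}

const plugin = {};

// static:app.load handler: register the function, do not call it here.
plugin.init = function (params, callback) {
    params.app.use(privateForumGate);
    callback();
};

if (typeof module !== 'undefined') {
    module.exports = plugin;
}
```

Matching on req.path with an exact allow-list keeps query strings and look-alike paths such as /loginx from slipping through; anything else the login page itself loads for a guest has to be added to the list.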

  • Thank you again, now it seems to work well! 🙂

    Can you review the code and maybe test the module?
    I would like to be sure that I have not forgotten something.

  • The plugin is now live on npm and should be automatically updated when I create a new release version on GitHub.

  • Do you know why there is still this message?



      "nbbpm": {
        "compatibility": "^1.11.2"
      }

  • @flex as the plugin is installed by people, we will get information about whether it is stable (e.g. crashes NodeBB). If all is well, then you will automatically get a green check mark 😁

    I don't recall the exact logic that @baris used when he wrote it though

  • @julian ok, I was thinking that the nbbpm was here for that!
    Thank you for your answer!
