Always Guest User with XHR
-
@nick-allain You're sort of on the right track... I'll ping @psychobunny for his thoughts, but in the meantime, it sounds like your request to ghost isn't authenticated, possibly because it is not sending the appropriate cookie through the request.
As that page you link to suggests, the API uses cookie authentication first and foremost, which is why when you access the comments/get link from your browser, you are logged in.
The plugin code looks ok, in that it executes the XHR
withCredentials
, but can you confirm that that is the case in the dev tools? -
Thanks @julian - your message prompted me to look at the cookie itself. Chrome DevTools is flagging an issue that I didn't previously see.
This Set-Cookie was blocked because it had the "SameSite=strict" attribute but came form a cross-site response which was not the response to a top-level navigation.
To try to answer you're question, here's what my headers look like. I will freely admit, I'm a little over my head on this! I'm a marketing guy trying to help out his car community
Request:
GET /comments/get/5fe3b20991b86c0039a9800e/0 HTTP/1.1
Host: dev.opposite-lock.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept: /
Origin: https://nicholasdallain-2.ghost.io
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://nicholasdallain-2.ghost.io/a-new-test-post/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9Response:
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 29 Dec 2020 00:57:44 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 5641
Connection: keep-alive
X-DNS-Prefetch-Control: off
Expect-CT: max-age=0
X-Frame-Options: SAMEORIGIN
X-Download-Options: noopen
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 0
Referrer-Policy: strict-origin-when-cross-origin
X-Powered-By: Oppositelock
Content-Security-Policy: frame-ancestors 'self'
set-cookie: _csrf=qVrBDseAYi8zRdAqIhsffeBz; Path=/; HttpOnly; Secure; SameSite=Strict
Access-Control-Allow-Origin: https://nicholasdallain-2.ghost.io
Access-Control-Allow-Headers: X-Requested-With, X-HTTP-Method-Override, Content-Type, Accept
Access-Control-Allow-Credentials: true
ETag: W/"1609-C37JNRX5kkSgV4I14TWs+cPivkE" -
@nick-allain ah, you'll have to set the cookie domain in the ACP to contain both domains.
Careful what value you set, if you set the wrong one, you might lock yourself out of the ACP!
-
@nick-allain Are you able to make changes to the plugin files? It looks like the error is coming from the blog-comments plugin itself.
nodebb-plugin-blog-comments/library.js at d75e8aabe554dfd7138f82cfec8f3caaed076456 · psychobunny/nodebb-plugin-blog-comments
Lets NodeBB act as a comments engine/widget for your blog - nodebb-plugin-blog-comments/library.js at d75e8aabe554dfd7138f82cfec8f3caaed076456 · psychobunny/nodebb-plugin-blog-comments
GitHub (github.com)
If you can, can you add
console.log(err, result);
after line185
? -
@julian It took a few days to have the admin add it, but here's the robust error:
Error: Please enter a longer title. Titles should contain at least 3 character(s).
at check (/home/ubuntu/nodebb/src/topics/create.js:253:10)
at Object.Topics.checkTitle (/home/ubuntu/nodebb/src/topics/create.js:239:3)
at Topics.post (/home/ubuntu/nodebb/src/topics/create.js:71:10)
at Callbackified (util.js:210:5)
at Object.wrapperCallback [as post] (/home/ubuntu/nodebb/src/promisify.js:46:23)
at /home/ubuntu/nodebb/node_modules/nodebb-plugin-blog-comments/library.js:178:11
at /home/ubuntu/nodebb/node_modules/async/dist/async.js:2955:19
at wrapper (/home/ubuntu/nodebb/node_modules/async/dist/async.js:268:20)
at iterateeCallback (/home/ubuntu/nodebb/node_modules/async/dist/async.js:421:28)
at /home/ubuntu/nodebb/node_modules/async/dist/async.js:321:20 undefined -
So I was able to solve the previously mentioned issue. Ghost.js looks for the title of a post in a SPAN with the id of "nbb-title". For some reason, that span was empty. I used handlebars and .innerHTML to write the title to that span.
However, I'm now back to what appears to be a header issue - but this time it might on the NodeBB side:
2021-01-24T18:44:04.051Z [4567/62671] - [33mwarn[39m: [nodebb-plugin-blog-comments] Origin (https://fp.opposite-lock.com) does not match hostUrls: * 2021-01-24T18:44:10.221Z [4567/62671] - [33mwarn[39m: [nodebb-plugin-blog-comments] Origin (https://fp.opposite-lock.com) does not match hostUrls: * Error: You do not have enough privileges for this action. at Topics.post (/home/ubuntu/nodebb/src/topics/create.js:86:10) at processTicksAndRejections (internal/process/task_queues.js:97:5) undefined
Our nodeBB is hosted at: https://dev.opposite-lock.com
The blog is hosted at: https://fp.opposite-lock.com (this is exactly what is specified in the plugin. -
@nick-allain Hm... from the sounds of it, Ghost may be trying to publish the article as a guest user, which isn't right.
What version of Ghost are you running? It might be time for @psychobunny to step in...
-
@julian I agree with your analysis. I'm on Ghost 3.41.2
@psychobunny - any ideas on things I could try?
-
hi @Nick-Allain this error message:
[nodebb-plugin-blog-comments] Origin (https://fp.opposite-lock.com) does not match hostUrls: *
suggests that in the ACP the link to your blog is actually set as
*
.I know you attached a screenshot showing otherwise, but could you double check and refresh the page (in case for ex., there was an error saving?) to see? If it's still an issue, I wouldn't mind temporary admin access to have a look, feel free to DM me for that