Changing auth.js, NodeBB fails to start

Unsolved Technical Support
  • We're trying to set up a countermeasure to only block user authentication from the IP from which the attempts were made. In auth.js, in async function User.auth.logAttempt = async function (uid, ip), we're trying to use the fact that the IP address is also taken into account and as such make it harder for a DoS attack, only limiting user account access for the provided IP. But when we change the code in the file, NodeBB fails to launch and the local website does not appear anymore. We're using Ubuntu with mongodb and start NodeBB with ./nodebb start, but when we do ./nodebb stop we get: "NodeBB is already stopped". We've added the following line: const exists = await db.exists(lockout:${ip}); which is very similar to line 20 apart from the fact that we're now using the IP. Are we experiencing problems perhaps because our database does not log the IP?

    Furthermore, we're doing this as part of a minor project in university, so I understand and don't want a complete solution to our problem. We're quite limited in time, however, so if you have a good understanding of the source code it would be very helpful to point us in the right direction or tell us that this will be too problematic to do in 20 hours of time. 🙂 I'm currently trying to get a better understanding of the source code and I notice that it's quite complex!

    Are there steps necessary to take before changing the source code? Would it be better to build a plugin instead? What information have we missed?

  • I'm guessing you have a syntax error or something. Try running with ./nodebb dev so you can easily see any errors on startup.

    Line 20 is

    const exists = await db.exists(`lockout:${uid}`);

    The backticks are very important, as they make it a string. If you want to change it to check IP, you probably want

    const exists = await db.exists(`lockout:${ip}`);

    But I'd change it to check both

    const exists = await db.exists(`lockout:${uid}`) || await db.exists(`lockout:${ip}`);

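    To make the "check both" idea above concrete, here is an added illustration (not NodeBB's code and not PitaJ's): a lockout routine keyed on the (uid, ip) pair, so that failed attempts from one address do not lock the account for everyone, while a per-uid lockout key is still honoured. The in-memory store and its method names (exists, increment, set, delete), the threshold and the helper functions are all assumptions for the example.

```javascript
// Added example (not NodeBB's own code). Hypothetical minimal key-value store
// standing in for NodeBB's db module; method names mirror the db.exists()
// call quoted above and are otherwise assumed.
class MemoryDb {
  constructor() { this.store = new Map(); }
  async exists(key) { return this.store.has(key); }
  async increment(key) {
    const n = (this.store.get(key) || 0) + 1;
    this.store.set(key, n);
    return n;
  }
  async set(key, value) { this.store.set(key, value); }
  async delete(key) { this.store.delete(key); }
}

const MAX_ATTEMPTS = 5; // hypothetical threshold, not NodeBB's setting

// Records one failed login for (uid, ip) and throws once that pair is locked.
// Keying the counter and the lockout on uid AND ip means someone hammering a
// victim's account from one address only gets that address locked out; the real
// user logging in from elsewhere is unaffected. The per-uid key is still honoured
// ("check both"), so an account-wide limit can still be enforced on top of it.
async function logAttempt(db, uid, ip) {
  const pair = `${uid}:${ip}`;
  if (await db.exists(`lockout:${uid}`) || await db.exists(`lockout:${pair}`)) {
    throw new Error('account temporarily locked');
  }
  const attempts = await db.increment(`loginAttempts:${pair}`);
  if (attempts > MAX_ATTEMPTS) {
    await db.set(`lockout:${pair}`, 1); // a deployment would also expire this key
    await db.delete(`loginAttempts:${pair}`);
    throw new Error('account temporarily locked');
  }
  return attempts;
}

// Drives n failed logins for one (uid, ip) pair and reports how many were
// counted against the pair versus refused because it was already locked.
async function failedLogins(db, uid, ip, n) {
  const result = { counted: 0, refused: 0 };
  for (let i = 0; i < n; i++) {
    try { await logAttempt(db, uid, ip); result.counted++; }
    catch (e) { result.refused++; }
  }
  return result;
}
```

    Note that keying only on the IP would let guesses continue from a fresh address, which is why the per-uid key stays in the check.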
  • @PitaJ Thank you for the straight answer! 🙂 Much appreciated!

