Middleware - Correct Usage
-
I have a few admin only routes in the plugin that I am developing.
The following are the middleware I have used.
const adminMiddlewares = [ middleware.ensureLoggedIn, middleware.admin.checkPrivileges, ];
However, I am running into the following problem.
When I have been logged in for a while (via an admin account), the routes are not available to me unless I sign out and re-login.
(When this happens, the UI shows that I am logged in.) Does this have something to do with the session token expiry time?
If this is the case, is there any workaround for this, such as prompting the users to log in again?
Any insight would be appreciated.
Thanks!
EDIT - Additional Info
From my understanding, admin-only features such as reporting/deleting messages, banning accounts etc. work without prompting me to log in again even after I've been logged in for a while. However, the routes that I add in the plugin I develop don't seem to behave the same way.
-
@Yasas-Wijetilake Are you using routeHelpers.setupAdminPageRoute? You probably should, if only because it's standardised.
It sounds like you're hitting the admin relogin prompt. It should be sending you to /login so you can reauthenticate again.
-
Hi @julian
I am not using anything outside what NodeBB already provides.
Regarding the API endpoints, I am assigning custom categories to topics. It's admin-only and they can assign categories by navigating via the Topic Tools drop down. Then a dialog box opens with all possible categories. These categories are retrieved from an API endpoint which uses the middleware middleware.ensureLoggedIn and middleware.admin.checkPrivileges. However, the API endpoint does not return data if the admin has been logged in for too long.
I wonder if I am using the above two middleware properly. This is the problem that I have.
-
That line checks if it's an API response (which, when using setupApiRoute, is set to true), and returns a simple 401 Unauthorized when the admin timeout has passed. Is this what you are seeing?
If that is the case, it sounds like we should be:
- passing something more standard
- gracefully handling this in the API module
Let me look into this further.
Edit: Looking at the list of HTTP response codes, 401 Unauthorized seems to be the best candidate here, so that will remain. I'll update the API module to handle this more gracefully.
-
N.B. There is a reason why some admin actions continue to function despite the admin relogin threshold having passed. A lot of admin functions are still using our websockets implementation, which does not have such a restriction.
API v3 calls to admin-level functions do.
-
@Yasas-Wijetilake I have now updated the latest core (v3) to handle a 401 response with a prompt to log in.
If you're on v2 (which I imagine you are), you'll have to handle the promise rejection similarly.
It'd be something like this:
try {
    const body = await api.get(...);
} catch (e) {
    if (e.message === 'Unauthorized') {
        ajaxify.go('login');
    }
}
-
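The two behaviours discussed in this thread, modelled end to end as an added example (this is not NodeBB's code and uses none of its internals): a server-side admin route guard that lets a recently re-authenticated admin through, redirects a stale page request to /login and answers a stale API request with a bare 401 Unauthorized, and the client-side catch block that turns that 401 into a re-login prompt rather than an empty dialog. The session field adminAuthAt, the res.locals.isAPI flag, the one-hour threshold and the function names decideAdminAccess, adminGuard and loadAdminData are all assumptions made for this example; the scenario data at the bottom is constructed.

```javascript
// Added example, not NodeBB's own code. Names and fields below are assumptions.

const ADMIN_RELOGIN_MS = 60 * 60 * 1000; // assumed re-login threshold: one hour

// Pure decision: given when the admin last re-authenticated and whether the
// request expects an API response, decide what the guard should do.
function decideAdminAccess({ adminAuthAt, isAPI, now = Date.now() }) {
  const fresh = typeof adminAuthAt === 'number' && now - adminAuthAt < ADMIN_RELOGIN_MS;
  if (fresh) {
    return { allow: true };
  }
  if (isAPI) {
    // API route: a plain 401; the caller has to prompt for re-login itself.
    return {
      allow: false,
      status: 401,
      body: { status: { code: 'unauthorized', message: 'Unauthorized' } },
    };
  }
  // Page route: send the browser to the login page instead.
  return { allow: false, redirect: '/login' };
}

// Express-style middleware built on the decision above. req.session.adminAuthAt
// (assumed) holds the epoch ms of the last admin re-authentication;
// res.locals.isAPI (assumed) plays the role of the "is it an API response" flag.
function adminGuard(req, res, next) {
  const decision = decideAdminAccess({
    adminAuthAt: req.session && req.session.adminAuthAt,
    isAPI: Boolean(res.locals && res.locals.isAPI),
  });
  if (decision.allow) {
    return next();
  }
  if (decision.redirect) {
    const next = encodeURIComponent(req.originalUrl || '/');
    return res.redirect(`${decision.redirect}?next=${next}`);
  }
  return res.status(decision.status).json(decision.body);
}

// Client side: fetch admin-only data and, on 401, send the user to log in
// again. getJson and navigate are injected so the logic is testable; in a real
// client they would be the app's request helper and its page navigation call.
async function loadAdminData(getJson, navigate, path) {
  try {
    return await getJson(path);
  } catch (e) {
    const unauthorized = e && (e.status === 401 || e.message === 'Unauthorized');
    if (unauthorized) {
      navigate('login');
      return null;
    }
    throw e; // anything else is a real failure and should surface
  }
}

// Constructed scenario: admin authenticates at t0, hits the plugin's API route
// ten minutes later (fresh) and again two hours later (stale), plus a stale
// page-route request for comparison.
function simulate() {
  const t0 = Date.UTC(2024, 0, 1, 12, 0, 0);
  const session = { adminAuthAt: t0 };
  const tenMin = t0 + 10 * 60 * 1000;
  const twoHours = t0 + 2 * 60 * 60 * 1000;
  return {
    after10minApi: decideAdminAccess({ adminAuthAt: session.adminAuthAt, isAPI: true, now: tenMin }),
    after2hApi: decideAdminAccess({ adminAuthAt: session.adminAuthAt, isAPI: true, now: twoHours }),
    after2hPage: decideAdminAccess({ adminAuthAt: session.adminAuthAt, isAPI: false, now: twoHours }),
  };
}
```

The split between decideAdminAccess and adminGuard is deliberate: the threshold logic is pure and unit-testable, while the middleware only translates the decision into a redirect or a 401. Note that websocket-driven admin actions, as the thread points out, would not pass through a guard like this at all, which is why they keep working after the threshold has passed.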