Middleware - Correct Usage

Solved Plugin Development
  • I have a few admin only routes in the plugin that I am developing.

    The following are the middleware I have used.

    const adminMiddlewares = [
      middleware.ensureLoggedIn,
      middleware.admin.checkPrivileges,
    ];

    However, I am running into the following problem.
    When I have been logged in for a while (via an admin account), the routes are not available to me unless I sign out and re-login.
    (When this happens, the UI shows that I am logged in.)

    Does this have something to do with the session token expiry time?

    If this is the case, is there any workaround for this, such as prompting the users to log in again?

    Any insight would be appreciated.

    EDIT - Additional Info

    From my understanding, admin-only features such as reporting/deleting messages, banning accounts etc. work without prompting me to log in even after I've been logged in for a while. However, the routes that I add in the plugin I develop don't seem to behave the same way.

  • @Yasas-Wijetilake Are you using routeHelpers.setupAdminPageRoute? You probably should if only because it's standardised.

    It sounds like you're hitting the admin relogin prompt.

    It should be sending you to /login so you can reauthenticate again.

  • Hi @julian
    Thanks for the response.

    The problem I have is with API routes. I am using the usual routeHelpers.setupApiRoute to set up these routes with the two middleware I have mentioned earlier.

  • @Yasas-Wijetilake In that case, it sounds like you're using cookie-based auth? I think token based auth doesn't step through that code...

  • Hi @julian
    I am not using anything outside what NodeBB already provides.

    Regarding the API endpoints, I am assigning custom categories to topics. It's admin-only and they can assign categories by navigating via the ⚙️ Topic Tools drop down. Then a dialog box opens with all possible categories. These categories are retrieved from an API endpoint which uses the middleware middleware.ensureLoggedIn and middleware.admin.checkPrivileges.

    However, the API endpoint does not return data if the admin has been logged in for too long.

    I wonder if I am using the above two middleware properly. This is the problem that I have.

  • I think I see the issue here.

    That line checks if it's an API response (which when using setupApiRoute, is set to true), and returns a simple 401 Unauthorized when the admin timeout has passed. Is this what you are seeing?

    If that is the case, it sounds like we should be:

    • passing something more standard
    • gracefully handling this in the API module

    Let me look into this further.

    Edit: Looking at the list of http response codes, 401 Unauthorized seems to be the best candidate here, so that will remain. I'll update the API module to handle this more gracefully.

  • N.B. There is a reason why some admin actions continue to function despite the admin relogin threshold having passed. A lot of admin functions are still using our websockets implementation, which does not have such a restriction.

    API v3 calls to admin-level functions do.

  • @Yasas-Wijetilake I have now updated the latest core (v3) to handle a 401 response with a prompt to log in.

    If you're on v2 (which I imagine you are), you'll have to handle the promise rejection similarly.

    It'd be something like this:

    try {
      const body = await api.get(...);
    } catch (e) {
      if (e.message === 'Unauthorized') {
        // admin relogin threshold has passed: prompt the user to log in again
      }
    }
  • Hi @julian
    Yes, you're right. That is the problem (401).
    And yes, I am on V2.

    Thanks, that's quite the detailed answer. Super helpful! Let me try this.

  • Wonderful! 😄 Glad to help.
