[Resolved] Socket UID doesn't match actual UID

Bug Reports
  • When trying to do practically anything in the ACP, I get errors like these:
    warn: [socket.io] Call to admin method ( admin.plugins.toggleActive ) blocked (accessed by uid 0)
    warn: [socket.io] Call to admin method ( admin.analytics.get ) blocked (accessed by uid 0)

    However, reading to the users page in the ACP, the actual user ID of my admin account is 2. Furthermore, there is no user with UID 0 at all.
    The above console warnings seem to be generated by line 43 of /src/socket.io/admin.js.

    This seems especially dangerous, considering that someone else end up with socket.uid = 2 and can do all the admin stuff it's blocking the actual admin from doing.

    I am currently running the latest version of 0.5.x, pulled freshly from GitHub.

    UPDATE: I asked @Dielan to test this as well, when he tried to enable a plugin the exact same warning appeared on the console:
    warn: [socket.io] Call to admin method ( admin.plugins.toggleActive ) blocked (accessed by uid 0)
    Noteworthy is that both of us are apparently UID 0.

    UPDATE 2: When editing a thread, the edit button is occasionally unresponsive, but more importantly when we try to save the edited thread a popup appears reading "You don't seem to be logged in." Is UID 0 the UID used for guests?

    Subforums visible only to staff and the link to the ACP in the header do show up, though.
    And no, the problem does not disappear when relogging, hard-refreshing or restarting NodeBB.

  • Resolved! Turned out that when setting websockets to use a subdomain in the ACP the cookie domain isn't automatically adjusted accordingly, so the cookie express.sid was only available on example.com, whilest websockets were on socket.expample.com.

    Setting cookie-domain to .example.com in config.json fixes this.

  • @Xiph said:

    Is UID 0 the UID used for guests?

    Yes all non logged in users get a uid of 0 for socket calls.

  • For some reason socket.example.com/socket.io/1/?t=[a whole bunch of numbers] doesn't set CORS headers half of the time when I start NodeBB, causing any and all WebSocket connections to fail... but I guess that's a socket.io issue, not a NodeBB one.

Suggested Topics