Help with SSO plugin (my first plugin)
-
I am in the earlier stages of writing my first plugin, a SSO plugin that is based off of the gist that @julian provided at https://community.nodebb.org/topic/812/using-php-sessions-with-nodebb/23:
How to create a login override plugin
My plugin is at:
https://github.com/contentblvd/nodebb-plugin-sso-session
And the library.js is almost identical to the gist above. The only change I made is to hardcode the uid variable, for early testing purposes. My thought was that it would auto login to the uid=1 user. (Later I plan to add the real logic for the login.)
I have activated the plugin, but nothing happens, nothing shows in the logs either (./nodebb log). As suggested by @julian in the thread linked above, I am trying to use the action:auth.overrideLogin hook.
I am pretty sure I am missing something (or several things!). Any guidance is greatly appreciated.
-
Okay, got past the first issue (after learning how to do ./nodebb dev) -- I needed to require winston in library.js.
Now I get an error when I try to submit the login form:
9/9 10:53 [2522] - error: /login Error: Can't set headers after they are sent.
    at ServerResponse.OutgoingMessage.setHeader (_http_outgoing.js:335:11)
    at ServerResponse.header (/path/to/NodeBB/node_modules/express/lib/response.js:718:10)
    at ServerResponse.send (/path/to/NodeBB/node_modules/express/lib/response.js:163:12)
    at /path/to/NodeBB/src/controllers/authentication.js:144:27
    at Strategy.strategy.error (/path/to/NodeBB/node_modules/passport/lib/middleware/authenticate.js:333:18)
    at Strategy.authenticate (/path/to/NodeBB/node_modules/passport-local/lib/strategy.js:93:17)
    at attempt (/path/to/NodeBB/node_modules/passport/lib/middleware/authenticate.js:341:16)
    at authenticate (/path/to/NodeBB/node_modules/passport/lib/middleware/authenticate.js:342:7)
    at continueLogin (/path/to/NodeBB/src/controllers/authentication.js:196:4)
    at authenticationController.login (/path/to/NodeBB/src/controllers/authentication.js:121:10)
9/9 10:53 [2522] - error: Error: Can't set headers after they are sent.
    at ServerResponse.OutgoingMessage.setHeader (_http_outgoing.js:335:11)
    at ServerResponse.header (/path/to/NodeBB/node_modules/express/lib/response.js:718:10)
    at ServerResponse.send (/path/to/NodeBB/node_modules/express/lib/response.js:163:12)
    at defaultFn (/path/to/NodeBB/src/middleware/middleware.js:314:10)
    at /path/to/NodeBB/src/middleware/middleware.js:362:7
    at /path/to/NodeBB/public/src/modules/translator.js:160:6
    at /path/to/NodeBB/public/src/modules/translator.js:180:4
    at /path/to/NodeBB/public/src/modules/translator.js:226:6
    at /path/to/NodeBB/public/src/modules/translator.js:291:4
    at fs.js:334:14
Error: Can't set headers after they are sent.
    at ServerResponse.OutgoingMessage.setHeader (_http_outgoing.js:335:11)
    at ServerResponse.header (/path/to/NodeBB/node_modules/express/lib/response.js:718:10)
    at ServerResponse.send (/path/to/NodeBB/node_modules/express/lib/response.js:163:12)
    at defaultFn (/path/to/NodeBB/src/middleware/middleware.js:314:10)
    at /path/to/NodeBB/src/middleware/middleware.js:362:7
    at /path/to/NodeBB/public/src/modules/translator.js:160:6
    at /path/to/NodeBB/public/src/modules/translator.js:180:4
    at /path/to/NodeBB/public/src/modules/translator.js:226:6
    at /path/to/NodeBB/public/src/modules/translator.js:291:4
    at fs.js:334:14
9/9 10:53 [2522] - info: [app] Shutdown (SIGTERM/SIGINT) Initialised.
Thoughts?
-
https://github.com/contentblvd/nodebb-plugin-sso-session/blob/master/library.js#L19-L24
You cannot call next(); twice here, it's either called for success or failure, and here, you're calling it for both. It's supposed to be wrapped in a conditional.
-
Despite the error in the logs above, I just noticed that the plugin did do its thing, it logged in uid=1 regardless of what user/pass was submitted.
So far, so good, but not quite the flow I was hoping for.
Here is what I am trying to achieve, maybe there is a better hook to use:
- user signs in to our app, which is on a different subdomain from nodeBB (i.e. app = app.domain.com and nodeBB = nodebb.domain.com)
- our app adds a session cookie for .domain.com (ensuring that other subdomains can access the cookie)
- user arrives at nodebb.domain.com
- plugin immediately gets triggered, and checks for the app session cookie
- if found, plugin does work to validate the session and identify the user
- if valid, login matching user or register new nodeBB user
- user logged in
All without the user needing to click the Login link, of course.
Any suggestions? The plugin, as it stands now, seems to require a post of the local login form to get triggered, whereas ideally the following logic would happen: IF nodeBB session exists, use it ELSE: look for app session cookie as described above...
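The "validate the session and identify the user" step of the flow above, as an added example that is not part of the original post or the plugin's code: it accepts a uid only from a cookie whose HMAC and expiry check out, and reports the outcome through exactly one callback call. The cookie name, the hex(JSON).hex(HMAC) format, the secret and all function names are assumptions for illustration; NodeBB's hook signature is not modelled.

```javascript
const crypto = require('crypto');

const COOKIE_NAME = 'app_session';        // hypothetical cookie the app sets for .domain.com
const SECRET = 'constructed-demo-secret'; // constructed value; load from config in practice

// Assumed cookie format: hex(JSON payload) + "." + hex(HMAC-SHA256 of that hex string).
function sign(payload) {
  const body = Buffer.from(JSON.stringify(payload)).toString('hex');
  const mac = crypto.createHmac('sha256', SECRET).update(body).digest('hex');
  return body + '.' + mac;
}

// Pull one cookie value out of a raw Cookie request header.
function readCookie(header, name) {
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx > 0 && part.slice(0, idx).trim() === name) return part.slice(idx + 1).trim();
  }
  return null;
}

// Returns the uid from a valid, unexpired cookie, or null. Never throws.
function uidFromCookie(header, nowMs = Date.now()) {
  const value = readCookie(header, COOKIE_NAME);
  if (!value) return null;
  const dot = value.lastIndexOf('.');
  if (dot < 1) return null;
  const body = value.slice(0, dot);
  const given = Buffer.from(value.slice(dot + 1), 'hex');
  const expected = crypto.createHmac('sha256', SECRET).update(body).digest();
  // Verify the MAC in constant time before parsing anything the client controls.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  let payload;
  try { payload = JSON.parse(Buffer.from(body, 'hex').toString('utf8')); } catch (e) { return null; }
  if (!payload || !Number.isInteger(payload.uid) || payload.uid < 1) return null;
  if (typeof payload.exp !== 'number' || payload.exp <= nowMs) return null;
  return payload.uid;
}

// The callback fires exactly once: failure or success, never both.
function resolveLogin(cookieHeader, next) {
  const uid = uidFromCookie(cookieHeader);
  if (uid === null) return next(new Error('no valid app session'));
  return next(null, uid);
}
```

A hardcoded uid, as in the early test version, skips every check in uidFromCookie, which is why any submitted user/pass ended up logged in as uid=1.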
-
@julian Thanks, I understand that part better now. I added conditionals and now that error goes away. It seems to be working now as designed for that hook -- any suggestions regarding other hooks to use, to achieve the flow I described in my previous message in this thread?