[nodebb-plugin-session-sharing] Session Sharing

NodeBB Plugins
  • Session Sharing for NodeBB

    In a nutshell, this plugin allows you to share sessions between your application and NodeBB. You'll need to set a
    special cookie with a common domain, containing a JSON Web Token with user data. If sufficient, this plugin will
    handle the rest (user registration/login).

    How is this related to SSO?

    Single Sign-On allows a user to log into NodeBB through a third-party service. It is best (and most securely)
    achieved via OAuth2 provider, although other alternatives exist. An example of a single sign-on plugin is

    Single sign-on does not allow a session to become automatically created if a login is made to another site.
    This is the one misconception that people hold when thinking about SSO and session sharing.

    This session sharing plugin will allow NodeBB to automatically log in users (and optionally, log out users)
    if the requisite shared cookie is found (more on that below).

    You can use this plugin and single sign-on plugins together, but they won't be seamlessly integrated.

    How does this work?

    This plugin checks incoming requests for a shared cookie that is saved by your application when a user
    logs in. This cookie contains in its value, a specially crafted signed token containing unique identifying
    information for that user.

    If the user can be found in NodeBB, that user will be logged in. If not, then a user is created, and that
    unique identifier is saved for future reference.

    Read more at the project repository


  • This is fantastic! Just what I was looking for. Thanks!!

  • This is awesome. Thanks. Can it be used to share sessions between two nodebb instances?

  • @manan That would be quite tricky, but doable. The exact implementation depends on the relationship between the two boards, but either way, you're looking at custom work as this plugin won't do this out of the box.

    Thanks @jeffbski!

  • This sounds perfect -- for our game (forum at http://forum.traverse.world/) I'd love to authenticate on forum, and share session with the game.

    Can I use this plugin to share session in that direction? (from nodeBB to app)

  • @xulture If your game can read the mongodb database the forum uses (or Redis), then you can use the express.sid cookie to retrieve their session from the NodeBB database and log them in that way.

  • That's perfect thanks!

    So we'll just need to launch the game from forum, via custom URL protocol handler, to pass the cookie, and re-validate on the server when game client connects to game server (that can query db via nodejs)

  • v1.0.13 released

    • [Bug] Fixed issue where if a user was created by the session sharing plugin and subsequently deleted (in the ACP), a new login through session-sharing would result in an endless loop as the user reference was missing. A new user is now created.
  • v2.0.0 Released

    • NodeBB v1.0.1+ compatible, and hooks into core's IP blacklist functionality. If a blacklisted IP has a session cookie, they will not be able to log in.
  • @julian This plugin looks great. I'm linking to the forum from within a mobile app, so it will be perfect for user experience.

    I'm having a couple of issues getting it to work though:

    • From the Session Sharing admin page on user search I keep getting 'We were unable to find a remote id belonging to that user'. I assumed this was just the uid? I don't get any results for remote ID search using uids.

    • Running NodeBB in dev mode, I can call the '/debug/session/' endpoint and get a 200 OK response. A document in the sessions collection is created with session value {"cookie":{"originalMaxAge":1209600000,"expires":"2016-05-25T14:36:09.230Z","httpOnly":true,"path":"/"}}' but no testUser is created.

    • I've tried creating a cookie to test in the browser with 'javascript:document.cookie="token=<JWT token>"' but it doesn't seem to be picked up by the page

    I do have the authentication overridden (hook "action:auth.overrideLogin") with my own system, so I'm hoping that isn't related to this, or likely to cause issues down the line.

    I'm currently running v1.0.2, if that helps.

  • I keep getting 'We were unable to find a remote id belonging to that user'. I assumed this was just the uid? I don't get any results for remote ID search using uids.

    That search would be for putting in a NodeBB ID and finding the "remote id" associated with it. e.g. uid 1 on NodeBB is linked to session share id of 2b54c8d65eaff, so you can search for 1 and get that ID back.

    /debug/session gives you the cookie, but won't create the user until you access the site itself.

    The cookie set via javascript may not be read because the session sharing cookie is http only. That may be why...

  • Thanks @Julian.
    It's all working now!

  • Hey @julian , thanks for this useful plugin.

    Why is username or first and last name required in addition to ID inside the JWT? Is it possible to remove this requirement and only require ID to be contained in the JWT?

    Surely the user's account can be located with just the ID, correct?

  • @biz The username (or firstName/lastName combo) is required only so that if the user isn't found, a user can be created with that information.

  • @julian

    When I remove the requirement for username or full name, the findUser does not find the user, the async.parallel returns:

    { uid: null, mergeUid: null }

    and line 185, the last else clause, would be executed

    I suspect it has to do with lines 159 and 160, but I do not understand the code here, do you have any ideas?

  • @biz Never mind, I had to remove lines 158-161 and 188 and then it works. Thanks a lot for all your work!

  • I don't know how this auth process works with JWT.
    I have NodeBB at forum.example.com and a nodejs app at example.com, with a reverse proxy in nginx. I have a few questions:

    -When a user logs in or signs up, which route should we POST to?
    -Do I need to install jsonwebtoken (npm install jsonwebtoken)?
    -Is the JWT Secret key obtained from the jwt.io website?
    -How can I save a cookie to the user's browser?
    -When I achieve all this and users log in with NodeBB credentials, how can I access the currently logged in user's info?
    -Do I need to include the user's password in the JSON web token?
    -Do I need to set the secret in the NodeBB admin panel?

    Edit: So I did some googling, and from what I understand I need to post the user info to some expressjs route on my app, generate the JSON web token in the backend, and use some cookie plugin for nodejs. But my last two questions remain unclear to me.
