Using PHP sessions with nodebb?

Joel Murphy

I'm a huge fan of nodebb, but there's one thing that's preventing me from making the switch from my existing forum software right now - the fact that you need separate login credentials just to use a forum.

Seen as like 80% of websites are written in PHP, it would be really nice if there was a way to share sessions from PHP to nodejs so that you can just navigate from domain.com to domain.com/forum without the entire nodebb forum software feeling sandboxed from the rest of a website.

Is this something someone has looked into? If so, could they provide any help as to how other developers could implement this sort of functionality within their websites?

Thanks

julian

Hey @joel-murphy! Welcome to NodeBB

We enable single sign-on through third-party plugins. Right now, we support Facebook, Twitter, Gooogle, Steam, and Auth0. Theoretically, plugins can be created that can support any of these providers.

A SSO plugin is a better solution that sharing of sessions.

pwFoo

Some people don't like 3rd party logins. So a API to share session / login via PHP would be great
I need such a solution too.

zackiles

PwFoo, your use case is no different than any other multi-application integration. Any site would have to deal with shared user sessions. This is not PHP though, this is Node/Express, and there is no PHP session ("login") for you to share.

The way I went about doing what you want, is exporting all wordpress users, importing them into nodebb with a custom nodebb-plguin, and also creating a custom login endpoint in my plugin that not only sets the current nodebb session, but sets an additional header to create the wordpress session cookie for the global domain. Wordpress sits on blog.mysite.com and nodebb at forum.mysite.com. That extra cookie is than shared. You could then set the PHP session by doing something useful with that cookie. In my case, both NODEBB and other apps on my site share the same custom session storage with MongoDB. One app can read the cookie that nodebb uses, and open the same session over Mongo, thereby sharing user data/state accross applications.

pwFoo

I know nodejs won't use php sessions because it doesn't use php...
With a php based forum it would be simple to share the forum users / logins with the main site.

During main site login I use the forum api to validate user credentials. If api returns a sucessful login also the cms user will be logged in (and the password set to the validated value from the sucessful login).
If no cms user exists but the forum login was sucessful, a new user will be added in the background).

Same behavior during register (create forum user, will be synced during first login or after added sucessful to the forum...) / logout (execute cms and forum logout in the background).

But if nodebb used as forum software I need a api to call from my php login module to validate users and logins...

zackiles

@pwFoo I'm not sure I understand which forum was which in your reply. I think what you're asking is there is an API call in nodebb to validate a user, which there is, @ /api/login. It taks a POST with username/password/_csrf as the body variables (in json). If you're doing this cross site though, you'll need to accomplish the task of generating a csrf token. You can do this by making a GET to /api/login, which gives you a csrf token, make sure to then send the following login POST using that csrf token + the express_sid session cookie (session is tied to csrf token).

Hope that makes sense, or helps you at all. You could created a nodebb plguin that uses some express midlleware that would accomplish all of the above seamlessly. It's best to do in in the plugin where you can customize CORS and other settings on your endpoints for cross domain use.

pwFoo

Hello @zackiles ,
sounds like the feature I'm searching for. Thanks for that hint.

Is there a example code how to use the api login?
I worry that I can't write the needed plugin myself, because I have no experience with nodejs / express...

julian

The best advice (in my opinion) is still to maintain a set of OAuth endpoints on the PHP server so NodeBB can authorize users via the sso-oauth plugin...

pwFoo

Hi @julian, maybe you're right, but I know some people and friends, who won't use a external login service like oauth, google or fb. So I would prefer an direct auth method between (php) cms and nodebb.
Optional a oauth login sure is a nice feature, but I think it shouldn't be the default login method.

zackiles

This post is deleted!

julian

@pwFoo said:

So I would prefer an direct auth method between (php) cms and nodebb.

The OAuth plugin method is actually a direct login method, unless I am not understanding what you are trying to say.

OAuth is a login mechanism, which allows you to enable third-party applications to handle logins through the same username/password mechanism you have running at the moment.

For example, check out the new "Log in via NodeBB.org" button in the login page of this site. It leads to a standalone login page, and utilises OAuth2.

pwFoo

Ok, I have to take a closer look at it. Maybe I'm wrong...

spleen

@julian Hi, one quick question related to the topic: I am trying to setup a forum with NodeBB and would like to use Auth0, do you provide a plugin for that?
if not, how could I implement it?

Thank you

stefan

@zackiles I just happend to have had a similar problem. I just wanted to know whether a user is logged in to nodeBB. i tried the approach you outlined, but it failed because the token didn't match. I was able to get it to work though by using a token parsed from /login/ instead. POSTing this token along w/ username/password did the trick.

KingCat

I'm actually dealing with this right now. I went through the trouble of creating an oauth2 api server and customized the nodebb-plugin-sso-oauth plugin to work with it. However, this is quite a bit of overkill just to have my site users authenticated with the forum. Both the forum and the main site sit on the same server, there's no reason nodebb couldn't authenticate against the same database or share the session.

The points raised here about using the API to authenticate with nodebb simultaneously while logging into the main site are intriguing and will require additional research.

Ideally I'd like to have my users visit the forum page and seamlessly be logged in without any additional clicks or page visits on their part. I don't see the need for an intermediary "Do you authorize this site?" page.

Also, and this is to the devs. It's a little disheartening to see you say "use oauth" every time someone has a question about application integration. OAuth is extremely complex and is like using a flamethrower to light your blunt. It shouldn't have to be that hard, especially if the only authentication integration the site owner is doing is with this forum. Why should I have to create an entire additional API system just to support single sign on? This is not a service I'm providing to my users for other sites. It's not like they're going to visit some other page and try to login with credentials from my site. I'm not twitter/facebook/google, etc.

There's got to be a better way.

julian

@KingCat said:

Also, and this is to the devs. It's a little disheartening to see you say "use oauth" every time someone has a question about application integration. OAuth is extremely complex and is like using a flamethrower to light your blunt. It shouldn't have to be that hard, especially if the only authentication integration the site owner is doing is with this forum.

Thanks for your thoughts on the matter. It's definitely given me something to think about, and we're not tied directly to any one method, per se.

Depending on what you're looking for, there are different strategies that you can utilise to accomplish your task.

Share credentials with another site? Use OAuth2, mostly because it is standardised. The alternative is to have other people build their own integrations with a standardised NodeBB SSO interface, but I feel that this is unnecessarily self-indulgent, especially when OAuth2 is a secure and well-tested system.

Check login credentials on another site via API call? You can build a plugin that attaches a listener to action:auth.overrideLogin. Then you can do whatever you want and log the user in if the provided username/password matches. (For example, you could use this hook to check creds on an SQL database)

jarey

@KingCat said:

I'm actually dealing with this right now. I went through the trouble of creating an oauth2 api server and customized the nodebb-plugin-sso-oauth plugin to work with it. However, this is quite a bit of overkill just to have my site users authenticated with the forum. Both the forum and the main site sit on the same server, there's no reason nodebb couldn't authenticate against the same database or share the session.

The points raised here about using the API to authenticate with nodebb simultaneously while logging into the main site are intriguing and will require additional research.

** Ideally I'd like to have my users visit the forum page and seamlessly be logged in without any additional clicks or page visits on their part. I don't see the need for an intermediary "Do you authorize this site?" page.**

Also, and this is to the devs. It's a little disheartening to see you say "use oauth" every time someone has a question about application integration. OAuth is extremely complex and is like using a flamethrower to light your blunt. It shouldn't have to be that hard, especially if the only authentication integration the site owner is doing is with this forum. Why should I have to create an entire additional API system just to support single sign on? This is not a service I'm providing to my users for other sites. It's not like they're going to visit some other page and try to login with credentials from my site. I'm not twitter/facebook/google, etc.

There's got to be a better way.

For me this is the key point. It would be great if the forum feels like the actual site. One login -> site + forum access.

I'm expecting to have some time to test the oauth2 approach to integrate Nodebb with wordpress site, but i'm concerning if this approach is transparent for the user at the time on login at the forum, because i don't really like an intermediary page in order to log in to the forum. As i said it would be great to have a solution to integrate it, with 1 login and feel like the forum is part of the site.

One example of what i'm trying to say can be seen on the QT site. You sign in to the site, but if you go to the forums, you have to log in again, using the Oauth approach.
It would be great it this could be simplified, to make only 1 login for both.

KingCat

@José-Ángel-Rey-Liñares The upside to using oauth is the user should only need to see the intermediary page once. Once they authorize it should be instant from that point forward unless they clear their browser cookies.

KingCat

@julian said:

Check login credentials on another site via API call? You can build a plugin that attaches a listener to action:auth.overrideLogin. Then you can do whatever you want and log the user in if the provided username/password matches. (For example, you could use this hook to check creds on an SQL database)

This is amazing and exactly what I was looking for. I'm going to hit this hard and try to make something that works. Thanks a lot!

jarey

IS there any Nodebb API call to logout? In order to call it from the external site when login out, to log out from both at once?
I dont know if i'm asking something stupid

@KingCat thanks for the clarification.