General OpenID login plugin development

@julian thanks. I've fixed the csrf issue.

another issue appeared

I hook the form page on the route /auth/openid_form with action posting to /auth/openid
also I add the strategy with route /auth/openid

If I fill the form on /auth/openid_form, it POSTs to /auth/openid, but it returns 302 and redirects to /404 and logs warn: Route requested but not found: /auth/openid

I've also tested my OpenID provider with passport-openid example from https://github.com/jaredhanson/passport-openid/tree/master/examples/signon to ensure it is not in provider or my understanding of passport-openid. So it must be my misunderstanding of express and nodebb

I'm very confused

See library.js - http://pastebin.com/HX0MNbmM
and hooks:

  "hooks": [
    {
      "hook": "filter:auth.init", "method": "getStrategy", "callbacked": false
    },
    {
      "hook": "filter:server.create_routes", "method": "addOpenIDLoginRoute", "callbacked": true
    }

Or here is my whole source code of nodebb-plugin-openid
(please, It's development prototype. First I'm aiming for working prototype and then I'll revise it to publish it properly)

I'm trying to create an OpenID auth login and I need help.

According to other SSOs and auth plugins there is a difference that there is no need for admin page with api/app key but before going to /auth/openid there is a form required to specify an OpenID identifier (url) so it POSTs to /auth/openid with open_identifier variable set, which might be different for every user.

I've tried to create an '/auth/openid_form' route and add there a static page with a form (hooked to filter:server.create_routes)

where the form is:

<form action="/auth/openid" method="post">
    <div>
        <label>OpenID identifier:</label>
        <input type="text" name="openid_identifier" size="40" /><br/>
    </div>
    <div>
        <input type="submit" value="Sign In"/>
    </div>
</form>

I can display the form by browsing to /auth/openid_form but when I enter anything I get Error: Forbidden:

Error: Forbidden
    at Object.exports.error (/home/nodebb/www/nodebb/node_modules/express/node_modules/connect/lib/utils.js:60:13)
    at Object.handle (/home/nodebb/www/nodebb/node_modules/express/node_modules/connect/lib/middleware/csrf.js:54:41)
    at next (/home/nodebb/www/nodebb/node_modules/express/node_modules/connect/lib/proto.js:190:15)
    at next (/home/nodebb/www/nodebb/node_modules/express/node_modules/connect/lib/middleware/session.js:313:9)
    at /home/nodebb/www/nodebb/node_modules/express/node_modules/connect/lib/middleware/session.js:337:9
    at /home/nodebb/www/nodebb/node_modules/connect-mongo/lib/connect-mongo.js:220:17
    at /home/nodebb/www/nodebb/node_modules/mongodb/lib/mongodb/collection/query.js:147:5
    at Cursor.nextObject (/home/nodebb/www/nodebb/node_modules/mongodb/lib/mongodb/cursor.js:733:5)
    at commandHandler (/home/nodebb/www/nodebb/node_modules/mongodb/lib/mongodb/cursor.js:713:14)
    at /home/nodebb/www/nodebb/node_modules/mongodb/lib/mongodb/db.js:1806:9

If I do not fill anything as open_identifier /auth/openid just responds 'Unauthorized' which seems ok to me.

I am not sure if this is CSRF issue with recent changes in express/connect or if I am doing something wrong.

Actually, there is another thing... how to add this form into a strategy so it is asked before using passport.auth? I mean, if I push strategy with URL /auth/openid it works fine but I need the link for OpenID login to go to /auth/openid_form first and not call passport.auth on this route and call passport.auth later on /auth/openid

Tips or any heads up?

@planner well, I have a kind of progressive "liberal" or "anarchistic" community where this feature is required. No global or category moderators but only OP has privileges and responsibility for cleaning mess in his own topic and keeping the topic as he wants, because it is his topic

I can imagine why this is a bad idea for most of the communities but my community hates centralized power and wants that power to be decentralized as much as possible

Sure there is admin still able to do anything but it would be used only in very rare cases, where not moderation might cause legal issues (anonymizing unauthorized publication of personal information or law enforcment organizations' requests for content removal)

I see I can configure moderators for a category.
Would it be difficult to implement feature that OP is automatically a moderator of his own topic?
If it is not that difficult, please give me tips how would you implement it so I can try to implement this according to your point of view, so the final plugin or pull request is easier to be accepted if such a feature is wanted.