/user/<xyz>/2factor Access Denied?

@julian - Done! Thank you for the quick responses.

In one case, it is a user in the "Global Moderator" group, on which I just turned on enforced 2FA, but the user does not have 2FA set up yet. That user seems to be forced to visit /user/<user1>/2factor no matter what the route is.

Another case is a user not in any group but does have 2FA set up. In this case, user2 can log in, and browse around. Just /user/<user2>/2factor would give an Access Denied.

Hi, I enabled 2 factor authentication on my site. Just now I got "Access Denied" when logged in as a user.

I am running 3.7.2. I get this both as a regular user, or as the site administrator visiting any user's 2factor settings page. Although I can see my own 2factor settings as the site administrator.

Just wonder . . . is this caused by any setting that I may have missed? Has anyone else seen this issue?

I did do a search of "2factor access denied" on this forum before posting this. Any information would be much appreciated.

I see that this site has nodebb-plugin-link-preview version 1.3.2 installed and enabled.

So I did a test here: Test YouTubeLink, but the link is shown as a regular link, not a preview box.

What did I miss?

Thanks for any insights!

@baris Thank you for the quick fix! It works now.

Had a bit of time to try to debug this. I started the up NodeBB in VS Code in a debug session and set break points in Google.init() and Google.getStrategy() functions. The debugger stopped in both. However, in Google.getStrategy() I found both Google.settings.id and Google.settings.secret undefined.

It seems that the async call to meta.settings.get('sso-google', ...) finished after the call to Google.getStrategy(), so even though the the Google ID and secret are loaded fine, they are too late.

I am running NodeBB with a PostgreSQL backend for that matter.

The strange thing is . . . there is no error message.

I tried with logger configured to debug level, this is all I got in the logs/output.log:

Clustering enabled: Spinning up 1 process(es).

2024-01-28T05:04:42.055Z [4567/645445] - info: Initializing NodeBB v3.6.4 https://bbs.9rivers.com
2024-01-28T05:04:43.664Z [4567/645445] - info: [socket.io] Restricting access to origin: https://bbs.9rivers.com:*
2024-01-28T05:04:43.928Z [4567/645445] - info: [api] Adding 0 route(s) to `api/v3/plugins`
2024-01-28T05:04:43.955Z [4567/645445] - info: [router] Routes added
2024-01-28T05:04:43.962Z [4567/645445] - info: 🎉 NodeBB Ready
2024-01-28T05:04:43.964Z [4567/645445] - info: 🤝 Enabling 'trust proxy'
2024-01-28T05:04:43.967Z [4567/645445] - info: 📡 NodeBB is now listening on: 0.0.0.0:4567
2024-01-28T05:04:43.967Z [4567/645445] - info: 🔗 Canonical URL: https://bbs.9rivers.com

Did that. The loginStrategies started as an empty array, and ends an empty array after that statement -- The Google SSO plugin did not fill it.

I'm trying to read the Google.init() function but that doesn't seem to be the one to debug next . . . and I'm getting a sleepy...maybe tomorrow.

Thanks @baris -- Took me a while to get back to this.

I ran https://community.nodebb.org/api/login?pretty=1 in a private window and get a JSON object with this:
alternate_logins: true,
and "authentication" containing 4 objects (the login's I see on the login page.

However, when I did that on my own installation, I got:
alternate_logins: false,
and "authentication" an empty list.

I know I have built and restarted my nodebb installation after installing and activating nodebb-plugin-sso-google . . . what else should I look next??

Thank you!

Yes. I am using the Harmony theme. This is a fresh installation, no custom CSS code is used.

I checked the logs/output.log, there was no error except for 2 warnings:

WARNING: The keyword 'none' must be used as a single argument.
    ../../node_modules/bootstrap/scss/mixins/_box-shadow.scss 10:9   box-shadow()
    ../../node_modules/bootstrap/scss/forms/_form-control.scss 40:7  @import
    bootstrap/scss/_forms.scss 3:9                                   @import
    - 19:9                                                           root stylesheet

WARNING: The keyword 'none' must be used as a single argument.
    ../../node_modules/bootstrap/scss/mixins/_box-shadow.scss 10:9  box-shadow()
    ../../node_modules/bootstrap/scss/forms/_form-select.scss 32:7  @import
    bootstrap/scss/_forms.scss 4:9                                  @import
    - 19:9                                                          root stylesheet

Here is the list of all installed plugins:

$ ./nodebb plugins
Active plugins:
        * [email protected] (installed, disabled)
        * [email protected] (installed, enabled)
        * [email protected] (installed, disabled)
        * [email protected] (installed, enabled)
        * [email protected] (installed, enabled)
        * [email protected] (installed, enabled)
        * [email protected] (installed, enabled)
        * [email protected] (installed, disabled)
        * [email protected] (installed, disabled)
        * [email protected] (installed, enabled)
        * [email protected] (installed, enabled)
        * [email protected] (installed, enabled)
        * [email protected] (installed, disabled)
        * [email protected] (installed, disabled)
        * [email protected] (installed, disabled)
        * [email protected] (installed, enabled)

Again, thank you for the replies.

Thank you for the response.

I expected to see "Sign in with Google" but not the others. Yet I am not seeing the "Alternative Logins" at all.

I don't see any error message with "nodebb log" when I restart it. How do I troubleshoot this?

Happy New YEar!

I just installed NodeBB version 3.6.1 on a Ubuntu server to test nodebb-plugin-sso-google.

I followed the documentation to create a Google oAuth client ID and configured the plugin in NodeBB.

Everything seems to work after I re-built and restarted the app, except that I don't seem to be able to find a way to login using Google.

What did I miss? Thank you in advance for any help / insights . . .

@phenomlab It seems that I may have it fixed.

As I could log in using the old domain, I took out the Session cookie domain setting in the admin section. Then log in using the new domain started to work. Actually, both domains work now.

Earlier I changed that value from the old domain name to the new domain. But that didn't work. Then I saw a tip under the setting box that reads "Leave blank for default". So I made it blank. I assume that the default is the host name in the HTTP request?

I want to think you for your writing. That lead me to the right direction.

@phenomlab Silly me! I was distracted...I edited the post with login errors added. Invalid CSRF is indeed what I got. I'll go read the details you provided. Thank you!

I have been testing NodeBB successfully for a while. Now I want to change its domain name -- I cannot get it to log me in using the new domain.

NodeBB is running behind a Nginx proxy, I believe that I have change all the configurations to refer to the new domain name.

The old domain is bbs.domain1.com. The new domain is domain2.org.

[EDIT]:
When trying to log into the new domain, I get "Login Unsuccessful / We were unable to log you in, likely due to an expired session. Please try again".

On the backend in the NodeBB log, I get this:

2023-09-11T06:10:16.139Z [4567/191235] - error: POST /login
invalid csrf token

The funny thing is, however, I can still log in using the old domain, even after I removed it from the Nginx proxy config, as both domain names resolve to the same server for now.

I tried to remove all session info from the database, restarted NodeBB, etc. all to no avail.
[/EDIT]

Here is the Nginx proxy config:

server {
        server_name     domain2.org;

        # SSL configuration
        #
        listen 443 ssl;
        ssl_certificate /etc/letsencrypt/live/bbs.domain1.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/bbs.domain1.com/privkey.pem; # managed by Certbot


        location / {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-NginX-Proxy true;
                proxy_set_header Host $http_host:$server_port;
                proxy_pass http://127.0.0.1:4567;
                proxy_cookie_domain domain2.org $host;
                proxy_ssl_session_reuse on;
                proxy_cache_bypass $http_upgrade;
                proxy_redirect off;
                # Socket.IO Support
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
        }
}

The config.json file for NodeBB is:

{
    "url": "https://domain2.org",
    "secret": "###################################",
    "database": "postgres",
    "postgres": {
        "host": "127.0.0.1",
        "port": "5432",
        "username": "nbbuser",
        "password": "############################",
        "database": "nodebb",
        "ssl": "false"
    },
    "bind_address": "127.0.0.1",
    "port": "4567"
}

Any pointers / thoughts / insights would be greatly appreciated!

I am having the exact same problem. I am running version 2.8.6 with a PostgreSQL database. Where do I check for "the entry for confirm:<uuid>"?

Edit: Maybe my issue is slightly different: I checked the new user's account. The email address is actually marked as validated, even after the 404 response.

Thanks!

Thank you all for the responses. This is a wonderful community - Makes me feel much better exploring this new thing.

Wishing you all the best!

@julian : That did it! Thank you much.

Yes. I use nginx -- I should have mentioned that in the original post.

That option was set to proxy_set_header X-Forwarded-Proto http;

@PitaJ - Yes, I have. Tried different browsers, private windows, etc. No luck.

@phenomlab - I think the cookieDomain setting may be what I need. Could you please be more specific? Do I need to clear that setting (as shown in your linked post)? Or set it specifically to my domain? I ask because the current setting seems to be empty (not set to anything.)

Thank you both for your responses.

Fairly new to NodeBB. Just got one site up with PostgreSQL as the backend.

Initially version 1.5.1 was installed which has been upgraded to ver 2.8.2 a few days ago.

It is still running in dev mode, so I only got one user registered from the initial installation. Now I am not able to register any new user.

Every time I try, I get an error message:
Registration Error
We were unable to log you in, likely due to an expired session. Please try again

On the console, I see logs like this:
2023-01-24T06:51:40.275Z [4567/73890] - error: POST /register
invalid csrf token

At this point, I don't know how to proceed. Any help would be greatly appreciated.