Since they're global, it doesn't seem to make sense that they're reloaded every time you navigate to a different page. Would save a few reflows if they were persistent like the navbar.

Since 0.7, you can pass a db option to LevelUP to swap out the default LevelDOWN with anything LevelDOWN-API compliant, allowing you to seamlessly (save an npm install) store your data in all of these. It'd be pretty awesome if NodeBB could do that

Ah, I've played around with that too... with a properly decoded JWT, you could theoretically just call req.login and log in the user. But that's implciitly trusting the token itself, so if your secret ever got out, then all accounts are essentially compromised

While browsing the 'net, I found a neat little IETF draft standard called JWT (JSON Web Tokens). Basically, the idea is that instead of having sessions on the server and a cookie to match a HTTP request to one of those sessions, one or more claims (i.e. user ID or admin status) are stored in a JSON object which is then signed by the server. (currently through either HMAC, RSA or ECDSA) The client then stores this in usually either localStorage or sessionStorage and sends it along in an HTTP header with any request requiring authorization. For example: client logs in with username "Example" and password "password" server if user and password match, issue a JWT containing the payload { 'userId': 47 } and send it to the client client stores the JWT in sessionStorage (later) client creates a new topic and sends the JWT along in the Authorization HTTP header server validates the signature in the JWT from the Authorization header with their own secret/key and if it's OK, uses the data from the JWT in the processing of the request (in this case, the userID of 47 is used as creator of the topic) Pros of JWT: The server doesn't need to store sessions! => less load on the server & no shared session store is needed when scaling horizontally as long as all instances share a secret or public/private keypair No cookies => no CSRF! Cons: XSS becomes more dangerous - any malicious script with access to the client's localStorage or sessionStorage for a site can fully impersonate the user until the token expires or is deletes There might be more cons & pros, I am neither good nor experienced enough to fully understand everything ("everything" is a lot though, I do have trouble with way less than that anyway, don't take my words for granted, do your own research, etc. etc. you know the drill ) Some links: General introduction: http://angular-tips.com/blog/2014/05/json-web-tokens-introduction/ Slightly more detailed introduction with INFOGRAPHICS(ish): https://auth0.com/blog/2014/01/07/angularjs-authentication-with-cookies-vs-token/ Web-based token decoder: http://jwt.io/ Express middleware: https://www.npmjs.com/package/express-jwt

@baris said: If we were to update the list automatically the page would be a total mess on a busy forum as topics would have to move around every time a new post comes in. You do have a point there. However, you could still do it in a Facebook-esque style: Without refreshing: When a reply is made to an existing topic (or a status, on FB) is made, do nothing (or alternatively, only update the reply count & "X posted Y minutes ago" snippet) When a new topic is made, add it to the top of the list When refreshed: List every topic in order of most recent reply (current behaviour)

For some reason socket.example.com/socket.io/1/?t=[a whole bunch of numbers] doesn't set CORS headers half of the time when I start NodeBB, causing any and all WebSocket connections to fail... but I guess that's a socket.io issue, not a NodeBB one.

Considering Redis' clustering is strictly master-slave and doesn't support multi-master, it would be nice to be able to read and write from different Redis instances. A very basic example: reading from the local Redis slave while writing to an external Redis master. Compared to the current situation (reading from and writing to the same Redis instance, which has to be the master because you can't write to slaves), this would result in data being returned faster from the local slave and the load on the remote master would be lowered. Some potential failover situations: Master up, slave(s) down: Read from the Master instead of the slaves Master up, one of many slaves down: Read from the node specified in the config as failover for this one, if not configured read from other slave, if all slaves are down read from master. Master down, slave(s) up: Enter a StackOverflow-esque read-only mode, 503 all requests to the yet-to-be-written Write API.

Actually it doesn't matter which db you choose, the system (as of maybe a month and a bit ago?) will re-install the relevant database packages as soon as you select it in the install steps (as opposed to installing it initially when you do npm install for the first time). So your problem really is, that LevelDB might have some issues installing with CentOS? Have a look here, if it works for you I'd definitely appreciate if you can let me know what you did so that I can add it to the docs

I'm not too sure if we should be adding too much logic in the templates (gets super messy). That said, there is a way for you to accomplish the above, via helpers. JS: templates.registerHelper('iterateFn', function(data, iterator, total) { return (data.someVar && iterator === 3) ? true : false; }); Templates: <!-- BEGIN someLoop --> {function.iterateFn} <!-- END someLoop --> Some real-world examples found here (none using the iterator variable as of yet though)