julianlam / nodebb-plugin-session-sharing

Allows login sessions from your app to persist in NodeBB
MIT License

Readme.md is confusing #115

Closed trancephorm closed 2 years ago

trancephorm commented 2 years ago

It's not that I'm experienced with NodeBB, but the Readme.md could be a bit more understandable:

Correct me if I'm wrong, but essentially the other site (not NodeBB), hosted on another subdomain, has to validate the username and password against NodeBB's forum user database, and if the login is correct, a specially crafted cookie with a JWT payload should be saved to the parent domain. Or if that exact same database exists elsewhere, it may do login validation wherever it is, but I guess then some database synchronization would be needed? Then if NodeBB detects that cookie in the payload, it will automatically log on the user in the cookie? I'm asking because I think I may have understood it wrongly - what I actually need in my case is for NodeBB itself to emit a cookie which will then be inspected on another subdomain just to fetch the username that is logged on to NodeBB. So, let's say the app on the subdomain should "blindly" believe the cookie emitted by NodeBB. So I kind of need the same functionality but in the opposite direction.

Please, if someone can clarify and tell me if there's any plugin that facilitates the behaviour I need.

I see some session cookie is saved by NodeBB (but it's not deleted after logout?). I guess that cookie could be somehow decoded on the other subdomain if somehow that cookie is saved to the parent domain? Even that would be sufficient for me.

Thanks!

julianlam commented 2 years ago

Hey, sorry about the delay -- what you've described is not quite right.

All this plugin does is read the cookie saved by other sites on the same domain. So someone logs into app.example.com, they get a cookie that is readable by NodeBB @ forum.example.com.

forum.example.com takes that cookie, decodes it and verifies it via the shared secret, and logs the user in if the uid in the payload matches an existing user. Otherwise it will create a new user with the additional data supplied (username, etc.).

Hope that makes sense!