julianlam / nodebb-plugin-session-sharing

Allows login sessions from your app to persist in NodeBB
MIT License

Revalidate when unbanned #64

Closed uplift closed 5 years ago

uplift commented 5 years ago

Is there a way to revalidate a session when a user is unbanned but trust otherwise?

I was looking at the changes for 4.30 (https://github.com/julianlam/nodebb-plugin-session-sharing/commit/8fcc9ba6157ab8989ffbdbb6a6927413ef58d53b) and trying to rewrite it slightly to handle part of this, so the sessionSharingBan data is maintained across pages instead of only on the first page they visit, so the 'login to reply' button can be hidden while a user is banned.

```js
// `plugin`, `async` and `user` are defined in the surrounding plugin module.
plugin.appendTemplate = (data, callback) => {
    var sessionSharingData = data.req.session.sessionSharing;

    if (sessionSharingData && sessionSharingData.banned) {
        async.waterfall([
            async.apply(user.isBanned, sessionSharingData.uid),
            function (isBanned, next) {
                if (!isBanned) {
                    // Ban has been lifted: drop the stale session-sharing data
                    delete data.req.session.sessionSharing;
                    return next(null, data);
                }

                user.getLatestBanInfo(sessionSharingData.uid, (err, info) => {
                    if (err) {
                        return next(err);
                    }

                    data.templateData.sessionSharingBan = {
                        ban: info,
                        banned: true,
                    };

                    next(null, data);
                });
            },
        ], callback);

        return;
    }

    setImmediate(callback, null, data);
};
```

This causes the bootbox modal to show on every page, however. Would it be possible to move this logic to the theme and wrap it in some logic just to show once maybe?

Even though the above code now checks if a user is still banned before adding ban data, the session isn't revalidated and login to reply buttons still show. I'm not sure of the best way to go about this?

julianlam commented 5 years ago

If you don't want to check the ban state every time this code runs, you can save stuff into req.session, which persists across loads... which I wager you'd figured out already.

You could add something like sessionSharingData.bannedShown, and if it's already true, then don't show the modal?
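The `bannedShown` idea from the comment above, sketched as an added example; it is not code from the plugin or from either commenter. It assumes a hypothetical `showModal` field for the theme to read and a hypothetical `userApi` stand-in whose `isBanned(uid)` and `getLatestBanInfo(uid)` return promises.

```javascript
// Added example. Only sessionSharing, sessionSharingBan, banned, uid and
// bannedShown come from the thread; every other name is hypothetical.

// Pure state transition: given the session, the template data and a fresh
// ban lookup, decide what the page should render. Kept free of I/O so the
// show-once behaviour can be checked without a running forum.
function applyBanState(session, templateData, isBanned, banInfo) {
  const shared = session.sessionSharing;
  if (!shared || !shared.banned) {
    return 'not-flagged';
  }
  if (!isBanned) {
    // Ban lifted: drop the stale flag so later page loads stop treating
    // this session as banned.
    delete session.sessionSharing;
    return 'cleared';
  }
  // Still banned: expose ban data on every page (so the theme can hide
  // "login to reply"), but request the modal only the first time.
  templateData.sessionSharingBan = {
    ban: banInfo,
    banned: true,
    showModal: !shared.bannedShown, // hypothetical field read by the theme
  };
  shared.bannedShown = true; // stored in the session, so it survives page loads
  return 'banned';
}

// Hook wrapper: performs the lookups, then applies the transition above.
// `userApi` is an injected stand-in (assumption), not NodeBB's user module.
async function appendTemplate(data, userApi) {
  const shared = data.req.session.sessionSharing;
  if (shared && shared.banned) {
    const isBanned = await userApi.isBanned(shared.uid);
    const info = isBanned ? await userApi.getLatestBanInfo(shared.uid) : null;
    applyBanState(data.req.session, data.templateData, isBanned, info);
  }
  return data;
}
```

Clearing the flag here only removes the ban data from the session; it does not by itself log the user back in.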

uplift commented 5 years ago

That makes sense. Don't know why I didn't think of that myself. What about revalidating the session once unbanned? Currently they have to log in again once unbanned to be able to access the forum even though they are already logged in to the Website Account, which causes confusion.

julianlam commented 5 years ago

Hi @uplift is this still an issue? If a user is unbanned, then the next time they visit the forum session-sharing should validate their cookie (assuming they still have one), right?

uplift commented 5 years ago

I worked around it by using the appendTemplateData trick in our plugin to check if they are unbanned and setting a flag, then doing a sessionrefresh/reload to update the page. Not ideal, as the page reloads. Is there something nicer that could work?

Basically the session needs to revalidate when unbanned.