julianlam / nodebb-plugin-session-sharing

Allows login sessions from your app to persist in NodeBB
MIT License

Duplicate users created in NodeBB #76

Open danstaak opened 5 years ago

danstaak commented 5 years ago

I'm experiencing an intermittent issue with this plugin where duplicate users are being created in NodeBB.

I have seen an instance where a user had 4/5 duplicate profiles created.

Sometimes the usernames are exactly the same, sometimes they are appended with '0'

I have a Node.js web app running the 'frontend' logic (routes, views, etc.). I am using a Node.js proxy (http-proxy-middleware) to get the forum to show on the same domain as the 'frontend' web app.

A user has a profile created on the frontend of the website, with a single-sign-on cookie created and sent to the user (cookie contains their profile information).

Code example of creating the SSO cookie:

const JWT = require('jsonwebtoken'); // jsonwebtoken package; JWTSECRET and COOKIENAME are app config values

let user = {
  username: 'john smith',
  picture: 'https://image.com',
  // ... remaining profile fields omitted here
};

// Sign the profile as a JWT with the secret shared with NodeBB's session-sharing plugin
let token = JWT.sign(user, JWTSECRET);

// res is an Express response; the cookie is read by NodeBB via the proxy on the same domain
res.cookie(COOKIENAME, token, {
  maxAge: 3600000, // 1 hour
  secure: true,
  httpOnly: true
});

I've looked at the payload for the duplicate user entries and they are exactly the same (bar uid, joindate and lastonline).

Out of the last 12 signups, 1 of them is a duplicate - so it's not something that is happening all the time.

Possibly related to https://github.com/NodeBB/NodeBB/issues/6048

julianlam commented 5 years ago

Are all the duplicate accounts created at the same time?

Can you reproduce in a vanilla install of NodeBB+session sharing?

danstaak commented 5 years ago

@julianlam Thanks for your quick reply!

The timestamps are slightly different — see below (I've omitted everything from the objects which was exactly the same between the two profiles):

{
    "uid": 261,
    "joindate": 1560119281212,
    "lastonline": 1560119281212,
    "profileviews": 0,
}

{
    "uid": 262,
    "joindate": 1560119281807,
    "lastonline": 1560119603175,
    "rss_token": "60ac11cb-ea81-44a9-a058-c17841123c6b",
    "profileviews": 1,
}

I'll try and replicate in a vanilla install of NodeBB+session sharing.

danstaak commented 5 years ago

I managed to replicate the error locally with the following steps:

julianlam commented 5 years ago

@danstaak That's really weird, as the session sharing token isn't susceptible to replay (well, only in the sense that using the same token logs you in instead of registering a new user).

Are you stopping and refreshing in quick succession? Definitely doesn't seem right. Hopefully I can reproduce.

julianlam commented 5 years ago

What is the base name in the session-sharing plugin settings? Check that base name's set in the database, e.g. appId:uid, what do you see?

danstaak commented 5 years ago

@julianlam It is a strange one!

Are you stopping and refreshing in quick succession? Definitely doesn't seem right. Hopefully I can reproduce.

I was stopping and starting it quite quickly

What is the base name in the session-sharing plugin settings? Check that base name's set in the database, e.g. appId:uid, what do you see?

The field in the plugin settings is blank/empty. Should this be set to something?

julianlam commented 5 years ago

If the field is empty, then the default is appId. What is the result of zrange appId:uid 0 -1 WITHSCORES?

In mongo, that'd be db.objects.find({ _key: "appId:uid" }).pretty();

danstaak commented 5 years ago

NodeBB is running off of postgres so if I've used the right query

SELECT COUNT(*) as count FROM "public"."legacy_object" WHERE "_key"::TEXT LIKE '%appId:uid%';

I get the following:

_key type expireAt
appId:uid zset

But I'm not sure if that's the right query?

danstaak commented 5 years ago

I've also been able to replicate the problem in more of a 'real-life' user scenario, rather than a developer really trying to break it as described above.

Here's how:

danstaak commented 5 years ago

Hey @julianlam, Do you have any ideas on how I might be able to resolve this?

julianlam commented 5 years ago

Not at present, because I am unable to reproduce it in any meaningful manner.

The only way this would happen is if the initial request comes and creates a user, and then before the user is properly created, another request (from the same user) comes in and kickstarts the user creation process again.

I could add a sort of "in-process" cache and maybe handle repeat requests...

uplift commented 5 years ago

FYI: I've seen this in our system too but was never able to replicate it and was very intermittent.

chocolatkey commented 2 years ago

Hello, we run a forum at https://forums.j-novel.club/ that uses this plugin for session sharing with the main site. After our upgrade to NodeBB 2.0.0 (from a version a few behind) we are now experiencing this issue, and it is happening pretty often. Duplicate users are being created despite the session token explicitly specifying their forum account ID, username, and email for an existing account. I am happy to provide any more information that is necessary to solve this issue.