I'm going to register a protocol handler, so links to anywhere on the fedi will be opened in the user's home instance. https://developer.mozilla.org/en-US/docs/Web/API/Navigator/registerProtocolHandler Has anyone already done this and if so what was the prefix you used? We might as well all use the same thing. I'm thinking web+fedi.
Do I understand this correctly? Sharp node module >v28 requires x86 CPU v2 Is there a work around ? 2025-09-21T15:41:08.141Z [4567/1536] - error: uncaughtException: Could not load the "sharp" module using the linux-x64 runtime Unsupported CPU: Prebuilt binaries for linux-x64 require v2 microarchitecture Possible solutions: - Ensure optional dependencies can be installed: npm install --include=optional sharp - Ensure your package manager supports multi-platform installation: See https://sharp.pixelplumbing.com/install#cross-platform - Add platform-specific dependencies: npm install --os=linux --cpu=x64 sharp - Consult the installation documentation: See https://sharp.pixelplumbing.com/install Error: Could not load the "sharp" module using the linux-x64 runtime Unsupported CPU: Prebuilt binaries for linux-x64 require v2 microarchitecture Possible solutions: - Ensure optional dependencies can be installed: npm install --include=optional sharp - Ensure your package manager supports multi-platform installation: See https://sharp.pixelplumbing.com/install#cross-platform - Add platform-specific dependencies: npm install --os=linux --cpu=x64 sharp - Consult the installation documentation: See https://sharp.pixelplumbing.com/install at Object.<anonymous> (/var/www/nodebb/node_modules/sharp/lib/sharp.js:121:9) at Module._compile (node:internal/modules/cjs/loader:1706:14) at Object..js (node:internal/modules/cjs/loader:1839:10) at Module.load (node:internal/modules/cjs/loader:1441:32) at Function._load (node:internal/modules/cjs/loader:1263:12) at TracingChannel.traceSync (node:diagnostics_channel:322:14) at wrapModuleLoad (node:internal/modules/cjs/loader:237:24) at Module.require (node:internal/modules/cjs/loader:1463:12) at require (node:internal/modules/helpers:147:16) at Object.<anonymous> (/var/www/nodebb/node_modules/sharp/lib/constructor.js:10:1) {"date":"Sun Sep 21 2025 11:41:08 GMT-0400 (Eastern Daylight Time)","error":{},"exception":true,"os":{"loadavg":[0,0.01,0.08],"uptime":1791.04},"process":{"argv":["/usr/bin/node","/var/www/nodebb/nodebb","info"],"cwd":"/var/www/nodebb","execPath":"/usr/bin/node","gid":0,"memoryUsage":{"arrayBuffers":909521,"external":5381104,"heapTotal":86306816,"heapUsed":57019048,"rss":163835904},"pid":1536,"uid":0,"version":"v22.19.0"},"stack":"Error: Could not load the \"sharp\" module using the linux-x64 runtime\nUnsupported CPU: Prebuilt binaries for linux-x64 require v2 microarchitecture\nPossible solutions:\n- Ensure optional dependencies can be installed:\n npm install --include=optional sharp\n- Ensure your package manager supports multi-platform installation:\n See https://sharp.pixelplumbing.com/install#cross-platform\n- Add platform-specific dependencies:\n npm install --os=linux --cpu=x64 sharp\n- Consult the installation documentation:\n See https://sharp.pixelplumbing.com/install\n at Object.<anonymous> (/var/www/nodebb/node_modules/sharp/lib/sharp.js:121:9)\n at Module._compile (node:internal/modules/cjs/loader:1706:14)\n at Object..js (node:internal/modules/cjs/loader:1839:10)\n at Module.load (node:internal/modules/cjs/loader:1441:32)\n at Function._load (node:internal/modules/cjs/loader:1263:12)\n at TracingChannel.traceSync (node:diagnostics_channel:322:14)\n at wrapModuleLoad (node:internal/modules/cjs/loader:237:24)\n at Module.require (node:internal/modules/cjs/loader:1463:12)\n at require (node:internal/modules/helpers:147:16)\n at Object.<anonymous> (/var/www/nodebb/node_modules/sharp/lib/constructor.js:10:1)","trace":[{"column":9,"file":"/var/www/nodebb/node_modules/sharp/lib/sharp.js","function":null,"line":121,"method":null,"native":false},{"column":14,"file":"node:internal/modules/cjs/loader","function":"Module._compile","line":1706,"method":"_compile","native":false},{"column":10,"file":"node:internal/modules/cjs/loader","function":"Object..js","line":1839,"method":".js","native":false},{"column":32,"file":"node:internal/modules/cjs/loader","function":"Module.load","line":1441,"method":"load","native":false},{"column":12,"file":"node:internal/modules/cjs/loader","function":"Function._load","line":1263,"method":"_load","native":false},{"column":14,"file":"node:diagnostics_channel","function":"TracingChannel.traceSync","line":322,"method":"traceSync","native":false},{"column":24,"file":"node:internal/modules/cjs/loader","function":"wrapModuleLoad","line":237,"method":null,"native":false},{"column":12,"file":"node:internal/modules/cjs/loader","function":"Module.require","line":1463,"method":"require","native":false},{"column":16,"file":"node:internal/modules/helpers","function":"require","line":147,"method":null,"native":false},{"column":1,"file":"/var/www/nodebb/node_modules/sharp/lib/constructor.js","function":null,"line":10,"method":null,"native":false}]} Architecture: x86_64 CPU op-mode(s): 32-bit, 64-bit Address sizes: 38 bits physical, 48 bits virtual Byte Order: Little Endian CPU(s): 8 On-line CPU(s) list: 0-7 Vendor ID: GenuineIntel BIOS Vendor ID: Intel Model name: Intel(R) Xeon(R) CPU L5420 @ 2.50GHz BIOS Model name: CPU @ 2.5GHz BIOS CPU family: 2 CPU family: 6 Model: 23 Thread(s) per core: 1 Core(s) per socket: 4 Socket(s): 2 Stepping: 10 BogoMIPS: 4999.80 Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ht tm pbe syscall nx lm constant_tsc arch_perfmon pebs bts rep_good nopl cpuid aperfmperf pni dtes64 monitor ds_cpl est tm2 ssse3 cx16 xtpr pdcm dca sse4_1 xsave lahf_lm pti dtherm
Hi there, today we had the account of an elevated user hijacked. The account was then used to delete tons of data. Now we just rolled back the daily backup and banned the user account for now, but I assume the malicious still has a valid session for login? I did not find anything in the user profile or admin dashboard to force a user logout on all session. I'd like to unban the user after a password reset, but for that I would need to know when the account is "safe" to be used again (aka all logged in session expired or revoked)?
Utilities such as serpstat.com see the URLs example.com/topic/42/mytitle/1 and example.com/topic/42/mytitle/3 as two different pages with duplicate title meta tags. Is it possible to fix this without blocking all posts in the thread except the first one in robots.txt? How to get rid of this "ghosting duplication" Asking you guys here, because Google says title duplication is harmful for SEO.
odd authenticate failure message when i tried to clone a mongo db to a new name. used ubuntu22.04 and a current version of nodebb. sudo mongodump -d old-db -o /test/old-db/ this was supposed to do a backup into /test. sudo mongorestore -d new-db /test/old-db/old-db this was supposed to make a new mongo db named new-db using old-db. got nice stats on documents copied. message of 0 documents not copied. used mongosh/ show dbs and it listed 'new-db'. verified that config.json had new-db vs old-db. but when i try to start nodebb for this, does not start. error log says failed authentication. stumped on what to do. i did foo to mongosh and use admin/ db.auth. got success.
trying to move my db to another server. using mongo. worked like a charm using mongodump/ mongorestore. however, none of the icons and attachments and uploaded things came over. mongo said all the documents were there. sooooo. how do i get the uploaded things and icons over. im using ubuntu 22.04 are the uploads/ icons stored in mongo. or an external dicrectory somewhere?
Hi community, I’m using AWS Cognito for authentication (sign up and login) across my project, and all user management is centralized there. Now I want to integrate NodeBB, but I do not want to use NodeBB’s UI for login/registration. Instead, I want to: Continue using AWS Cognito for user registration and login. Expose a common backend service (API) that my other modules (and NodeBB) can use for authentication. Use only the NodeBB APIs (not the UI) to handle sessions, topics, posts, etc. I’m a bit unsure about the correct approach here: Can NodeBB rely fully on Cognito for authentication while I interact with NodeBB only through its APIs? How should I map Cognito users to NodeBB users (e.g., using Cognito’s sub as the NodeBB uid)? Should I use the session-sharing plugin, or is it better to build a custom integration for Cognito? What’s the recommended way to keep NodeBB users in sync with Cognito users if I bypass the UI? Has anyone implemented this kind of API-only integration with Cognito and NodeBB? Any best practices or guidance would be much appreciated. Thanks!
Apologies in advance if I misrepresented anybody or missed any crucial bits of information. Jesse Karmani (@[email protected]), Ted Thibodeau Jr. (@[email protected], and Julian Lam (@[email protected]) in attendance Julian provided an update on adoption of FEP 7888 Both Piefed and Lemmy have adopted 7888, and will begin publishing resolvable context collections in their next release Jesse opened a PR to Mastodon, which received preliminary approval from @[email protected] (ed. it was later merged, rolled back, updated, a new PR opened, which was then merged) This PR is the first of two planned pull requests. The first generates the outgoing context (the same as what Lemmy/Piefed have done recently) The seconds handles incoming contexts and backfills Jesse was asked whether it would conflict with existing reply-tree crawling methods, but the two are complementary. She expects additional discussion before the PR is opened. Julian noted that it would be helpful if statistics/analytics were gathered by the Mastodon team to see how conversation contexts and backfill works at scale; admits that existing implementations and testing has been small scale and may not reflect real-world usage. Julian noted that Lemmy's implementation (@[email protected]) does not paginate their resolvable context implementation. All objects are listed in one OrderedCollection Jesse noted that she followed Mastodon's pagination convention for collections. Context inheritance Julian asked for opinions on whether contexts were inherited in existing implementations. Notes that NodeBB inherits parent context, but checks further up the known parent chain for further contexts Julian admits that not everybody can and should do this, is also not sure anymore whether NodeBB actually does this. Julian notes the ideal implementation would be every object referencing their immediate parent, which would lead to the entire collection referring to the same context collection. Jesse: Decodon inherits immediate parent context only Ted: notes that this is a reinvention of inReplyTo Julian and Jesse note that there are marked differences between crawling the reply chain. A short discussion about how netnews and usenet handled reply chains was had. Julian notes that Lemmy will not inherit context. Every object will point back to its own server's context collection. This was a conscious decision by Nutomic as each instance is meant to consider its own representation of remote content as the canonical representation ActivityPub.Space Julian made a short shout-out to a new site called ActivityPub.Space, meant to be a hub for AP development discussions ("A federated space for ActivityPub discussions so that they don’t just get lost in ephemeral replies") A short double-back to NNTP and how they approach "eventual consistency" Ted: “Cloud of NNTP servers are all hosts of articles and replies.” Strictly speaking it’s not a reply tree as replies can be inReplyTo multiple parents
Hi, I have a question regarding the express.sid cookie: After login, the express.sid is generated and stored in the cookies. I tried using this session ID to fetch the CSRF token by calling /api/config, but it doesn’t seem to work for me. My goal is: Successfully retrieve a valid CSRF token. Use it to create topics or posts via the Write API. Ensure that once I have this token and session, I can access all the required NodeBB APIs. Could you please clarify the correct approach to: Retrieve and use the CSRF token with the express.sid? Authenticate API requests (like creating topics or posts) when using Keycloak for login instead of NodeBB’s built-in login? Any guidance or best practices for this integration would be greatly appreciated. app.post('/api/login', async (req, res) => { try { const { username, password } = req.body || {} if (!username || !password) { return res.status(400).json({ error: 'Missing username or password' }) } // 1) Login against Keycloak (Direct Access Grant) const tokenResponse = await fetchKeycloakTokens({ username, password }); // 2) Get user profile to build NodeBB payload const userinfo = await fetchUserInfo({ accessToken: tokenResponse.access_token }); // 3) Build session-sharing JWT for NodeBB // Minimal fields: id (unique), username, email const nodebbPayload = { id: userinfo.sub || userinfo.preferred_username || username, username: userinfo.preferred_username || username, email: userinfo.email || undefined, fullname: userinfo.name || undefined, }; if (!SESSION_SHARING_JWT_SECRET) { return res.status(500).json({ error: 'Server not configured: SESSION_SHARING_JWT_SECRET missing' }); } const signed = await jwt.sign(nodebbPayload, SESSION_SHARING_JWT_SECRET, { expiresIn: '1h' }); const loginRes = await axios.post('http://localhost:4567/api/v3/utilities/login', { username, password }, { headers: { "Content-Type": "application/json", "Authorization": `Bearer ${signed}`, // pass your Bearer token here }, withCredentials: true }); console.log(loginRes, "LOGIN RESPONSE"); // 4) Set cookie for NodeBB domain so it can pick it up const response = await axios.get('http://192.168.60.108:4567/api/config', { withCredentials: true }); const newToken = response?.data?.csrf_token; const cookieOptions = { httpOnly: true, secure: false, sameSite: 'none', path: '/', maxAge: 8 * 60 * 60 * 10000, domain: '192.168.60.108' } res.cookie("token", signed, cookieOptions); res.cookie('csrf_token', newToken, cookieOptions); return res.json({ success: true, message: "login successfully", redirect: NODEBB_BASE_URL, keycloakAccessToken: tokenResponse.access_token }); } catch (err) { // eslint-disable-next-line no-console console.error('Login error:', err?.response?.data || err?.message || err); const status = err?.response?.status || 500 const message = err?.response?.data?.error_description || err?.response?.data?.error || err?.message || 'Unexpected error'; return res.status(status).json({ success: false, error: message }); } }); In the /api/login API, I called the /api/config API, but when I check the /api/config API in Postman using the express.sid generated after login, it never returns the response for that specific user. Thanks in advance!
We've got SpamBeGone enabled, with Akismet, Project Honeypot, and reCAPTCHA; and we only allow SSO login. But recently, there's been a huge spate of sneaky spam posts where they just reply, then edit the @-mention URL to some external site -- or, even more sneaky, they leave the @ and the first few characters as the original @-mention link, but the last few characters of the username are really a link somewhere else; similar for the in [Name of This Topic](/post/####), it gets changed to in [Name of This Top](/post/####)[ic](link-to-external-site) Sometimes they are "kind" enough to not post any text, so it's just got the quoted text, so while I'm reading posts, I can at least use that to clue me in to check for hidden links and then moderate/delete/ban. But if they combine it with a ChatGPT-style reply, they can often sneak past the radar. Akismet, despite stopping many perfectly-reasonable posts, does nothing on those kinds of posts. So does anyone else have ideas on how to combat/prevent those kinds of spam posts? Or is there a setting or plugin that allows restricting which external sites can be linked to? (Like "allow links to google or our homepage or a few other sites, but not links to any random site") Or a way to get it to flag links that are external vs internal, so it's obvious all the links that go outside our forum?
Hi, I am creating a website for e-learning purposes on the MEAN.JS stack and want to add NodeBB as the community part. But as NodeBB has its own authentication system and so does my website, is there a way to sync the two. I don't want to keep the NodeBB login/register system but only of my website and users logged into my website should be loggedin to NodeBB as well. I have been going through the NodeBB code and haven't been able to figure it out. Can anyone help me with this please. My questions are Is it possible to make NodeBB sync with my auth system? if so, then how can I go about with it, without modifying much of NodeBB? Thank you
Hello! I've set up a new forum myself using NodeBB and I have an issue with uploads, I've enabled private attachments and my users experience missing images/attachments from time to time. If they access the file directly they get "not-allowed", but I can see the file in the ACP upload manager. I have a regular user where I test out stuff and it's happening to that user as well, so far my only hint (but I am not 100% sure) is that this starts happening after editing a post, It doesn't seem to happen to my user due to caches (I guess!). I have tried to search if someone else experienced the same but couldn't find anything.
Copyright © 2025 NodeBB | Contributors