Because this plugin - and everything based on it - is just using User.create, they're bypassing the registration queue completely. This means that unless all SSO plugins are disabled, the registration queue is almost useless (experienced this myself with a wave of spam accounts using Google and Discord SSO to bypass the queue set in place specifically because these accounts started appearing).
Unfortunately, due to the way registration queue is implemented in NodeBB, there isn't really a good way to "just add the queue" without modifying how it works. Some ideas:
Disable registration completely when queue is enabled (probably the simplest "solution", however it's pretty obvious that it's far from perfect)
If queue is enabled and user is queued, save their username/email somewhere alongside oAuth data and create a function using hook action:user.create that will check if any new user matches the saved data and if there is a match - get the uid and process the user like with normal oAuth registration
If User.shouldQueueUser is true, show the user an error stating that registrations when queue is enabled are not supported or something (and obviously abort the registration attempt)
Actually change the way registration queue works in NodeBB - perhaps it could always assign uids that will be used after acceptance or discarded on rejection of the user? Then these SSO plugins could just use User.addToApprovalQueue instead of User.create if User.shouldQueueUser is true and the problem would be solved.
Btw. I haven't tested it yet, but it seems like there also isn't anything stopping people from registering when invitation-only mode is enabled. The buttons on login page can also register a new user, so even a lack of /register route doesn't help.
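The third idea above (abort when User.shouldQueueUser is true), together with the invitation-only case, sketched as an added example that is not part of the original issue or the plugin's code. Only the names User.shouldQueueUser and User.create come from the issue; their signatures, the findUidByOAuthId lookup, the inviteOnly flag and the in-memory stubs are assumptions made so the decision logic runs on its own.

```javascript
// Added example. Only the names User.shouldQueueUser and User.create come from
// the issue; their signatures, findUidByOAuthId and inviteOnly are assumptions.
async function resolveSsoLogin(deps, profile) {
  const { User, findUidByOAuthId, inviteOnly } = deps;

  // A returning user is a login, so registration policy does not apply.
  const existingUid = await findUidByOAuthId(profile.oAuthId);
  if (existingUid) return { action: 'login', uid: existingUid };

  // A first-time SSO login is a registration: apply the same policy here,
  // because the login-page buttons reach this path without /register.
  if (inviteOnly) return { action: 'reject', reason: 'invite-only' };
  if (await User.shouldQueueUser(profile.ip)) {
    return { action: 'reject', reason: 'queue-enabled' };
  }
  const uid = await User.create({ username: profile.username, email: profile.email });
  return { action: 'register', uid };
}

// Constructed in-memory stand-ins so the example runs offline.
function makeStubs({ queueEnabled, inviteOnly }) {
  const created = [];
  const linked = new Map([['oauth-known', 7]]);
  return {
    created,
    inviteOnly,
    findUidByOAuthId: async (id) => linked.get(id) || null,
    User: {
      shouldQueueUser: async () => queueEnabled,
      create: async (data) => { created.push(data); return 100 + created.length; },
    },
  };
}

async function runDemo() {
  const newcomer = { oAuthId: 'oauth-new', username: 'sample', email: 'sample@example.test', ip: '192.0.2.10' };
  const known = { ...newcomer, oAuthId: 'oauth-known' };
  const queued = makeStubs({ queueEnabled: true, inviteOnly: false });
  const open = makeStubs({ queueEnabled: false, inviteOnly: false });
  const invite = makeStubs({ queueEnabled: false, inviteOnly: true });
  return {
    queuedNew: await resolveSsoLogin(queued, newcomer),
    queuedKnown: await resolveSsoLogin(queued, known),
    openNew: await resolveSsoLogin(open, newcomer),
    inviteNew: await resolveSsoLogin(invite, newcomer),
    createdWhileQueued: queued.created.length,
  };
}

runDemo().then((r) => console.log(r));
```

Existing linked accounts still log in while the queue is on; only the account-creating branch is refused, and no User.create call is made on that branch.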