I’m trying to add a security layer to my Node-RED instance and I would like to know if I can somehow retrieve a property of the dashboard, specifically the name of the tab the user is trying to access, from a middleware function.
I think this is not possible; however, you can manage to set user@pass to be able to make it usable. For instance, I have some switches to restart or shut down the Pi, and this won’t work unless you first log a password.
I don’t believe that would be possible – but perhaps there’s another approach.
Right now the id from each Editor flow (tab) is used in the url for that flow (e.g. http://localhost/admin/#flow/8a6e1951.cdbcb8). However, with a small code change I think the url encoded name of the flow could be allowed in the url as well (e.g. http://localhost/admin/#flow/my+Secure+Flow). @knolleary would you consider a PR to look up the flow by name if it’s not found by id?
The problem with using the internal id in the url is that the id can change. The problem with using the name is that you will have to ensure unique names across all your flows – but at least you can then add certain middleware to url patterns more easily.
@shrickus the question is about accessing dashboard tabs, not editor tabs.
@AtenrevCode the dashboard tabs are all built in the one page. There is not a request to the backend when a user changes tabs in the dashboard. So no, currently there is no way to do per-tab access control.
So it is… can you tell I’ve been working with shuttling node-red urls through an nginx reverse proxy lately?
But I guess I’m still interested in whether you see any value in allowing an alternate form of editor tab urls, containing the name instead of the id.
As Nick says, the dashboard is a Single Page Application (SPA), and so it only renders the portion that corresponds to the page being shown. The only luck I’ve had with managing the page flow is by watching for output from a ui_control node, which sends a msg every time the page changes.
Although you can’t actually do “security” with it, you can redirect the user back to another page if you detect certain situations (missing context variable, for instance). You can see more examples and some cautions on this discussion thread.
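The ui_control approach from the last post, written out as an added example (not code from the thread or from the Node-RED project): logic for a function node wired between a ui_control node's output and its input, plus the server-side check that actually protects a sensitive widget such as the restart/shutdown switch mentioned earlier. The tab names, the `sessions` map, and the `name`/`socketid` fields on ui_control and widget messages are assumptions about a node-red-dashboard setup.

```javascript
// Constructed example; tab names and session handling are hypothetical.
// Assumed node-red-dashboard message shapes:
//   ui_control output: { payload: "connect" | "change" | "lost", socketid, name }
//   ui_control input:  { payload: { tab: "<tab name>" }, socketid }
//   widget output:     { payload, socketid }
const PROTECTED_TABS = new Set(["Admin"]);
const FALLBACK_TAB = "Home";

// sessions: Map of socketid -> { unlocked: boolean }. In a function node this
// would be kept in flow context and set by the flow's own login step.
function guardTabChange(msg, sessions) {
  if (msg.payload === "lost") {
    sessions.delete(msg.socketid);          // forget state when the client goes away
    return null;
  }
  if (!sessions.has(msg.socketid)) {
    sessions.set(msg.socketid, { unlocked: false });
  }
  if (msg.payload !== "change" || !PROTECTED_TABS.has(msg.name)) {
    return null;                            // not a move onto a protected tab
  }
  if (sessions.get(msg.socketid).unlocked) {
    return null;                            // session already unlocked
  }
  // Steer only this client back. This is navigation, not access control:
  // the SPA has already loaded every tab's widgets.
  return { payload: { tab: FALLBACK_TAB }, socketid: msg.socketid };
}

// The real check: drop messages from sensitive widgets (e.g. a shutdown
// switch) unless the originating session is unlocked. Fails closed when the
// message carries no socketid or the session is unknown.
function allowAction(msg, sessions) {
  const s = msg.socketid ? sessions.get(msg.socketid) : undefined;
  return Boolean(s && s.unlocked);
}
```

The redirect only changes what the browser shows; the `allowAction` check in the flow is what stops an unauthenticated session from triggering the action.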