AdminAuth disconnects every few minutes

Hi all,
We've recently started using AdminAuth in settings.js to secure our flows. We're using node-red through a docker container, running on Portainer.

I've noticed that every time I login into a node-red flow, it disconnects after a few minutes and I get "You must be logged in to deploy changes" or "Deploy failed: Not authorized". Sometimes it happens only once and then it doesn't happen again, but sometimes it happens repeatedly.
It happens so quickly that I'm always still on the flow itself, working on it (the computer never shuts down or enters sleeping mode) and then my changes are lost.
Also, sometimes the login takes a very long time that it times out.

Do you have any idea how to fix it? Is it a known problem?

Thanks in advance

I suspect your image is crashing and restarting. Check logs for clues.

I don't think it crashes, because I also take the flow from git, and if it crashed it would have asked me to pull the flow again (the flow would be restarted).
I also looked at the logs and it doesn't say anything like "flow started" in between these disconnections.

I asked other people who are also using the same docker server and sometimes the same node-red flows, and they said they didn't experience that sort of thing.

The credentials are the the same LDAP credentials for the portainer the containers are hosted on, and it stays connected the entire time, even when node red "disconnects".

I hope that's some more information that helps, maybe there's some other solution?

Thanks!

Are you running multiple instances of the same container?

One thing you could try is to turn on audit-level logging (set audit to true in the logging section of settings.js).

You'll then get more logging related to access to the admin API. Using that, watch what log messages you get starting from when you login to when you next get the error.

No, they're all running on one instance only.
I will try that and update.
Thanks!

I tried updating the "audit" key to true in settings.js and restarted the flow, but for some reason it didn't give any more details regarding the authentication process.

As you can see here, it shows I'm logged in, but when checking inside the console it says I'm not (also when trying to hit deploy, it says I'm unauthorized - it logged me off)

and these are the logs, which for some reason didn't auto-refresh:

Thanks in advance
image

The audit logs will appear in the runtime log, not the editor. The log output you've shared shows no audit log output.

Where can I find it?
The containers are hosted on a docker swarm server that I don't have direct access to (or at least not sudo access)

You shared a screenshot of the node-red log in your previous post.... that's the log that should contain the audit logs.

Hi,
Did you mean the dev tools debugger?
If so, then this is what I get:

image

No, I meant the other screenshot you shared - that started Welcome to Node-RED

Any help? please

What browser are you using?

Can you grab a copy of /data/.sessions.json (or maybe .session.json I can't remember without checking):

  • before you login
  • immediately after you login
  • after you get the next unauthorized request.

Compare them - you should see a new entry appear after the initial login. Does the file change at all after that?

Hey, sorry it took me some time to reply.
I just tested it - there's a new entry after loggin in, but then it doesn't change once I'm disconnected.

Before logging in:

{
    "d1vc3KVhR8p55Yntv3adviZVlcCxTE3VJ1dcmPjwP/BNh/7NLG/rEA1ex8z4qAa36PJenOJOBJXRHNG0dD8pg+j3tI2rmZHe+jqv+cnRYil8E8Ra8G2+chOcRDddY//YA73uNA5PF6BRcryM4feJOMUZZeT+43lQF0msim3IRsg=": {
        "user": "efrat.h",
        "client": "node-red-editor",
        "scope": "*",
        "accessToken": "some-access-token",
        "expires": 1620297327694
    },
    "P/d8EE1Dx1BrSfRVg7sBb8U/Z/4cHDy3nCcLZpjchGpGJ/G1EvkWI0XM4xJwXbB/P1c3E2avVoPbJFd2fzi/OEB2DMXPLbe5MT0wgG4oc5+IuYepRRRghOJE/qQBpWXhyZBznp4bi5uyi7oud1GjqkSRuJjqOzgdGBMv7h+PdUc=": {
        "user": "efrat.h",
        "client": "node-red-editor",
        "scope": "*",
        "accessToken": "some-access-token",
        "expires": 1620299518434
    },
    "vDJh8edGuBFaX5oLtC2PySVNUerX3PATeU1Ete2dGPt6VQzw48dK+NrGd+kfSL9gq8rO8RpKATz9N7NaebTI3RFv13e8AuZzvvH6UCx0Ar2J0A2DwpDMiM6vIQINOoe4vhfMOe+5g5+GGhNZk57zkIXeGhSa9dbiztendIYtQWE=": {
        "user": "efrat.h",
        "client": "node-red-editor",
        "scope": "*",
        "accessToken": "some-access-token",
        "expires": 1620300136561
    }
}

After logging in and also after getting disconnected:

{
    "d1vc3KVhR8p55Yntv3adviZVlcCxTE3VJ1dcmPjwP/BNh/7NLG/rEA1ex8z4qAa36PJenOJOBJXRHNG0dD8pg+j3tI2rmZHe+jqv+cnRYil8E8Ra8G2+chOcRDddY//YA73uNA5PF6BRcryM4feJOMUZZeT+43lQF0msim3IRsg=": {
        "user": "efrat.h",
        "client": "node-red-editor",
        "scope": "*",
        "accessToken": "some-access-token",
        "expires": 1620297327694
    },
    "P/d8EE1Dx1BrSfRVg7sBb8U/Z/4cHDy3nCcLZpjchGpGJ/G1EvkWI0XM4xJwXbB/P1c3E2avVoPbJFd2fzi/OEB2DMXPLbe5MT0wgG4oc5+IuYepRRRghOJE/qQBpWXhyZBznp4bi5uyi7oud1GjqkSRuJjqOzgdGBMv7h+PdUc=": {
        "user": "efrat.h",
        "client": "node-red-editor",
        "scope": "*",
        "accessToken": "some-access-token",
        "expires": 1620299518434
    },
    "vDJh8edGuBFaX5oLtC2PySVNUerX3PATeU1Ete2dGPt6VQzw48dK+NrGd+kfSL9gq8rO8RpKATz9N7NaebTI3RFv13e8AuZzvvH6UCx0Ar2J0A2DwpDMiM6vIQINOoe4vhfMOe+5g5+GGhNZk57zkIXeGhSa9dbiztendIYtQWE=": {
        "user": "efrat.h",
        "client": "node-red-editor",
        "scope": "*",
        "accessToken": "some-access-token",
        "expires": 1620300136561
    },
    "K8NxtQMmr1U5bYgJsgCFtAo7kotzYcuI0HG91HB0xpKMJJq1p+uh6HKlTU9gBynvRm7YL64HxRoCHdUyTdS0iq9+68RiDeXlJNVYZ+rDkcHr0LV5ZBfY/LZdQgmEbgO1D46TPkIUCKhaTHHaYQLM0qXO/gCOlX2EwBgxQtLc0cI=": {
        "user": "efrat.h",
        "client": "node-red-editor",
        "scope": "*",
        "accessToken": "some-access-token",
        "expires": 1620300832141
    }
}

Thanks

I'm using chrome

I think I understand the problem better, but still needs support -
I have several projects on the same server, each in its own container (running on docker), and I'm working on them simultaneously with my user, which is with LDAP auth.

Again, each of the flows/projects is on a different container completely, but still, I think that's what signs me off.
The question is what can I do with that?

Thanks