Basic Auth Memory Storage

Hello!

I'm not really sure where exactly to ask this, but I've been trying to learn more about the security around http-request nodes. Right now, I use a username and password in the http request node for basic auth. I just wanted to know if this information were saved anywhere? I've read about "httpAdminAuth", "AdminAuth", and "httpNodeAuth", but there doesn't seem to be a lot of documentation about them anywhere. If anyone could give me a bit more information, that'd be really helpful!

Thank you! :smile:

Hi @Hannahisme2533 - welcome to the community!

The username and password you enter in the HTTP Request node are handled as 'credentials' in your flow. That means they do not get stored in your main flow file, but get stored in a separate credentials file that sits next to your flows file. The credentials file is, by default, encrypted so that they are not stored in plain text.

The other things you mention (adminAuth etc) are about securing the Node-RED editor itself - rather than anything to do with what the flows are doing.

Hope that helps - happy to clarify any part I've not explained well.

Thank you! I know that the default MQTT node has a separate configuration node associated with it where it stores things, and it allows the node to be, say, copied and pasted (or exported/imported etc) and continue to hold the credentials. Is there any possible way to do this for the http request node?

No, the HTTP Request node doesn't have a config node associated with it.

The fact nodes don't keep their credentials when copying/importing/exporting is a security policy we have - it means you can't accidentally share your credentials when sharing your flow.

It can, however, be inconvenient when you really do want to take a copy with the credentials in. We do have an item on the backlog to do something in this area.
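An added example, not part of the original posts and not Node-RED's own code: a Node.js check to run before sharing a flow, covering both points above (credentials live in a separate file, encrypted by default, and an export should not carry them). It assumes an encrypted credentials file is a JSON object with a single `$` string key, an unencrypted one maps node ids to credential objects, and inline credentials would appear as a `credentials` object on a node; all function names and sample data are constructed for illustration.

```javascript
// Classify a parsed credentials file (assumed layout, see lead-in).
function credentialFileState(creds) {
  const keys = Object.keys(creds);
  if (keys.length === 0) return 'empty';
  if (keys.length === 1 && keys[0] === '$' && typeof creds.$ === 'string') {
    return 'encrypted';
  }
  return 'plaintext'; // node ids mapped to readable credential objects
}

// Return the ids of nodes in a flow export that carry inline credentials.
function nodesWithInlineCredentials(flow) {
  return flow
    .filter((n) => n && n.credentials && typeof n.credentials === 'object'
      && Object.keys(n.credentials).length > 0)
    .map((n) => n.id);
}

// Collect findings that should block sharing the export or the file.
function auditBeforeSharing(flow, creds) {
  const findings = nodesWithInlineCredentials(flow)
    .map((id) => `flow: node ${id} carries inline credentials`);
  if (credentialFileState(creds) === 'plaintext') {
    findings.push('credentials file: stored unencrypted');
  }
  return findings;
}

// Constructed sample data (not taken from a real installation).
const SAMPLE_EXPORT = [
  { id: 'a1b2c3d4.000001', type: 'http request', method: 'GET',
    url: 'https://api.example.invalid/status' },
  { id: 'a1b2c3d4.000002', type: 'http request', method: 'GET',
    url: 'https://api.example.invalid/data',
    credentials: { user: 'demo', password: 'not-a-real-password' } },
];
const SAMPLE_ENCRYPTED = { $: '00112233445566778899aabbccddeeffQ09OU1RSVUNURUQ=' };
const SAMPLE_PLAINTEXT = {
  'a1b2c3d4.000001': { user: 'demo', password: 'not-a-real-password' },
};

console.log(auditBeforeSharing(SAMPLE_EXPORT, SAMPLE_PLAINTEXT));
console.log(auditBeforeSharing([SAMPLE_EXPORT[0]], SAMPLE_ENCRYPTED));
```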

Oh, alright! I figured as much but being sure is always better than guessing, so thank you so much! You've been a great help :grinning_face_with_smiling_eyes:
