According to certain examples in the Securing Node-RED : Node-RED guide there are mentions of users within the `users` array that do not seem to have a password. Is this a typo or does the Auth Engine allow users with only permissions?
The only example of that I can see is in the context of the Twitter OAuth example. In that instance, users log in via Twitter, so no password is required. The `users` array is then used to identify what permissions a logged-in user has.
Okay, thanks. Would that same example be able to work with Basic Authentication from an external proxy?
Do you mean you want to do authentication entirely in the proxy and then somehow tell Node-RED about who is logged in?
You would need to pass some identifying token from the proxy to Node-RED so it knows who the user is. Securing Node-RED : Node-RED describes how that might work.
But I cannot say I've ever configured it in quite that way.
I have been doing some trials on creating a middleware that can read HTTP headers, either `Authorization: Basic <base64encode>` or a custom header `X-WebAuth-User: <username>`, but I fall short when it comes to setting the `users` array.
This is because the `users` array, albeit set via a middleware, will still redirect me to the login page, and since I do not have a password set (the reverse proxy only forwards the authenticated user) I cannot log the respective user in.
The link I pointed you at doesn't involve middleware at all.
If you are able to configure the proxy to add a custom header that identifies the user, then you can use the `tokens` and `tokenHeader` properties of `adminAuth` to read that header and return the appropriate user object for it.
Ah! Fantastic! I was over-engineering the solution.
I have been able to set up the following token-based middleware:
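user-authentication.js

```javascript
module.exports = {
    type: "credentials",
    // No anonymous access when the header is absent
    default: function() {
        return new Promise(function(resolve){
            resolve(null);
        });
    },
    // Called with the value of the header named in tokenHeader
    tokens: function(token) {
        return new Promise(function(resolve, reject) {
            const username = token;
            var user = {username: username, permissions: ""};
            // "admin" gets full access, every other username is read-only
            if (username == "admin") {
                user['permissions'] = "*";
            } else {
                user['permissions'] = "read";
            }
            resolve(user);
        });
    },
    // Header set by the reverse proxy after it has authenticated the user
    tokenHeader: 'X-WebAuth-User'
};
```

settings.js

```javascript
adminAuth: require('./user-authentication'),
```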
And things seem to be working. I am not sure at this point where I would need to use the `users`, but I think I won't.
Edit
This won't work because the editor will not let me deploy flows IT WORKS!!
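A stricter variant of the token handler posted above, as an added example that is not part of the original thread: it resolves only usernames on an explicit allowlist and returns `null` for everything else, instead of granting `read` to any header value. The `ACCOUNTS` table, its names and the `lookupUser` helper are constructed for illustration, and the example assumes the reverse proxy overwrites any client-supplied `X-WebAuth-User` header and that Node-RED is reachable only through that proxy.

```javascript
// Added example, not code from the thread. ACCOUNTS and lookupUser are
// hypothetical names; the account entries are constructed sample data.

// Explicit allowlist: proxy-authenticated username -> Node-RED permissions.
const ACCOUNTS = new Map([
    ["admin", "*"],
    ["operator", "read"],
]);

// Map the header value to a user object, or null when it is not allowlisted.
// Exact matching also rejects a repeated header, which Node.js joins into
// one comma-separated string (for example "operator, admin").
function lookupUser(token) {
    if (typeof token !== "string" || !ACCOUNTS.has(token)) {
        return null;
    }
    return { username: token, permissions: ACCOUNTS.get(token) };
}

const adminAuth = {
    type: "credentials",
    // No header supplied: no anonymous access.
    default: function () {
        return Promise.resolve(null);
    },
    // Called with the value of tokenHeader; null means "no such user".
    tokens: function (token) {
        return Promise.resolve(lookupUser(token));
    },
    tokenHeader: "X-WebAuth-User",
};

// Export for settings.js: adminAuth: require('./user-authentication')
if (typeof module !== "undefined") {
    module.exports = adminAuth;
}
```

Setting `uiHost: "127.0.0.1"` in settings.js when the proxy runs on the same host keeps the editor from being reached without passing through the proxy.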