Can users be set for authentication without passwords in the `users` array?

According to certain examples in the Securing Node-RED : Node-RED guide there are mentions of users within the users array that do not seem to have a password. Is this a typo or does the Auth Engine allow users with only permissions?

The only example of that I can see is in the context of the Twitter OAuth example. In that instance, users login via Twitter, so no password is required. The users array is used to then identify what permissions a logged in user has.

Okay Thanks. Would that same example be able to work with Basic Authentication from an external proxy?

Do you mean you want to do authentication entirely in the proxy and then somehow tell Node-RED about who is logged in?

You would need to pass some identifying token from the proxy to Node-RED so it knows who the user is. Securing Node-RED : Node-RED describes how that might work.

But I cannot say I've ever configured it in quite that way.

I have been doing some trials on creating a middleware that can read HTTP Headers either Authorization: Basic <base64encode> or using a custom header X-WebAuth-User: <username> but I fall short when it comes to setting the users array.

This is because users array, albeit set via a Middleware will still redirect me to the login page and since I do not have a password set (reverse proxy only forwards the authenticated user) I cannot log the respected user in.

The link I pointed you at doesn't involve middleware at all.

If you are able to configure the proxy to add a custom header that identifies the user, then you can use the tokens and tokenHeader properties of adminAuth to read that header and return the appropriate user object for it.

Ah! Fantastic ! I was over-engineering the solution.

I have been able to setup the following token based middleware:


module.exports = {
  type: "credentials",
  default: function() {
    return new Promise(function(resolve){
  tokens: function(token) {
    return new Promise(function(resolve, reject) {
      const username = token;
      var user = {username: username, permissions: ""};
      if (username == "admin") {
        user['permissions'] = "*";
      } else {
        user['permissions'] = "read";
  tokenHeader: 'X-WebAuth-User'


adminAuth: require('./user-authentication'),

And things seem to be working, I am not sure at this point where I would need to use the users but I think I won't.


This won't work because the editor will not let me deploy flows :confetti_ball: IT WORKS!!

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.