we have been using Node-Red in production for some years now, and everybody who knows me here knows I'm a big fan.
Up to this point we have mostly been using NR on local machines with no incoming internet access, but now have applications for running it with public ports exposed.
We've achieved this currently by producing our own native HTTP/HTTPS servers within a flow, and then exposing these ports as highly controlled single points of entry (e.g. we produced a WS port with custom authentication, etc., which can also respond to posts.... either with local certs and make it native https or behind an https endpoint - e.g. elastic load balancer by Amazon). This gives us confidence that we are only exposing what we want to expose.
The thought came to me that since I'm already abusing the NR internals, there should be some 'simple' way to take a request that arrives on our native nodejs server, and pass the request indirectly into some nominated HTTP-In node.
e.g. to have a list of 'allowed' urls, and if the url matches and auth succeeds, call the 'nodeApp' express server middleware so this request then hits the 'normal' NR flows.
The HTTP-IN node seems to register itself using RED.httpNode.xxx and remove itself from RED.httpNode._router.stack
Does this kind of approach seem viable? What challenges do you anticipate? Any hints on What to call on the express server would be useful :).