Creating User Authentication for Node Red UI Dashboards

I have a dashboard for an application. A few tabs / groups need to be accessible to the "Manager" role ONLY, while the others should be visible / accessible to all roles. I created a flow that does this using the "ui-control node". But I have an issue: if the Manager role is logged in and does not log out on exit, then anyone else accessing the dashboard, on the same or a different computer, can access all tabs / groups which are assigned to the Manager role.
I would like your help if anyone has already worked on such a problem and knows a solution for this issue. My flow is given below:

[
    {
        "id": "4c8d12aa.533cbc",
        "type": "ui_ui_control",
        "z": "e3742b89.114eb8",
        "name": "",
        "events": "all",
        "x": 620,
        "y": 1020,
        "wires": [
            []
        ]
    },
    {
        "id": "a9948f71.47707",
        "type": "inject",
        "z": "e3742b89.114eb8",
        "name": "",
        "props": [
            {
                "p": "payload"
            },
            {
                "p": "topic",
                "vt": "str"
            }
        ],
        "repeat": "1",
        "crontab": "",
        "once": false,
        "onceDelay": 0.1,
        "topic": "",
        "payload": "",
        "payloadType": "date",
        "x": 210,
        "y": 1020,
        "wires": [
            [
                "e9fcb881.c69c08"
            ]
        ]
    },
    {
        "id": "e9fcb881.c69c08",
        "type": "function",
        "z": "e3742b89.114eb8",
        "name": "Manager",
        "func": "var user = global.get('currentuser');\n\nif(user != \"Manager\")\n{\nmsg.payload =\n{\n    \"tabs\": {\n        \"hide\": \"User_Inputs\"\n        \n    }\n}\nreturn msg;\n}\n\nif(user == \"Manager\")\n{\nmsg.payload =\n{\n    \"tabs\": {\n        \"show\": \"User_Inputs\"\n        \n    }\n}\nreturn msg;\n}\n",
        "outputs": 1,
        "noerr": 0,
        "initialize": "",
        "finalize": "",
        "libs": [],
        "x": 400,
        "y": 1020,
        "wires": [
            [
                "4c8d12aa.533cbc"
            ]
        ]
    }
]

Dear Node Red Forum Friends,

Please review the above issue and help me with your suggestions.

You could add a timeout so after a while the user is changed.

Thanks for your reply. In that case, if any user wants to stay logged in for quite some time, he will be forcibly logged out and has to log in again. That may not be suitable in a real-life scenario.

You could reset the timer based on the user's activity?

OK, I think that may be a solution.

  1. Will it work for different users accessing the dashboard from different computers simultaneously?
  2. I am not sure how to capture the user activity and set limit monitoring for resetting the timer in that case. Please be so kind as to give some hint / example reference.

It depends on what the user interaction is, e.g. if you have buttons on your "special" tab then clicking one could also reset the timer.

You would need to think about how the manager is using that tab, and identify ways to check that it is still in use.

If you have multiple computers in use, you should only show the tab on the one the manager is using.

Thanks, I will try this. It still feels like a workaround.
Is there any real user authentication feature for Node-RED dashboards available, or can one be created using some pre-defined nodes? I know we can set a password in the settings file, but then it's the same for all users.

It is a workaround, as Node-RED is not designed that way. If you search the forum you will find this is a very common question.

I would suggest putting all the groups required for manager on 1 tab and have them hidden. (Use ui-control to hide them whenever that tab is switched to.)

Have a button to "login". After successful verification, pass the message to ui control to show the groups, and make sure that the "socketid:" property from the button press is included in the payload. This means that the groups will only be shown on that browser session.

Start a timer to logout, and reset timer after each relevant interaction.

After timer has expired hide the groups again.

3 Likes
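
The procedure in the last reply (login, show the groups only for the `socketid` that logged in, reset an idle timer on activity, hide again on expiry), sketched as an added example that is not code from this thread or from Node-RED. It tracks each browser session separately instead of one global `currentuser`; the group name, the idle limit and the `checkCredentials` callback are assumptions, and the returned objects are meant to be passed to the ui_control node.

```javascript
// Added example. GROUPS, IDLE_MS and checkCredentials are assumptions.
const GROUPS = ["Manager_Tab_Settings"]; // hypothetical "<tab>_<group>" name
const IDLE_MS = 5 * 60 * 1000;           // hypothetical idle limit

function createGate(checkCredentials, groups = GROUPS, idleMs = IDLE_MS) {
  const sessions = new Map(); // socketid -> time of last activity (ms)

  // Message for ui_control, addressed to one browser session via msg.socketid.
  const control = (socketid, action) => ({
    socketid,
    payload: { group: { [action]: groups } },
  });

  return {
    // Login button/form output. msg.socketid is set by the dashboard widget.
    login(msg, now = Date.now()) {
      if (!msg.socketid) return null; // no socketid: never broadcast "show"
      if (!checkCredentials(msg.payload)) return control(msg.socketid, "hide");
      sessions.set(msg.socketid, now);
      return control(msg.socketid, "show");
    },
    // Any interaction on the manager groups: restart that session's timer.
    // Returns false for sessions that are not logged in.
    activity(msg, now = Date.now()) {
      if (!sessions.has(msg.socketid)) return false;
      sessions.set(msg.socketid, now);
      return true;
    },
    // Explicit logout button.
    logout(msg) {
      if (!sessions.delete(msg.socketid)) return null;
      return control(msg.socketid, "hide");
    },
    // Run from a repeating inject: one "hide" message per expired session.
    sweep(now = Date.now()) {
      const expired = [];
      for (const [socketid, last] of sessions) {
        if (now - last >= idleMs) {
          sessions.delete(socketid);
          expired.push(control(socketid, "hide"));
        }
      }
      return expired;
    },
  };
}
```

In a function node the gate would be kept in node context so it persists between messages. Hiding a group only changes what the browser renders, so flows behind the manager widgets can use the return value of `activity()` to drop messages from sessions that are not logged in.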