Custom Admin API with authentication

Hi,

I have a custom API that fetches data from a datasource on click of a button from the node-red dropdown menu.

Location of the API:
packages/node_modules/@node-red/editor-api/lib/admin/index.js

adminApp.get("/test",test,apiUtil.errorHandler);

This works as expected but I want to encapsulate this under runtime authentication. Something similar to

adminApp.get("/flows",needsPermission("flows.read"),flows.get,apiUtil.errorHandler);

Expected Behavior: If the user is logged in only then he has access to /test api
Current Behavior: The /test API is open and has no authentication in place.

Any pointers on how to achieve this?

Thanks!


Hi @ashish-y

If you look at the adminApp.get call you've shared, you'll see the needsPermission("flows.read") middleware - that is what enables authentication on the endpoint. You'll need to pick the right permission to require - the string passed to the function.

The permission takes the form of XYZ.read or XYZ.write - depending on whether it requires read-only or full read/write access.


Thanks @knolleary.

Yes, I figured that part out.

So when I do
adminApp.get("/test",needsPermission("test.read"),test.get,apiUtil.errorHandler);
It's unauthorized.

I guess my question is where do I define scope of this new permission?
I can't figure out how needsPermission("flows.read") is enabling authentication.

The needsPermission function returns a middleware that handles the request before it reaches your test.get function. That middleware checks if the user making the request has the required permission.

You don't have to predefine the permission anywhere. As long as the permission string takes the form XYZ.read or XYZ.write then it will work as expected.

As per the docs users either have the permission read or *. If it is read then they are allowed to access anything with a XYZ.read permission. If it's * then they can access everything.

The reason for the XYZ part of the permission is to identify the type of resource being accessed - which allows for some finer-grained permissions. For example, a user could have a permission of ["read", "inject.write"] - this would allow them read-only access to the editor, but would be able to trigger any inject nodes.

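To make the scope rules described above concrete, here is an added example (not Node-RED's own code) of a small needsPermission-style middleware and the permission check behind it. The names hasPermission, needsPermission, simulate and req.user.scope are assumptions for this illustration, as is treating a bare "write" scope symmetrically to "read".

```javascript
// Added example, not Node-RED's code: models how a middleware such as
// needsPermission("test.read") decides whether a logged-in user may
// call a custom admin endpoint. Scope rules follow the thread:
// "*" grants everything, "read" grants any XYZ.read, and an exact
// entry such as "inject.write" grants only that permission.
// Assumed here: a bare "write" scope grants any XYZ.write.

function hasPermission(userScope, permission) {
  // A user's scope may be a list; any matching entry is enough.
  if (Array.isArray(userScope)) {
    return userScope.some((s) => hasPermission(s, permission));
  }
  if (userScope === "*" || userScope === permission) {
    return true;
  }
  // Permissions are "XYZ.read" or "XYZ.write"; a bare "read" scope
  // matches every XYZ.read, a bare "write" every XYZ.write.
  const m = /^[^.\s]+\.(read|write)$/.exec(permission);
  return m !== null && userScope === m[1];
}

// Returns Express-style middleware: the request reaches the route
// handler only when the user is authenticated and holds the permission.
function needsPermission(permission) {
  return function (req, res, next) {
    if (!req.user) {
      return res.status(401).end(); // not logged in
    }
    if (!hasPermission(req.user.scope, permission)) {
      return res.status(401).end(); // logged in, insufficient scope
    }
    next();
  };
}

// Stand-in for Express req/res so the example runs offline; returns
// 200 when the handler was reached, otherwise the status the
// middleware set.
function simulate(user, permission) {
  let status = 200;
  let reachedHandler = false;
  const req = { user }; // constructed sample user, not a real session
  const res = { status(c) { status = c; return this; }, end() {} };
  needsPermission(permission)(req, res, () => { reachedHandler = true; });
  return reachedHandler ? 200 : status;
}

console.log(simulate({ scope: ["read", "inject.write"] }, "test.read")); // 200
console.log(simulate({ scope: ["read"] }, "test.write"));               // 401
console.log(simulate(undefined, "test.read"));                          // 401
```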

Thanks very much for clearing this up, @knolleary

needsPermission was returning unauthorized for one of my custom API.
I finally figured it out.

Incorrect path in HTTP get request :stuck_out_tongue:

Finally got it working.

Cheers!
