I have a custom API that fetches data from a datasource on click of a button from the node-red dropdown menu.
Location of the API:
This works as expected but I wan to encapsulate this under runtime authentication. Something similar to
Expected Behavior: If the user is logged in only then he has access to /test api
Current Behavior: The /test API is open and has no authentication in place.
Any pointers on how to achieve this?
If you look at the
adminApp.get call you've shared, you'll see the
needsPermission("flows.read") middleware - that is what enables authentication on the endpoint. You'll need to pick the right permission to require - the string passed to the function.
The permission takes the form of
XYZ.write - depending on whether it requires read-only or full read/write access.
Yes, I figured that part out.
So when I do
I guess my question is where do I define scope of this new permission?
I can't figure out how
needsPermission("flows.read") is enabling authentication.
needsPermission function returns a middleware that handles the request before it reaches your
test.get function. That middleware checks if the user making the request has the required permission.
You don't have to predefined the permission anywhere. As long as the permission string takes the form
XYZ.write then it will work as expected.
As per the docs users either have the permission
*. If it is
read then they are allowed to access anything with a
XYZ.read permission. If it's
* then they can access everything.
The reason for the
XYZ part of the permission is to identify the type of resource being accessed - which allows for some finer-grained permissions. For example, a user couple have a permission of
["read", "inject.write"] - this would allow them read-only access to the editor, but would be able to trigger any inject nodes.
Thanks very much for clearing this up, @knolleary
needsPermission was returning unauthorized for one of my custom API.
I finally figured it out.
Incorrect path in HTTP get request
Finally got it working.
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.