We have two different UIs: one for the entire system, and Node-RED.
Basically, the idea is to delegate the authentication entirely to an external API (same that works for the main UI).
That way, if you come through the main UI, or login via Node-RED, you end up with the same token and authentication methods.
There are 2 possible flows, i.e.:
1 - noderedwebserver:1880/?access_token=<ACCESS_TOKEN>
The token gets checked via settings.adminAuth.tokens().
2 - noderedwebserver:1880 --> login via the Node-RED editor
Credentials get checked via settings.adminAuth.authenticate().
A token is received (from the external API) and returned back via the settings.adminAuth.authenticate() resolve (possibly) for subsequent checks via settings.adminAuth.tokens().
All that is needed is to store the token when the settings.adminAuth.authenticate() resolves. I'm not entirely sure, but it should be possible to send a token together with username and permissions, that then get stored (on localStorage.auth-tokens) instead of the Node-RED token, and used in settings.adminAuth.tokens().
I'm willing to make the changes myself, if possible, with a little guidance. It should not be a breaking change, as if the return from settings.adminAuth.authenticate() resolves no token, life goes on as it is today.
Then, I changed the Users.authenticate(username,password) function in node-red/packages/node_modules/@node-red/editor-api/lib/auth/strategies.js to check for the token. If found, call done with user.token instead of calling Tokens.create().
In addition, this solution is future proof if you decide to change where the token is stored (since @knolleary mentioned this was something they were planning on changing in the near future), as it uses the same mechanism to save the token as is done today.
Please let me know if this could be a solution so I can work on it, test it more, and open a PR.
There is a very easy way to do this without needing any changes to Node-RED. Use an external reverse proxy to do the authentication. I've been writing some documentation on using NGINX to do this recently and I've already shared drafts in this forum. My doc is aimed at uibuilder but it equally works for any Node-RED installation along with Dashboard, uibuilder and other non-NR web apps.