Custom authentication tokens: in the case of source compilation, following the official example does not work

I want to secure Node-RED using a token. I am embedding Node-RED within my website, and I want access to Node-RED to be restricted only through the website. An example of this is provided below:

adminAuth: {
    tokens: function(token) {
        return new Promise(function(resolve, reject) {
            // Check if the token is valid
            if (token === 'rdp2vex0nq4mzl8tf8hba1tpr5umtmzn') {
                // Resolve with the user object
                var user = { username: 'admin', permissions: '*' };
                resolve(user);
            } else {
                // Resolve with null if the token is not valid
                resolve(null);
            }
        });
    },
},

I've managed to secure access to Node-RED. However, I feel like it's not the right way, but it works.
The problem is that there is no protection on the nodes themselves, for example the Node-RED dashboard.
I've seen this concept implemented in Home Assistant, but I don't understand how.

Leaving aside that the example is certainly NOT, in any way, secure.

The example shows authentication for the admin web service, e.g. the Editor and related APIs. The user-facing web service used by things like the dashboard, http-in/-out, the websocket nodes, UIBUILDER (by default, though it can have its own separate server if desired), etc. is secured separately.

This is my adminAuth configuration.

adminAuth: {
    type: "credentials",
    users: [{
        username: "admin",
        password: "$2a$08$zZWtXTja0fB1pzD4sHCMyOCMYz2Z6dNbM6tl8sJogENOMcxWV9DN.",
        permissions: "*"
    }],
    tokens: function(token) {
        return new Promise(function(resolve, reject) {
            // Strict comparison against the expected token
            if (token === 'test') {
                var user = { username: 'admin', permissions: '*' };
                resolve(user);
            } else {
                // Unknown token: resolve with null so the login is rejected
                resolve(null);
            }
        });
    },
    // Name of the HTTP header the editor/admin API reads the token from
    tokenHeader: "token"
},

The final page rendering appears like this; how can I remove the login box?

How are you providing the access token when you load the editor in the browser? With that configuration, it will look for an authentication token in the token HTTP header.

I have included the token in the header, and attempting to access via http://127.0.0.1:1880?access_token=test also fails.

Are headers case insensitive? Because in your screenshot it shows Token with a capital T.
Did you try tokenHeader: "Token"?

HTTP headers should be case insensitive according to the standards.

May I ask, dear experts, how should we proceed to troubleshoot the issue at hand?

I believe you are saying that your adminAuth configuration is working: you have secured access to the editor.

Your question is how to secure Node-RED dashboard and other HTTP routes created by your flows.

Ben has replied to your question on GitHub here with pointers to how to secure the node routes: AdminAuth using token fails · Issue #2642 · node-red/node-red · GitHub