Custom user authentication and check request host

Can someone help? How do I check the host in adminAuth?

Can you explain what you mean by that please.

This is about an HTTP request. How do I check the x-forwarded-host or host header?

Do I understand correctly that there is no such possibility?

Probably not with the limited details you have provided.

Do you have a flow that shows what you have been trying to do?

I do not have any flow. I want to check the http.header host in the adminAuth property.

Sooo... To clarify... You want someone else to do your research and find your solution for something you haven't tried yourself, nor provided any clear details on precisely what, where and why?

There is documentation, Securing Node-RED : Node-RED, but it does not indicate how to use the HTTP request in adminAuth. I am asking whether it is possible to use the HTTP request in adminAuth.

But as I understand it, there is no such possibility.

as the lines just before that show - you can set your own httpAdminMiddleware which is a function where you can probably do whatever you like.

thx

I read about httpAdminMiddleware, but there the rule applies to all admin/editor routes.
I only need the authentication page.

The task is simple: if the http.header host is "test.example", then show the authentication page.

But you can check what route the request is for and decide whether to apply your logic or not.

Thank you
Did I understand you correctly that I would then have to rewrite all the authorization logic?

It seems to me it would be good to have access to req in adminAuth, to find the user's IP/hostname/agent/... and build the 'custom code to authenticate' logic on that.

The way express middleware works is to pass to the next handler so if you don't want to handle it you just pass it on.

Apparently I cannot explain it correctly. I want to show the /auth/login page only to users with req.hostname='test.com'; other users must log in without authorization.

In the middleware, it turns out I need to check the hostname, and if it is not test.com, then somehow authorize the user without going to the /auth/login page.

All this is not very convenient, and it would be easier to write it in adminAuth.

Or I just don't understand how you suggest using httpAdminMiddleware.

Hi @twocolors

unfortunately the existing adminAuth system doesn't make it very easy to do what you are trying to do. But I think there is a way to do it.

adminAuth lets you provide a tokens function - that can be used to validate a user token if adminAuth doesn't recognise it as one of its own.

In your httpAdminMiddleware function, you could check the host and if it fails whatever test you want and it doesn't provide its own auth token via the Authorization header, you could add your own token to the request to show it is allowed in. Then in your tokens function of adminAuth, check for that token and preauthenticate the user with it.

The only piece of that I'm not 100% sure about is whether the middleware will be allowed to modify the request headers.

thx, your solution helped me

full code

    adminAuth: {
        type: "credentials",
        users: [{
            username: "admin",
            password: "$2a$08$ECvfFBqMjCVqGIHrOzfioOfx44Q9.M7ZfeOaq/Hm4C2UOgkuF/fAe", //admin
            permissions: "*"
        }],
        tokenHeader: "x-my-custom-token",
        tokens: function (token) {
            return new Promise(function (resolve, reject) {
                // Do whatever work is needed to check token is valid
                if (token == 'sameorigin') {
                    // Resolve with the user object. It must contain
                    // properties 'username' and 'permissions'
                    var user = { username: 'admin', permissions: '*' };
                    resolve(user);
                } else {
                    // Resolve with null as this user does not exist
                    resolve(null);
                }
            });
        },
    },
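    httpAdminMiddleware: function (req, res, next) {
        // Drop any copy of the token header sent by the client, so that
        // only this middleware can set it
        delete req.headers['x-my-custom-token'];
        // req.hostname is derived from the client-supplied Host header
        if (req.hostname === 'localhost') {
            // Pre-authenticate: the tokens function above accepts this value
            req.headers['x-my-custom-token'] = 'sameorigin';
            if (req.url === '/auth/login') {
                res.redirect('/');
            } else {
                next();
            }
        } else {
            next();
        }
    },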

But it's not easy for the user to use. @knolleary, could you consider adding req to adminAuth so that I can write an auth node (plugin)?

thx @knolleary and @dceejay
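
The middleware-plus-`tokens` approach from this thread, as an added example that is not part of the original posts or of Node-RED itself: it replaces the fixed token string with a random per-process secret and always discards any copy of the token header sent by the client. `makeHostPreauth`, `checkToken` and `demo` are hypothetical names, and the requests in `demo` are constructed. Express derives `req.hostname` from the `Host` header (or `X-Forwarded-Host` when `trust proxy` is enabled), so the host test is only as strong as whatever proxy in front of Node-RED controls those headers.

```javascript
// Added example, not code from the thread. makeHostPreauth, checkToken and
// demo are hypothetical names; the header name is the one used above.
const crypto = require('crypto');

function makeHostPreauth(trustedHosts, headerName = 'x-my-custom-token') {
    // Random per-process secret instead of a fixed string a client could send
    const secret = crypto.randomBytes(32).toString('hex');
    const secretBuf = Buffer.from(secret);
    // Returns the user object for the internal secret, otherwise null
    function checkToken(token) {
        const given = Buffer.from(String(token));
        const ok = given.length === secretBuf.length &&
            crypto.timingSafeEqual(given, secretBuf);
        return ok ? { username: 'admin', permissions: '*' } : null;
    }
    return {
        checkToken,
        // Merge these two properties into adminAuth in settings.js
        adminAuth: {
            tokenHeader: headerName,
            tokens: (token) => Promise.resolve(checkToken(token))
        },
        httpAdminMiddleware: function (req, res, next) {
            // Never trust a copy of the header that arrived from the client
            delete req.headers[headerName];
            if (trustedHosts.includes(req.hostname)) {
                req.headers[headerName] = secret;
                if (req.url === '/auth/login') { return res.redirect('/'); }
            }
            next();
        }
    };
}

// Constructed requests run through the middleware, then the token check
function demo() {
    const pre = makeHostPreauth(['localhost']);
    const run = (hostname, headers) => {
        const req = { hostname, url: '/flows', headers: { ...headers } };
        pre.httpAdminMiddleware(req, { redirect() {} }, () => {});
        const token = req.headers[pre.adminAuth.tokenHeader];
        return token === undefined ? null : pre.checkToken(token);
    };
    return {
        trustedHost: run('localhost', {}),
        otherHost: run('test.example', {}),
        spoofedHeader: run('test.example', { 'x-my-custom-token': 'sameorigin' })
    };
}
```

In `settings.js` the returned `adminAuth` properties would be spread into the existing `adminAuth` object next to `type` and `users`, and `httpAdminMiddleware` assigned as shown in the post above.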
