After reading through this discussion, I developed a straightforward plugin that adds HTTP Basic Authentication as an option for implementing multi-user functionality in the Node-RED Dashboard.
To use this setup, you'll need a reverse proxy configured to set the X-Forwarded-User header with the authenticated HTTP user.
This approach is likely one of the simplest methods for adding user authentication to your Dashboard, because you just need a Webserver.
How to implement this is up to you. You basicly check for every incoming message e.g. who is pushing this button and then create an response based on the user and/or group.
@kitori is there any description or examples, how to do this ? I am not able to find anything completed.
F.e. I will have a node-red in separate network without internet. How is possible to create a multi tenant access to users .... in a small company to access a page with devices communicating over modbus ???? I do not need cloud solutions for it. many thanks for your directions.
You WILL need Internet somewhere in order to keep things current of course. However, there are tricks you can use to update a parallel instance and then copy things across.
If you want user authentication without the Internet, you have to set up your own internal service. In my opinion, the easiest approach is to use a reverse proxy (using NGINX, Caddy, HAProxy, or similar) and then configure that with an Identity and Access Management (IdM) tool. The proxy then handles all of the authentication and authorisation and adds suitable standard HTTP headers that Node-RED's Dashboard and/or UIBUILDER will recognise.
This creates a natural separation of concerns and allows the different services to focus on what they are good at. A search through this forum will highlight various discussions about how to do this.
I agree. Internet is mostly presented in every device.
But still exists situations and networks, which will be separated from outhere world. F.e. companies which have machines connected to own network, programable by one computer inside and disconnected from internet. So, this is f.e. critical infrastructure, coins pressing machines etc. May be, you will be surprised, but I know about something, as I mentioned.
Based on your last infos. Have you any example, how to do this ? Create own user management to acces users with multi tenant DB. I have had some attempts to create one, but so far without success.
Thanks.
It can be quite complex, it is true. I have written about it in the past but I don't have a fully working example, mostly because I've never needed it for myself and I've just never had the time to do a full example.
I would recommend splitting the problem into more manageable parts. There certainly are examples in the forum for setting up an NGINX or Caddy reverse proxy for node-red, so I'd start there. In parallel, lookup how to implement IdM for your chosen proxy and get that set up. Once all that is working, you will be able to compare the headers you get when accessing Node-RED endpoints via the proxy quite easily. Both D2 and UIBUILDER have documentation on what headers are supported. Obviously the access control part is the easiest since you can simply start by preventing any access to Node-RED endpoints via the proxy. (also obviously, you should prevent any access to Node-RED except via the proxy). Most of this is standard web server setup stuff, not really related to Node-RED.
