Dashboard repeat authentication

I'm aware that I first raised this problem a number of years ago, but with the introduction of dashboard 2, and techie advances, it's probably worth raising again...

Using the recommended endpoint security, to ensure that the dashboard is password protected, works fine if you are accessing the dashboard on one device, but....
...the 'auth' only exists for that individual device, and if other devices connect, we need to complete username/password again :rage:

As an example:

  • laptop connects to dashboard - requires user/password
  • laptop connects to dashboard again - no auth req
  • phone connects to dashboard - requires user/password
  • tablet connects to dashboard - requires user/password
  • laptop again connects to dashboard - requires user/password again
  • phone again connects to dashboard - requires user/password again
  • phone connects to dashboard - no auth required

Surely Node-RED auth should respect individual devices to prevent this??

Does the same issue occur with FlowFuse, or is auth handled differently?

Can't comment directly on D1 or Flowfuse security but a reminder that I generally recommend using external security, via a reverse proxy for example. Employing separation of concerns and a more battle-tested security approach is advisable.

Thanks Julian, if I was starting from scratch, I may consider using a reverse proxy, but this is already built and I don't want to mess up MQTT, Telegraf, Grafana, edge data inputs, Cloudflare, SSL certs, etc.

Most other web app servers, such as Grafana, remember several devices at a time, and users can switch between them without having to continually log in, whilst Node-RED only remembers auth for the last device logged in, which is not good.

No problem, as mentioned I can't really comment on D1 or FlowFuse's authentication.

As you point out, most web services allow multiple logins to the same account from different locations. Though this doesn't have to be the case and more secure systems would probably prevent it for safety.

I imagine that has something to do with whatever you've used to secure the connection not correctly managing sessions.

I'm using the Node-RED httpNodeAuth basic authentication as described in "Securing Node-RED" (Node-RED documentation).

I was hoping that things may change with DB 2, but I believe it uses the same Auth mechanism.
