I'm aware that I first raised this problem a number of years ago, but with the introduction of dashboard 2, and techie advances, it's probably worth raising again...
Using the recommended endpoint security, to ensure that the dashboard is password protected, works fine if you are accessing the dashboard on one device, but....
...the 'auth' only exists for that individual device, and if other devices connect, we need to complete username/password again
As an example:
laptop connects to dashboard - requires user/password
laptop connects to dashboard again - no auth req
phone connects to dashboard - requires user/password
tablet connects to dashboard - requires user/password
laptop again connects to dashboard - requires user/password again
phone again connects to dashboard - requires user/password again
phone connects to dashboard - no auth required
Surely Node-RED auth should respect individual devices to prevent this??
Can't comment directly on D1 or FlowFuse security, but a reminder that I generally recommend using external security, via a reverse proxy for example. Employing separation of concerns and a more battle-tested security approach is advisable.
Thanks Julian, if I was starting from scratch, I may consider using a reverse proxy, but this is already built and I don't want to mess up MQTT, Telegraf, Grafana, edge data inputs, Cloudflare, SSL certs, etc.
Most other web app servers, such as Grafana, remember several devices at a time, and users can switch between them without having to continually log in, whilst Node-RED only remembers auth for the last device logged in, which is not good.
No problem, as mentioned I can't really comment on D1 or FlowFuse's authentication.
As you point out, most web services allow multiple logins to the same account from different locations. Though this doesn't have to be the case and more secure systems would probably prevent it for safety.
I imagine that has something to do with whatever you've used to secure the connection not correctly managing sessions.