Node-RED itself has somewhat basic support for users but possibly not enough for what you want. However, you can do some integration with things like PassportJS since Node-RED runs using NodeJS. Info for that is in the main docs.
Mike Blackstock also created the node node-red-contrib-users which might help you. It also creates a JWT token which will help you secure your front-end code too.
An alternative approach would be to create a custom NodeJS application - there are plenty of examples with user management - and then embed Node-RED to use for the business logic.
Lots of ways to do it. As you say though, perhaps not as well documented as it might be.
One thing to remember. Node-RED is really 2 web services. One for the administrative interface and one for the user interfaces.
One final point. Don't forget to think about the security of the websockets interface as this is somewhat separate to the main http user web interface.
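The separation described above (admin interface, user-facing HTTP endpoints, websocket nodes), shown as a `settings.js` sketch. This is an added example, not part of the original post; the hostname, URL roots, usernames and hash placeholders are assumptions to be replaced with your own values.

```javascript
// Sketch of a Node-RED settings.js that secures each surface separately.
// Hostname, roots, usernames and hashes below are placeholders (assumptions).
const ALLOWED_WS_ORIGINS = new Set(["https://dashboard.example.com"]);

// Node-RED calls this for every connection attempt to a websocket node.
// info.origin = Origin header, info.secure = true when the connection is
// TLS-protected, info.req = the underlying HTTP upgrade request.
function verifyWebSocketClient(info) {
    if (!info || !info.secure) return false;   // refuse plain ws://
    if (!info.origin) return false;            // no Origin header: reject
    return ALLOWED_WS_ORIGINS.has(info.origin);
}

const settings = {
    // Service 1: the administrative interface (editor and admin API).
    httpAdminRoot: "/admin",
    adminAuth: {
        type: "credentials",
        users: [{
            username: "admin",
            password: "<bcrypt-hash-placeholder>",
            permissions: "*"
        }]
    },

    // Service 2: the user-facing endpoints created by HTTP In nodes.
    httpNodeRoot: "/api",
    httpNodeAuth: { user: "appuser", pass: "<bcrypt-hash-placeholder>" },

    // Websocket nodes get their own check on each connection attempt.
    webSocketNodeVerifyClient: verifyWebSocketClient
};

// Export for Node-RED when loaded as a CommonJS settings file.
if (typeof module !== "undefined") module.exports = settings;
```

The bcrypt hashes can be generated with `node-red admin hash-pw`.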