[EDIT] Displays if a new Node-Red update is available online, and update it from the Dashboard

In settings.js I read this:

    // Securing Node-RED
    // -----------------
    // To password protect the Node-RED editor and admin API, the following
    // property can be used. See http://nodered.org/docs/security.html for details.
    //adminAuth: {
    //   type: "credentials",
    //   users: [{
    //       username: "xxxxxxxxxxxxxx",
    //       password: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    //       permissions: "*"
    //   }]
    //},

So, mine is not secure. Can you test with a modification in the 'HTTP local request' node:


put your credentials

Thank you for your fast reply. That's what I already tried, but that didn't work:
pic

EDIT: My code in the settings is not disabled, but you posted the part which is the one I enabled to have password protection. I wouldn't like to disable the password.

Can you say more about the hardware? Node-Red is running on which device?
Have you tried typing this address in a browser (Chrome ...): http://192.168.1.54:1880/settings to access the settings from another device on the same network?
Replace 192.168.1.54 with the IP address of the hardware where Node-Red runs.

Sure. I am running it on a Raspberry Pi 4 and I tried to access the settings from the browser of the Raspberry itself. The result is the same: "Unauthorized".
This: pic
PS: settings are also included.

EDIT: I am no expert in auth stuff, but I think it's no typical basic auth used by Node Red.

Same as you! I am not an expert in security. Maybe @TotallyInformation can help us?

Maybe if I knew the file where the version is stored, I could use a "file in" node to read / parse it from there.

If you have admin auth set up, you cannot access the settings unless your current browser session is logged in. If you go to the normal Editor page in the same browser session and log in, you should then be able to see the output. Just tested that on 2 of my instances and it works.

Thanks Julian. If I understood correctly:

  1. we connect to the NR editor with his credentials
  2. we open, from the same editor, the Dashboard
  3. the local "http request" can access the parameters because it is already logged by the editor.

Have you tried this, @WhiteLion?

Even if I use the opened editor tab where I logged in and change the address from:
"http://192.168.0.60:1880/#flow/5662d35d.4bffec" to "http://192.168.0.60:1880/settings" it will give me the "unauthorized" message.

Can you temporarily comment out the lines about adminAuth and reboot NR? Just to confirm that you have access to the settings without NR security?
Therefore, there is no reason why it should not work, as our security expert testifies :wink:

I am very sorry for my late answer... real life got me :slight_smile:
If I disable the password in the settings like you requested, it works.
pic

I am happy that it works without authorization, but unfortunately I do not know what to answer you in the event that you activate the security. :frowning_face:

Maybe there is a way to parse the version number from a file. I tested reading a file from pi/.node-red/ and it worked (no access violation). But I could not find out where/if the version number is stored there.

It is to be expected that the URL "http://192.168.0.60:1880/settings" will give the "unauthorized" message as long as NodeRED has been secured using adminAuth:
But I was expecting the http request node to handle this correctly when adding:

image

.... or am I mistaken? Cause it certainly still returns "unauthorized"

I saw that the 1st http (local) request node indicates:
actualVersion: "v"
Check that there are 36 in the "substring" Function node:
str.substring(31, 36);
In this function I extract 5 characters from the payload, from position 31 to 36.

Did you try this?

@SuperNinja, sorry - but the English in this post doesn't make any sense to me at all. Can you pls "translate"?

When you open Node Red, does it ask you for a username and password like this?
image

Great work :slight_smile:

@knolleary pointed me in the right direction. I had to use bearer authentication and supply a valid access token to avoid the "unauthorised" error. Then it works.
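
The bearer-token approach from the last post, as an added example that is not code from this thread or from the Node-RED project: it exchanges the adminAuth credentials for an access token at the Admin API's `/auth/token` endpoint, then sends that token to `/settings` and reads the `version` field from the JSON response. The function names, base URL, username and password are hypothetical placeholders, and the default `httpAdminRoot` is assumed.

```javascript
// Placeholders (assumptions): base URL, username and password are not values from the thread.

// Build the POST /auth/token request that exchanges credentials for an access token.
function tokenRequest(base, username, password) {
  const body = new URLSearchParams({
    client_id: "node-red-admin",
    grant_type: "password",
    scope: "read", // least privilege: reading /settings needs no write scope
    username,
    password,
  });
  return {
    url: new URL("/auth/token", base).href,
    init: {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: body.toString(),
    },
  };
}

// Build the GET /settings request carrying the token in the Authorization header.
function settingsRequest(base, accessToken) {
  return {
    url: new URL("/settings", base).href,
    init: { headers: { Authorization: `Bearer ${accessToken}` } },
  };
}

// Run both steps. fetchImpl is injectable so the flow can be exercised offline.
async function readVersion(base, username, password, fetchImpl = fetch) {
  const t = tokenRequest(base, username, password);
  const tokenRes = await fetchImpl(t.url, t.init);
  if (!tokenRes.ok) throw new Error(`token request failed: ${tokenRes.status}`);
  const { access_token } = await tokenRes.json();

  const s = settingsRequest(base, access_token);
  const res = await fetchImpl(s.url, s.init);
  if (res.status === 401) throw new Error("Unauthorized: token missing, expired or revoked");
  if (!res.ok) throw new Error(`settings request failed: ${res.status}`);
  return (await res.json()).version; // read the JSON field instead of slicing by offset
}
```

Tokens issued by `/auth/token` expire, so a flow that polls `/settings` has to request a new one when it gets a 401.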