I have set an encryption key in settings.js, and my credentials are being encrypted properly into flows_cred.json. However, I can still see the password value in clear text in the flows.json file. Only after some time is it converted to an obfuscated "__PWD__" format.
Is there a reason for this (temporary) security breach?
(I am not using 'Projects' mode here)
There is something I don't understand: if the property is a password how can it be defined in the flows file?
Exactly which credentials are you talking about? Can you post a simple flow showing the problem and explain what we have to do to see the password unencrypted?
Plain text credentials are never written to the flows.json on disk and they are never returned to the browser from the backend, they will always be replaced by __PWD__.
If you enter a new credential into a node, it will be in memory in the browser until that change is deployed (because it has to be somewhere until it's sent to the backend). But at the point it is deployed it should be updated with the placeholder.
As Colin asked, if you can provide more details of exactly where you are seeing this and what nodes you are seeing it with then we can investigate if the above description does not match what you are seeing.
Thank you for your replies. Here is the walkthrough:
I developed a custom node called "FV_Credentials", which includes a config node which stores various connection parameters, some of which are passwords. I defined these passwords as "Credentials" in the HTML & JS files and they are saved & retrieved properly.
But watch the sequence below:
- I open a new, clean implementation. Both flows.json and flows_cred.json files are empty:
- I now drag the node to the empty canvas, open it, add a new config node, and enter User name=Omri, password=1234 (the password's parameter name is fv_b_Password).
- Now I close the node and DEPLOY
- I reload the cred file - it has been encrypted & populated properly.
- However, when I reload the flows file, I can clearly see the password value ("1234")
- Once I start playing with the flow - add nodes, run flows etc., the password value is changed to __PWD__ as it should
Am I doing something wrong? Below are the relevant node code segments where I specify the credentials.
HTML:

    RED.nodes.registerType('FV_Set-Credentials-config',{
        category: 'config',
        credentials: {
            fv_b_Password: {type:"password"},
            fv_o_Password: {type:"password"},
            fv_o_ClientSecret: {type:"password"}
        },
        defaults: {
            name: {value:""},
            fvHost: {value:"http://"},
            fvAuthMode: {value:"basic"},
            fv_b_User: {value:""},
            fv_b_Password: {value:""},
    ...
    ...
    <div class="form-row">
        <label for="node-config-input-fv_b_Password"><i class="fa fa-tag"></i> Password</label>
        <input type="password" id="node-config-input-fv_b_Password">
    </div>
    ...

JS:

    ...
    RED.nodes.registerType("FV_Set-Credentials-config",FV_SetCredentialsConfigNode, {
        credentials: {
            fv_b_Password: {type:"password"},
            fv_o_Password: {type:"password"},
            fv_o_ClientSecret: {type:"password"}
        }
    });
Remove all properties you have declared in the credentials object from the defaults object. (Don't put the properties in both)
Also, since you are developing a node, please use the Developing Nodes category (that way we know you are developing a node and not just asking a general question about using node-red)
Thanks, Steve! This makes sense and indeed solved the issue.
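
A check for the mistake diagnosed in this thread, as an added example that is not part of the original posts or of Node-RED: it reports property names declared in both credentials and defaults, and flags flows.json entries that carry a credential-named property without echoing the value. The function names, node ids and sample data are constructed for illustration.

```javascript
'use strict';
// Added audit helper (illustrative; not part of Node-RED or the FV node).

// Names declared in BOTH `credentials` and `defaults` of a node registration.
// Properties in `defaults` are saved with the flow, so any overlap ends up
// in flows.json instead of staying in the encrypted credentials file.
function overlappingCredentialProps(def) {
  const creds = new Set(Object.keys(def.credentials || {}));
  return Object.keys(def.defaults || {}).filter((name) => creds.has(name));
}

// Scan parsed flows.json content for nodes of `type` carrying a property that
// should exist only as a credential. The value itself is never returned.
function findCredentialPropsInFlow(flows, type, credentialNames) {
  const findings = [];
  for (const node of flows) {
    if (node.type !== type) continue;
    for (const name of credentialNames) {
      if (!Object.prototype.hasOwnProperty.call(node, name)) continue;
      const v = node[name];
      const cleartext = typeof v === 'string' && v !== '' && v !== '__PWD__';
      findings.push({ id: node.id, property: name, cleartext });
    }
  }
  return findings;
}

// Constructed sample mirroring the registration posted in the thread.
const pw = { type: 'password' };
const sampleDefinition = {
  credentials: { fv_b_Password: pw, fv_o_Password: pw, fv_o_ClientSecret: pw },
  defaults: { name: { value: '' }, fvHost: { value: 'http://' },
    fv_b_User: { value: '' }, fv_b_Password: { value: '' } },
};
// Constructed flows.json entries (ids are made up): right after the first
// deploy, and after the value has been replaced by the placeholder.
const TYPE = 'FV_Set-Credentials-config';
const sampleFlows = [
  { id: 'cfg0000000000001', type: TYPE, fv_b_User: 'Omri', fv_b_Password: '1234' },
  { id: 'cfg0000000000002', type: TYPE, fv_b_User: 'Omri', fv_b_Password: '__PWD__' },
];

function runAudit() {
  const overlap = overlappingCredentialProps(sampleDefinition);
  const names = Object.keys(sampleDefinition.credentials);
  return { overlap, findings: findCredentialPropsInFlow(sampleFlows, TYPE, names) };
}
console.log(JSON.stringify(runAudit(), null, 2));
```

A finding with `cleartext: false` still means the property is declared in defaults; once the overlap is removed from the registration, the property should not appear in flows.json at all.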