Hashing credentials for POST /auth/token

Not sure if this belongs into the Dashboard or General category, excuse me.

My purposes require me to make a request to /flows (just reloading, so I'm not passing any node information); incidentally I'll need bearer token from /auth/token , which expects my credentials in the request body.

I would pass them as a payload to the http-request node via a function-node, but it seems unwise to write my password into it, as plaintext - saved to the flows.json . I can neither use the hashed password from the settings.js , nor make use of the "Use authentication" option from http-request nodes (because -> expects body).

What are my options here?

Using Node-Red v1.0.2 btw

Only option i can come up with is "throwing one under the boss", having a dummy user with just the flows.write permissions, which can then request the token with the required permissions, but cannot access the Editor.

That dummy account would have a revealed password. And while he cant read the flows, he could still alter the system, if he knows what hes doing. In conclusion, a pretty bad idea imo, but the only option i can see right now.

To could use node-red-contrib-credentials (node) - Node-RED to securely store the password for your flow to use without exposing it.

Having a dedicated user is probably a good idea, although with flows.write permission then can change your flows to do anything.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.