Help needed for 2FA with Authy

Hi! I would like to secure node-red with 2FA and a dedicated app (I'm actually using Authy for other services).
What I've found in the forum and in Node-RED's support pages hasn't helped me enough. Could someone explain to me how to activate the new authentication method please? Thanks!

Not especially easy. Even I've not bothered to try it as yet. You will need an authy recipe for PassportJS which you will need to link to node-red via the appropriate property in settings.js.

An alternative and potentially easier way would be to use an Authy recipe for NGINX, using NGINX as a reverse proxy for Node-RED.

I've published some NGINX config for Node-RED not so long back in the forum here.

There is an Authy recipe for NGINX here: Adding 2-Factor Authentication to any Web App using Nginx • Sean's Blog (seantodd.co.uk) - not tried it though so don't know how good it is. - Oops! Though that is 2FA, it isn't Authy, sorry - dratted Google searches seem to be getting worse quality recently. Well this search turns up a few relevant articles anyway: nginx authy - Google Search

Thanks @TotallyInformation, I really would avoid using NGINX because it is not so simple to make it work (in fact I'm using Caddy v2 because configuring it wasn't a pain, undoubtedly).
Meanwhile I've set up OAuth authentication with Google and Passport following that thread, but something has gone wrong because every Google user could log in to my node-red, so I've restored the basic internal authentication method.

I have found what I did wrong here and corrected my settings file...

Glad you got it going.

Would be very cool if you wrote this up in #share-your-projects for future readers?

Cheers.

1 Like

Hi @Steve-Mcl, ok I'll do it, but for now I prefer to write the steps here since I still have to figure out how to enable the httpNodeAuth and httpStaticAuth for the Google user.

Ok, that is what I did.
In my Google console project dashboard I first configured the OAuth consent screen. First step: User Type: external.
Saved and moved to the next step.
Selected my email from the menu, filled the Authorized domains and Developer contact information,
saved and moved to the next step.

Added the scopes. In the Manually add scopes field I wrote email. Saved and moved to the last step.

Finally, I added my Google email and saved twice. OAuth consent screen configured.

Next step, I have created OAuth credentials. The following screenshot should be clear.


Now with the credentials I moved to configure node-red itself.

First, stop node-red.
Install passport-google-oauth20.

npm install passport-google-oauth20

Then I changed the adminAuth section to

    adminAuth: {
        type: "strategy",
        strategy: {
            name: "google",
            label: 'Accedi con Google',
            icon: "fa-google",
            strategy: require('passport-google-oauth20').Strategy,
            options: {
                clientID: 'your ClientID',
                clientSecret: 'your SecretKey',
                scope: 'email',
                callbackURL: "https://yournodered.yourdomain.xxx/auth/strategy/callback",
                verify: function (token, tokenSecret, profile, done) {
                    // Use the first e-mail of the Google profile as the Node-RED username;
                    // leave it null (login refused) when the profile carries no e-mail at all.
                    profile.username = (Array.isArray(profile.emails) && profile.emails.length > 0)
                        ? profile.emails[0].value
                        : null;
                    return done(null, profile);
                }
            }
        },
        // Only the accounts listed here are allowed in, whatever Google returns.
        users: [
            { username: "youremail@gmail.com", permissions: ["*"] }
        ]
    },

Saved and restarted node-red.
If everything is fine the new login screen should look like this:

That's all.
I have commented out the httpNodeAuth and httpStaticAuth sections because I would like to know whether I can generate a password for my new Gmail user as described here.

// httpNodeAuth: {user:"mebeforegoogleoauth",pass:"(see https://nodered.org/docs/user-guide/runtime/securing-node-red)"},
// httpStaticAuth: {user:"mebeforegoogleoauth",pass:"(see https://nodered.org/docs/user-guide/runtime/securing-node-red)"},
3 Likes
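The post above shows the working settings, and the earlier reply shows the failure mode when the `users` list is wrong: every Google account can log in. The following is an added example (not the poster's settings.js and not Node-RED's own code) that builds the same adminAuth block with two defensive changes: the verify callback only turns a Google e-mail into a username when the profile does not flag it as unverified (assumption: passport-google-oauth20 exposes a `verified` property on each `profile.emails` entry, which is tolerated as absent), and `users` is a lookup function over an explicit allowlist, the function form that Node-RED's securing docs accept in place of an array, so any account not listed resolves to null and the login is refused. `buildAdminAuth`, `resolveUser` and the allowlist contents are hypothetical names and constructed values; the Strategy constructor is passed in rather than required here so the file runs without the package installed.

```javascript
// Added example for this thread, not the poster's settings.js nor Node-RED's own code.
// Constructed allowlist: e-mail -> Node-RED permissions. Replace with your own accounts.
const ALLOWED_ADMINS = new Map([
  ["youremail@gmail.com", ["*"]],     // full editor access
  ["colleague@gmail.com", ["read"]],  // read-only access
]);

// Derive the Node-RED username from the passport profile. Returns null when no
// usable e-mail is present, so the allowlist lookup below fails closed.
// Assumption: each profile.emails entry may carry a `verified` flag; when the flag
// is missing the address is still accepted, when it is false it is skipped.
function usernameFromProfile(profile) {
  const emails = Array.isArray(profile && profile.emails) ? profile.emails : [];
  const usable = emails.filter(
    (e) => e && typeof e.value === "string" && e.verified !== false
  );
  return usable.length ? usable[0].value.trim().toLowerCase() : null;
}

// passport-google-oauth20 verify callback shape: (accessToken, refreshToken, profile, done).
function verify(accessToken, refreshToken, profile, done) {
  profile.username = usernameFromProfile(profile);
  return done(null, profile);
}

// Synchronous allowlist check; null means "not an admin user".
function resolveUser(username) {
  if (typeof username !== "string") return null;
  const key = username.trim().toLowerCase();
  const permissions = ALLOWED_ADMINS.get(key);
  return permissions ? { username: key, permissions } : null;
}

// The `users` function form Node-RED accepts: a Promise of the user object or null.
// Node-RED calls it with profile.username after verify() has run.
function users(username) {
  return Promise.resolve(resolveUser(username));
}

// Build the adminAuth object. In settings.js you would write:
//   adminAuth: buildAdminAuth(require("passport-google-oauth20").Strategy, { clientID, clientSecret, callbackURL })
function buildAdminAuth(StrategyCtor, { clientID, clientSecret, callbackURL }) {
  return {
    type: "strategy",
    strategy: {
      name: "google",
      label: "Sign in with Google",
      icon: "fa-google",
      strategy: StrategyCtor,
      options: { clientID, clientSecret, scope: "email", callbackURL, verify },
    },
    users,
  };
}

if (typeof module !== "undefined") {
  module.exports = { ALLOWED_ADMINS, usernameFromProfile, verify, resolveUser, users, buildAdminAuth };
}
```

With this shape, adding or revoking an administrator is a one-line change to the allowlist, and an account that Google authenticates but that is not listed never reaches the editor; the same lookup can also be extended to read the allowlist from a file outside settings.js if you prefer not to keep e-mail addresses next to the client secret.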
