High availability login/auth issue


I have node-red hosted on openshift with high availability (2 pods in parallel) and I have an issue with login:

When I access node-red directly and log in, everything works fine.

The problem is when I want to log in this way:

  • POST on /auth/token
  • access node-red without login using /?access_token=
    (This happens automatically, to load node-red in iframe)

Sometimes it works, sometimes not. I think it is related to high availability because when I shut down one of the pods everything works fine. I checked the .sessions.json files on both pods and they were the same, both containing tokens that do not work. I also noticed that when I successfully log in, those tokens that don't work magically disappear from the sessions file.

I have a persistent volume (the same for the two pods). I was analyzing the node-red source code but I didn't find anything that could cause this behaviour (I thought that maybe there are some conflicts with saving/opening the file).

Could somebody help me with any suggestions on how to fix that? (Not by deleting high availability :smiley:)

I found the solution. If anyone is interested: if I am not wrong, the node-red process loads the sessions file only once, so if another process (another pod in my problem) overwrites it, the changes won't be visible to the other.

A quick solution is to comment out the if in the loadSessions function in node_modules/@node-red/editor-api/lib/auth/tokens.js.
However, wouldn't it be possible to add some settings option for that?

function loadSessions() {
    // Guard commented out so the sessions file is re-read on every call
    // if (loadedSessions === null) {
    loadedSessions = storage.getSessions().then(function(_sessions) {
        sessions = _sessions || {};
        return expireSessions();
    });
    // }
    return loadedSessions;
}

Running 2 interactive instances isn't going to work: the flows won't be kept in sync. When you deploy, only one of the instances will get updated.

What problem are you actually trying to solve here by running multiple instances?

Yes, you are right, for keeping flows in sync additional development is needed. We developed some sort of notification system that detects a deployment on one pod and tells the second pod to reload flows; everything is in sync.

I mean there is no problem to solve, I just have a system where I have something like an Active-Active High Availability Cluster.

Btw, the solution I wrote above doesn't work. What will work is to reload the session file each time somebody enters a link with /?access_token= before validation. However, I am searching and searching and cannot see that anywhere in the source code. Does somebody know where the logic for handling login with access_token in the URL is placed?
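
The failure mode discussed in this thread, as an added example that is not part of any post and is not Node-RED source: a simplified model in which each pod caches the shared sessions file on first load, compared with reloading it before each token validation. `SharedFile`, `Instance` and `scenario` are hypothetical names, and writing the whole in-memory map back on login is an assumption of the model.

```javascript
// Simplified model of the behaviour described in this thread; not Node-RED source.
// SharedFile stands in for .sessions.json on the shared persistent volume.
class SharedFile {
    constructor() { this.json = "{}"; }
    read() { return JSON.parse(this.json); }
    write(obj) { this.json = JSON.stringify(obj); }
}

// Hypothetical model of one pod's token store.
class Instance {
    constructor(file, reloadOnValidate) {
        this.file = file;
        this.reloadOnValidate = reloadOnValidate;
        this.sessions = null; // null until the first load, then cached in memory
    }
    load(force) {
        if (force || this.sessions === null) {
            this.sessions = this.file.read();
        }
        return this.sessions;
    }
    create(token, user) {
        this.load(false);
        this.sessions[token] = { user };
        this.file.write(this.sessions); // assumption: the whole map is written back
    }
    validate(token) {
        const current = this.load(this.reloadOnValidate);
        return Object.prototype.hasOwnProperty.call(current, token);
    }
}

// Replays the login sequence from the thread against two pods sharing one file.
// All tokens and user names are constructed sample values.
function scenario(reloadOnValidate) {
    const file = new SharedFile();
    const podA = new Instance(file, reloadOnValidate);
    const podB = new Instance(file, reloadOnValidate);
    podB.validate("warm-up");                 // pod B loads and caches the file early
    podA.create("tokenA", "alice");           // POST /auth/token is served by pod A
    const seenByB = podB.validate("tokenA");  // /?access_token= is served by pod B
    podB.create("tokenB", "bob");             // a later login on pod B rewrites the file
    const tokenAStillInFile = "tokenA" in file.read();
    return { seenByB, tokenAStillInFile };
}

console.log("cache once:", scenario(false));
console.log("reload before validate:", scenario(true));
```

With the cache-once behaviour, pod B rejects the token issued by pod A, and its next write drops that token from the shared file, which matches the disappearing tokens reported in the first post.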
