I want to secure Node-RED using a token. I am embedding Node-RED within my website, and I want access to Node-RED to be restricted only through the website. An example of this is provided below:
adminAuth: {
tokens: function(token) {
return new Promise(function(resolve, reject) {
// Check if the token is valid
if (token === 'rdp2vex0nq4mzl8tf8hba1tpr5umtmzn') {
// Resolve with the user object
var user = { username: 'admin', permissions: '*' };
resolve(user);
} else {
// Resolve with null if the token is not valid
resolve(null);
}
});
},
},
I've managed to secure access to Node-RED. However, I feel like it's not the right way, but it works.
the problem is there is no protection on Nodes itself, for example, the Node-RED dashboard.
I've seen this concept implemented in home assistant, but I don't understand how
I'm having the same problem, can you solve it?
Unfortunately, I have deleted the project, but I have worked on the idea and it succeeded. I need only one expert in Node.js to build a powerful tool that connects between these two frameworks, Django and Node-RED. Now, I will explain the idea to you. It may seem complicated, but it ensures security. First, you need to add middleware in Node-RED. This will be possible in the version available on GitHub. The function of this middleware is to ensure that the same person registered in Django is the one who wants to access Node-RED. But how? Through the session ID that Django puts once logged in. I'll provide you with code that clarifies this process. Now, the question is: how can it confirm that the session ID is the same in Django and registered, and also specific to a certain person? I mean, that person has the permission to access it... The sessions are stored in a table called django_sessions in the database, and the data is encrypted and cannot be accessed except by decryption. The tool capable of this is Django, through creating a REST API between both Django and Node-RED, where it sends the session ID, and Node-RED verifies it with Django and Django responds if the person is allowed. However, this opens a loophole. This can be prevented by also encrypting the request, which will prevent the theft of the session ID. The second question is how to prevent spam requests. This can be done by adding middleware in Django to block any requests coming to the part responsible for the REST API, except from specific addresses. This is preferable, especially when using Docker and specifying allowed hosts to access the Django REST API for retrieving user data.
The data is encrypted and cannot be decrypted to obtain the session ID belonging to any member except through Django
Here is an example of decrypting the data; you can use a REST API.
There's a problem here: any request, even a simple image request from within Node-RED, will trigger a request to Django to confirm the session. This presents an issue because the page will have multiple requests, potentially leading to increased traffic. To mitigate this, we can add a JavaScript object. At the start, it fetches all the allowed session IDs and their expiry dates for each individual. If any modifications occur, Django sends the updated data to Node-RED. I didn't implement this initially because the traffic was low, with only five users making modifications. Secondly, I reduced traffic by storing session IDs in the JavaScript object. Instead of sending requests to Node-RED, when a request with a new session ID is sent, I request all allowed session IDs and update the JavaScript object.
If anyone is skilled in Node.js and is willing to build an open-source tool to bridge Node-RED and Django, I'm ready to collaborate with them
I apologize for the late response. I didn't receive a notification of your reply to my post
you can import nod red in django page by iframe this exmple show the test of code in first picture
this show how sessons id work
It appears to me as though you are trying to manually re-create an authorisation capability that should exist as a standards-based service outside both Django and Node-RED. Creating your own authorisation capability is hard and error prone. It would likely not stand up to a security audit.
This might not be an issue to you but if you are offering anything of value to customers, I would advise you to get a security consultant to help you use a more robust approach.
Firstly, the request (concerning the information about sessions authorized to access Node-RED) between Node-RED and Django only occurs through a specified network, which provides a lot of security. I managed this because I use Docker Swarm, and I specified this by adding middleware to Django to ensure that these types of requests are only allowed through that network. Secondly, I encrypted the information between the two parties using a cipher with a key known to both parties, for both the request and the response.
I am not a cybersecurity expert; I am just trying to implement some ideas and seeking more support to bring these ideas to light. I abandoned the project not because of security issues but because working alone is quite demotivating. There are still many issues, not related to security but to connecting Django's WebSocket with Node-RED. There is still a lot of work to be done, such as creating some custom nodes in Node-RED for Django, similar to Home Assistant, which is beyond my current capabilities
Lastly, I am not offering this work to clients. I really don't understand why we in the Middle East do not use Node-RED. I have visited many companies for training and proposed the idea of working with Node-RED. I don't know why they prefer to pay money to Amazon, Google, or other corporations. Even stranger, they create simple applications that lack even the most basic security measures, such as creating a web page on an Arduino and allowing access to it to reach sensors or actuators.
2 Likes
OK, thanks for setting the scene. The fact that Node-RED is used in everything from simple home automation to major enterprises means that we can't really make assumptions.
I can't really help with the question as posed. I would still recommend doing the authentication and authorisation for both systems externally.
