How to assure that some flow constants (like API keys) also become stored in the credentials file?

#1

Context:
I am using the node-red github project feature for my flows running on a raspberry pi.
One of the flows is using a dashboard template node with the following code:

<iframe style="width:580px; height:400px;" frameborder="0" scrolling="no" marginheight="0" marginwidth="0"
src="http://192.168.1.131/emoncms/vis/multigraph?mid=3&embed=1&apikey=6f0......16a"></iframe>

The problem
When pushing my local changes to github it is also pushing the apikey in readable format to github. So the complete world can figure out what my API key is.

Is there a way we can assure that those apikeys become stored in the node-red credentials file in encrypted format?
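
The problem described in this post, as an added example that is not part of the original thread or of Node-RED: a scan of a parsed flow file for literal secrets in URL query strings, meant to run before a project is pushed. The parameter names, the sample flow, the host `emon.example` and the key value are constructed assumptions.

```javascript
// Added example: find literal secrets in URL query strings inside a Node-RED flow.
// Query-parameter names treated as secrets (an assumption; extend for your services).
const SECRET_PARAMS = ["apikey", "api_key", "token", "access_token"];
// Matches ?name=value or &name=value, including the HTML-escaped form &amp;name=value.
const PARAM_RE = new RegExp(
  "[?&](?:amp;)?(" + SECRET_PARAMS.join("|") + ")=([^&\"'\\s<>]+)", "gi");

// Values filled in at runtime ({{msg.x}} or ${ENV_VAR}) are not literal secrets.
function isPlaceholder(value) {
  return /^(\{\{.*\}\}|\$\{.*\})$/.test(value);
}

// Yield [propertyPath, string] for every string inside a node, at any depth.
function* strings(value, path) {
  if (typeof value === "string") {
    yield [path, value];
  } else if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) {
      yield* strings(v, path ? `${path}.${k}` : k);
    }
  }
}

// flows: the parsed JSON array from the project's flow file.
function scanFlows(flows) {
  const findings = [];
  for (const node of flows) {
    for (const [prop, text] of strings(node, "")) {
      for (const m of text.matchAll(PARAM_RE)) {
        if (isPlaceholder(m[2])) continue;
        // Report where the secret sits, never the secret itself.
        findings.push({ id: node.id, type: node.type, prop,
                        param: m[1].toLowerCase(), length: m[2].length });
      }
    }
  }
  return findings;
}

// Constructed sample: a template node like the one in the question, plus two clean nodes.
const SAMPLE_FLOWS = [
  { id: "a1", type: "ui_template", name: "graph",
    format: '<iframe src="http://emon.example/emoncms/vis/multigraph?mid=3&embed=1&apikey=0123456789abcdef"></iframe>' },
  { id: "b2", type: "ui_template", name: "graph from msg",
    format: '<iframe src="http://emon.example/emoncms/vis/multigraph?mid=3&apikey={{msg.apikey}}"></iframe>' },
  { id: "c3", type: "http request", url: "http://emon.example/feed/list.json?apikey=${EMON_KEY}" },
];

console.log(scanFlows(SAMPLE_FLOWS));
```

To use it on a real project, pass the `JSON.parse` result of the flow file to `scanFlows` and stop the push when it returns any findings.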

#2

This is an interesting use case we ought to cater for better in the core.

For now, a contrib node exists for storing custom data in the credentials file:

I've not used it, but it would be a starting point for what you need - you'll need to update your flow to retrieve the credentials from that node and pass them into your uitemplate node to update it.

2 Likes
#3

Perhaps this could be catered for via another variable type? We have global, flow & context variables. Could we have a credential variable? That way, it could easily be added to existing nodes with minimal change. Just a thought, it certainly would be useful.

The credentials node works fine last time I used it but closer integration with core would be more useful and comfortable.

#4

For me the credentials node works fine and is an acceptable solution. Of course I have no objections that the core is adapted for it. I am only thinking that it might not be that easy to change the core for this in a proper way while at the same time the credentials node also provides a solution for this problem.

Maybe the only concern is that I have assumed that the code of the credential node is secure. The current installed version is secure, but as the code is not managed by the node-red team we can imagine the following, maybe paranoid, scenario:

  1. github account of the credential node owner got cracked
  2. credential node code got updated by malicious person so that it will share the credentials, …
  3. when people update or install latest version of credential their system becomes compromised (credentials become shared by malicious person)

I am more than happy to take this little risk and most likely (knowing this) I will also not blindly upgrade the credentials node.

One solution to this risk is to incorporate the credentials node in the node red core nodes. This way it is managed by the node-red team and the risk that this code becomes hacked is close to zero.

1 Like