How to detect login to the Editor

Imagine a Node-RED use case where the user (that is an IT specialist) is allowed to access Node-RED editor from times to times (for whatever reason - not relevant to the question). As the owner of this application I will configure adminAuth in the settings file for the authorized user. For security and operational audit purposes I want to register in log whenever the user enters the editor.

I can recall two events that may (perhaps ?) indicate a login.

The first one is that the token is stored in the .sessions.json file.
Second, it seems to me that something gets logged in /var/log. Below extract shows the log when an user enters Node-RED editor with adminAuth configured (on the other hand I tried to login with a wrong password and nothing was shown in the screen).

20 Oct 14:09:43 - [trace] utils.writeFile - written content to /home/pi/.node-red/.sessions.json.$$$
20 Oct 14:09:43 - [trace] utils.writeFile - renamed /home/pi/.node-red/.sessions.json.$$$ to /home/pi/.node-red/.sessions.json
20 Oct 14:09:43 - [trace] comms.open laBu/uuO

What is exactly the comms.open event ? Is this related to the login or someting else ?

Is there any other kind of event that might help to detect when someone logs to the editor ?

Can you expand on that? I assume that you mean when a user opens the Editor URL? Not that they may have switched away from the Editor tab and then back again (which might be considered an "entry" in web terms)?

Right, I wanted to detect (if possible at all) when the user opens the editor URL.

I guess your question is relevant given that the login screen for the editor will not show up every time someone enters the editor, right ?

No, the login only appears when a user loads the editor url after the session has expired. Though I think it will also show up if the user tries to do something on the page and the session has expired - though you might need to test that.

I think that the default session is 7 days. So someone like me who always leaves their browser open and simply sleeps their PC will not technically have "left" the page - though that is further complicated by browsers that put tabs to sleep. Do you see why security is so complex?!

The easy answer to this is the same one I keep repeating to people asking about node-red security. Put everything behind a reverse proxy. Then access to the Editor will be tracked in the web server's logs not node-red.

1 Like

@Andrei if you enable the audit log option in your settings file, you'll get log events for all activity.

2 Likes

Works nicely. Thank you Nick.

20 Oct 19:04:29 - [audit] {"event":"comms.open","level":98,"timestamp":1666303469037}
20 Oct 19:04:29 - [trace] comms.open l0Xexy/vJRq87HH4kG5GZ0SuL5t25PwPumszTtnHI+A=
20 Oct 19:04:29 - [audit] {"event":"comms.auth","user":{"username":"admin","permissions":"*"},"level":98,"timestamp":1666303469159}
20 Oct 19:04:29 - [audit] {"event":"plugins.list.get","level":98,"user":{"username":"admin","permissions":"*"},"path":"/plugins","ip":"192.168.68.200","timestamp":1666303469262}
20 Oct 19:04:29 - [audit] {"event":"plugins.configs.get","level":98,"user":{"username":"admin","permissions":"*"},"path":"/plugins","ip":"192.168.68.200","timestamp":1666303469673}
20 Oct 19:04:29 - [audit] {"event":"nodes.list.get","level":98,"user":{"username":"admin","permissions":"*"},"path":"/nodes","ip":"192.168.68.200","timestamp":1666303469741}
20 Oct 19:04:30 - [audit] {"event":"nodes.icons.get","level":98,"user":{"username":"admin","permissions":"*"},"path":"/icons","ip":"192.168.68.200","timestamp":1666303470014}
20 Oct 19:04:30 - [audit] {"event":"nodes.configs.get","level":98,"user":{"username":"admin","permissions":"*"},"path":"/nodes","ip":"192.168.68.200","timestamp":1666303470106}
20 Oct 19:04:31 - [audit] {"event":"flows.get","level":98,"user":{"username":"admin","permissions":"*"},"path":"/flows","ip":"192.168.68.200","timestamp":1666303471278}

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.