How to Secure API Endpoints with RED.auth.needsPermission('flows.write') in HomeAssistant Node-RED?

Hello everyone,

I'm currently working on a Node-RED custom node that involves interacting with Google Calendar's API. In standalone Node-RED installations, I use RED.auth.needsPermission('flows.write') to secure the API endpoint that handles OAuth authentication callbacks. This works perfectly to ensure that only authenticated users can access sensitive flows or modify settings.

However, when Node-RED is installed through HomeAssistant, this security mechanism doesn't seem to work as expected. Users are repeatedly asked to enter their HomeAssistant login credentials during the OAuth process, which is not ideal for user experience.

My questions are:

  1. Is there a way to properly use RED.auth.needsPermission('flows.write') in a HomeAssistant-managed Node-RED environment without causing repeated authentication prompts?
  2. Does HomeAssistant already provide sufficient security mechanisms for these endpoints, making RED.auth.needsPermission() redundant in this context?
  3. If so, should I be detecting the mode of Node-RED installation (standalone vs. HomeAssistant) within my node and apply security checks accordingly? If possible, how can this be done?

Any guidance or alternative approaches would be highly appreciated!

Thank you!

Hi @fdecourt

I think you will need to approach the HA community for this one.

Most here do not use HA, and we don’t know how butchered their version of Node RED is.

@knolleary may have some insights into the authentication API - but it sounds to me this is a problem with HA.

RE: point 2/3…
IMO I wouldn’t code for HA specifics - given this is for Node RED and not HA.

Thanks @marcus-j-davies, I agree, I don't want to code it specifically for HomeAssistant... but I want to try to find something as universal as possible. I will keep the version as it is today, knowing that from HomeAssistant, users will have to enter their HA credentials (this is not a big issue!!!). I will ask on the HA forum (and I updated the README on GitHub to inform about the impact on HomeAssistant ;-))
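
The endpoint guard described in the first post, as an added example that is not the poster's code or part of the thread: an admin route registered behind `RED.auth.needsPermission('flows.write')`. The route path, the handler body and the stub runtime (`makeStubRED`, `simulate`) are assumptions made so the middleware chain can be exercised without Node-RED installed; the stub assumes the guard answers 401 when admin auth is configured and the caller's scope does not cover the permission, and passes through when admin auth is not configured.

```javascript
// Added example. Route path, handler body and the stub runtime are assumptions.
const PERMISSION = 'flows.write';
// Node entry point; a real node file assigns this function to module.exports.
function googleCalendarAuthNode(RED) {
  const guard = RED.auth.needsPermission(PERMISSION);
  RED.httpAdmin.get('/example-gcal/oauth/callback', guard, (req, res) => {
    const code = req.query && req.query.code;
    if (typeof code !== 'string' || code.length === 0) {
      return res.status(400).send('missing authorization code');
    }
    // A real node would exchange `code` for tokens here.
    return res.status(200).send('authorization received');
  });
}

// Constructed stand-in for the runtime, so the route can be exercised offline.
// Assumption: with admin auth configured the guard answers 401 unless the
// caller's scope covers the permission; with it unset the guard passes through.
function makeStubRED({ adminAuth }) {
  const routes = {};
  const covers = (scope, perm) => scope.includes('*') || scope.includes(perm);
  return {
    routes,
    auth: {
      needsPermission: (perm) => (req, res, next) => {
        if (!adminAuth) return next();
        if (covers(req.scope || [], perm)) return next();
        return res.status(401).send('');
      },
    },
    httpAdmin: { get: (path, ...chain) => { routes[path] = chain; } },
  };
}

// Run the registered middleware chain for one constructed request.
function simulate({ adminAuth, scope, query }) {
  const RED = makeStubRED({ adminAuth });
  googleCalendarAuthNode(RED);
  const out = { status: null, body: null };
  const res = {
    status(c) { out.status = c; return this; },
    send(b) { out.body = b; return this; },
  };
  const chain = RED.routes['/example-gcal/oauth/callback'];
  const req = { scope, query };
  const run = (i) => chain[i](req, res, () => run(i + 1));
  run(0);
  return out;
}
```

In the pass-through case the handler is reachable with no Node-RED-level check at all, so whatever sits in front of the editor has to supply the authentication.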
