Rather than hardcode users into the settings file, it is also possible to plug in custom code to authenticate users. This makes it possible to integrate with existing authentication schemes.
The following example shows how an external module can be used to provide the custom authentication code.
Save the following in a file called <node-red>/user-authentication.js
I have created this file but I don't understand what I need to change or set up the actual "usernames" and passwords (do I somehow add them into this file)?
I have multiple Pis (Node-RED) and thought it was a way to have one file set up that can be copied to my multiple Pis rather than copying the settings.js, which might be different on the other Pi.
It also mentions that the hash method is a bit insecure and is being phased out?!!
But now I have my new setup and working Node-RED, can I set the security up as a separate file that I can link into the settings.js on several different setups, or am I just best to use this #hash password method that it mentions has a vulnerability?
Is anyone able to advise on this or am I just misunderstanding again!!!!
(I take it these updates are being seen and there just hasn't been any update on it one way or the other?)
So, to clarify, your goal is to have a consistent username/password for logging into Node-RED across multiple devices? But you don't want to copy the settings file as some devices will have a customised settings file.
You can achieve that by:
Create a file called .node-red/user-authentication.js
You can change username to whatever you want the username to be. The password is a hashed version of the actual password you want to use. To generate the hash you can follow the instructions on this page under the 'Generating the password hash' section.
In each of your devices' settings files, set the adminAuth property to:
adminAuth: require("./user-authentication.js")
You can then copy the user-authentication.js file to all your devices.
I would suggest you consider how much of a saving this will make. If the goal is to have a consistent login on all your devices, then you could just set adminAuth normally on each of your devices and copy the password hash - I doubt you change the password very often, so having to manually copy the new hash to each device isn't much more than copying the user-auth...js file around.
// To password protect the node-defined HTTP endpoints (httpNodeRoot), or
// the static content (httpStatic), the following properties can be used.
// The pass field is a bcrypt hash of the password.
// See http://nodered.org/docs/security.html#generating-the-password-hash
You can follow the same approach for any property in the settings file.
If you follow the docs on generating the password hash - as it links to in the settings file - then you will be fine.
The comment you have read that has alarmed you is saying that httpNodeAuth also supports using the less secure md5 hashing algorithm for historical reasons. But if you do what the docs say then you won't be using md5 and you have nothing to worry about.
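An added example, not part of the original posts or of Node-RED itself: a dependency-free check to run before copying a shared auth file to several devices, flagging any password field that is an MD5 digest or not a hash at all instead of bcrypt. The function names and sample values are assumptions made up for this illustration; the property names (adminAuth, httpNodeAuth, httpStaticAuth) are the ones used in settings.js.

```javascript
// Added example: audit the password fields of a settings object before
// copying it to several devices. Plain Node.js, no dependencies.

// bcrypt hashes look like $2a$/$2b$/$2y$ + 2-digit cost + 53 chars (60 total).
const BCRYPT_RE = /^\$2[aby]\$\d{2}\$[.\/A-Za-z0-9]{53}$/;
// An MD5 digest is exactly 32 hex characters.
const MD5_RE = /^[0-9a-f]{32}$/i;

function classifyHash(value) {
  if (typeof value !== "string" || value.length === 0) return "missing";
  if (BCRYPT_RE.test(value)) return "bcrypt";
  if (MD5_RE.test(value)) return "md5";
  return "not-a-hash"; // most likely a plaintext password pasted in by mistake
}

// Returns a list of findings; an empty list means every password is bcrypt.
function auditAuthSettings(settings) {
  const findings = [];
  const check = (where, value) => {
    const kind = classifyHash(value);
    if (kind !== "bcrypt") findings.push({ where, kind });
  };
  const admin = settings.adminAuth;
  // adminAuth.users is an array for static users (it may be a function
  // when custom authentication code is plugged in; that case is skipped).
  if (admin && Array.isArray(admin.users)) {
    admin.users.forEach((u) =>
      check(`adminAuth.users[${u.username}].password`, u.password));
  }
  for (const key of ["httpNodeAuth", "httpStaticAuth"]) {
    if (settings[key]) check(`${key}.pass`, settings[key].pass);
  }
  return findings;
}

// Constructed sample values: placeholders with the right shape, not real hashes.
const FAKE_BCRYPT = "$2b$08$" + "A".repeat(53);
const FAKE_MD5 = "0".repeat(32);

const sampleSettings = {
  adminAuth: {
    type: "credentials",
    users: [{ username: "admin", password: FAKE_BCRYPT, permissions: "*" }],
  },
  httpNodeAuth: { user: "user", pass: FAKE_MD5 },
};

console.log(auditAuthSettings(sampleSettings));
```

A finding of kind "md5" means the hash should be regenerated following the 'Generating the password hash' section of the docs.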