How to use the node-red customer form

Custom user authentication

Rather than hardcode users into the settings file, it is also possible to plug in custom code to authenticate users. This makes it possible to integrate with existing authentication schemes.

The following example shows how an external module can be used to provide the custom authentication code.

  • Save the following in a file called <node-red>/user-authentication.js

I have created this file but I don't understand what I need to change or set up the actual "usernames" and passwords (Do I somehow add them into this file)?

Hi @gbond

what exactly do you want to do? Why do you want to go down the route of creating a custom user-authentication plugin for your Node-RED instance?

Being able to plug in a custom auth system is usually to integrate with existing authentication mechanisms.

I want to understand why you want to do this so I can help point you in the right direction.

I have multiple Pis (Node-RED) and thought it was a way to have one file setup that can be copied to my multiple Pis rather than copying the settings.js, which might be different on the other Pis

it also mentions about the hash method is a bit unsecure and is being phased out?!!

ok sorry to get back to this

but now I have my new setup and working Node-RED, can I set the security up as a separate file that I can link into the settings.js on several different setups, or am I just best to use this #hash password method that mentions has a vulnerability?

is anyone able to advise on this or am I just misunderstanding again!!!!
(I take it these updates are being seen and there just hasn't been any update on it one way or the other?)

So, to clarify, your goal is to have a consistent username/password for logging into Node-RED across multiple devices? But you don't want to copy the settings file as some devices will have a customised settings file.

You can achieve that by:

  1. Create a file called .node-red/user-authentication.js
  2. In that file paste the following:
module.exports = {
    type: "credentials",
    users: [{
        username: "admin",
        password: "$2a$08$zZWtXTja0fB1pzD4sHCMyOCMYz2Z6dNbM6tl8sJogENOMcxWV9DN.",
        permissions: "*"
    }]
};

You can change username to whatever you want the username to be. The password is a hashed version of the actual password you want to use. To generate the hash you can follow the instructions on this page under the 'Generating the password hash' section.

  3. In each of your devices' settings files, set the adminAuth property to:
adminAuth: require("./user-authentication.js")

You can then copy the user-authentication.js file to all your devices.

I would suggest you consider how much of a saving this will make. If the goal is to have a consistent login on all your devices, then you could just set adminAuth normally on each of your devices and copy the password hash - I doubt you change the password very often, so having to manually copy the new hash to each device isn't much more than copying the user-auth...js file around.

adminAuth: {
    type: "credentials",
    users: [{
        username: "admin",
        password: "*****************",
        permissions: "*"
    }]
},

// To password protect the node-defined HTTP endpoints (httpNodeRoot), or
// the static content (httpStatic), the following properties can be used.
// The pass field is a bcrypt hash of the password.
// See

httpNodeAuth: {user:"user",pass:"*"},
//httpStaticAuth: {user:"user",pass:"

// The following property can be used to enable HTTPS#
// See http:

can it do the httpNodeAuth and is it more secure, as it reads as the #hash thing could be compromised
or am I misunderstanding again?

You can follow the same approach for any property in the settings file.

If you follow the docs on generating the password hash - as it links to in the settings file - then you will be fine.

The comment you have read that has alarmed you is saying that httpNodeAuth also supports using the less secure md5 hashing algorithm for historical reasons. But if you do what the docs say then you won't be using md5 and you have nothing to worry about.
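The bcrypt-versus-MD5 distinction described in the reply above can be checked mechanically across several devices' settings. The following is an added example, not code from the thread or from Node-RED; `classifyHash` and `auditSettings` are hypothetical helper names, and the sample settings object is constructed (only the admin hash is the one quoted earlier in the thread).

```javascript
// Added example; classifyHash and auditSettings are hypothetical helper names.
// A bcrypt string is $2a$/$2b$/$2y$, a two-digit cost, then 53 characters
// (22-character salt followed by a 31-character hash).
const BCRYPT_RE = /^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$/;
// An MD5 digest written in hex is exactly 32 hex characters.
const MD5_HEX_RE = /^[0-9a-fA-F]{32}$/;

function classifyHash(value) {
    if (typeof value !== "string" || value.length === 0) {
        return { kind: "missing" };
    }
    const m = BCRYPT_RE.exec(value);
    if (m) return { kind: "bcrypt", cost: parseInt(m[1], 10) };
    if (MD5_HEX_RE.test(value)) return { kind: "md5" };
    return { kind: "unrecognised" }; // plaintext, truncated or redacted value
}

// Report the stored credential format for each property discussed in the thread.
function auditSettings(settings) {
    const findings = [];
    const admin = settings.adminAuth;
    // users is only an array for the built-in "credentials" form with static users.
    if (admin && Array.isArray(admin.users)) {
        for (const u of admin.users) {
            findings.push({ where: `adminAuth:${u.username}`, ...classifyHash(u.password) });
        }
    }
    for (const key of ["httpNodeAuth", "httpStaticAuth"]) {
        const entry = settings[key];
        if (entry) findings.push({ where: `${key}:${entry.user}`, ...classifyHash(entry.pass) });
    }
    return findings;
}

// Constructed sample settings for illustration.
const sample = {
    adminAuth: {
        type: "credentials",
        users: [{ username: "admin", permissions: "*",
            password: "$2a$08$zZWtXTja0fB1pzD4sHCMyOCMYz2Z6dNbM6tl8sJogENOMcxWV9DN." }]
    },
    httpNodeAuth: { user: "user", pass: "0123456789abcdef0123456789abcdef" }, // constructed MD5-shaped value
    httpStaticAuth: { user: "user", pass: "*" } // redacted placeholder
};

for (const f of auditSettings(sample)) {
    console.log(f.where, f.kind, f.cost !== undefined ? `cost=${f.cost}` : "");
}
```

Any entry reported as `md5` or `unrecognised` should be regenerated as a bcrypt hash following the documentation the settings file links to.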

ok just to be clear
either the separate file or the settings.js file is safe to do?

I'm not sure what you mean by 'safe' - depends what you are trying to protect yourself from.

Personally I'd keep it simple and keep it in your settings file.

great I will leave it as it is, thank you for clarifying
