Http-request password - 401 error

#1

This is some pretty basic stuff that is challenging me as a new user of Node-Red.

I have a web switch I am trying to control that is password protected. I created the http-request to the page with basic authentication.

When I execute it, I get a 401, password required.

401 Unauthorized: Password required

As a test, I turned off 'use basic authentication' and coded the get like this:

http://username:password@192.168.1.10/status.xml

This still returns a 401 error.

As a test, on the same RPI that NodeRed is running, I issued the same command using curl

curl http://username:password@192.168.1.10/status.xml

The curl command works as expected and the password is accepted.

Any guidance will be appreciated on what might be blocking me?

Many thanks, Mike

#2

Do you use a backslash or any other uncommon character in your password ?

#3

No... in fact, for the test, the username and password are plain text. It is actually "a" and "a". :slight_smile:
Mike

#4

That is indeed weird. The http-request node (currently) uses the "request" NPM library under the cover, and when you look at their readme page you see that they even support credentials embedded in the URL like you do:

image

I thought we had a similar issue in the past, but cannot remember anymore what the outcome was. And most likely that was on an older version of Node-RED, where the http-request node was using the follow-redirects NPM library underneath ...

P.S. But to make sure, which version of Node-RED are you using?

Bart

#5

Thanks Bart for your time.

I am using v0.19.6 on a Pi. I see that 0.20 is out.

I guess I should look into upgrading.

Mike

#6

Hey Mike,
I would indeed upgrade, but now I'm not sure if your problems is going to be solved. If you have a look at the Node-RED changelog, you will see that the httprequest node uses the "request" library since 0.19.0:

HTTP Request: Move to request module

And there is another problem. I wrote some time ago the node-red-contrib-http-logger to see which http request is being send underneath. However that node doesn't work anymore with newer NodeJs versions. Have been working on it this week, but my new version isn't complete yet. But perhaps it works on your NodeJs version, and then you can see what is being send. Perhaps you can see something strange ...

#7

Some more data. I'm not bad at gathering Wireshare data. I'm bad at reading it. :slight_smile:

Here is a successful http-request from chrome:

GET /status.xml HTTP/1.1

Host: 192.168.110.12

Connection: keep-alive

Cache-Control: max-age=0

Authorization: Basic YTph

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36

DNT: 1

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3

Accept-Encoding: gzip, deflate

Accept-Language: en-US,en;q=0.9

HTTP/1.1 200 OK

Connection: close

Content-Type: text/xml

Cache-Control: no-cache

<response> 

blah blah blah and off we go with the xml data.

This is the failing request from NodeRed


GET /status.xml HTTP/1.1
host: 192.168.110.12
Connection: close

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Protected"
Connection: close

401 Unauthorized: Password required

#8

Mike,
I'm not a security expert, but in this older post there was a rather similar problem.

Could it be that your web switch also uses digest authentication instead of basic authentication? Both methods require a username and password. But the request library uses basic authentication, unless it is specified explicit that digest authentication is required.

If you update to the latest Node-RED version, then your http-request node will support Digest Authentication:

image

Would be nice if you could test whether that solves the problem!

#9

Hi Bart

I will give that a try after I upgrade to the latest version.

This works:

curl http://a:a@192.168.110.12/status.xml

Thanks for your help.

Mike