Generally best not to ask the same question in two different threads because answers become split. Leave the question of the CMS to the other thread.
"Is a CMS built using Node-red even a good idea?" - General - Node-RED Forum (nodered.org)
It depends which part of Node-RED you refer to. The Editor is capable of using PassportJS which offers a lot of opportunities for different user authentication schemes. There are also a number of middleware hooks available. Dashboard is still somewhat limited in this area. uibuilder offers another alternative if you don't mind using code for your front-end and also has middleware hooks and a slowly developing security infrastructure of its own that also will fully secure the websockets interface.
But truth be told, user authentication and authorisation is still probably better done outside of Node-RED using a reverse proxy. This is a more proven path and so may offer greater security and almost certainly better performance.
