Implementing basic auth on http nodes breaks admin page

Hi, recently had a case where I implemented basic auth for my http nodes to serve a web page. When you visit the page, the browser asks for the user and password and saves them to be sent with every page visit.

Just after this, I wasn't able to log into the admin portal, which I was serving under /admin. I was using the typical adminAuth. I enter the user and password and it looks like it would direct me to the admin page, but it lands back on the login page again. I noticed this is caused by the basic auth credentials being sent to the admin page. When I removed the creds from the browser, all worked fine.

Thought this might be interesting for you to know. Maybe a bug?

Can you show us exactly what you changed in the settings.js file that broke things? Also version numbers for everything.

I didn't change anything in settings. Node-RED version 1.3.5

What I did was to use the basic authentication method as part of my http in flows (not through settings, but by implementing it in a function node).

Browsers show a user/pass popup when a site uses basic auth, and when you enter them, they will be sent along with every request from that moment on.

That's where the problem starts: because the browser sends this basic auth header to admin routes as well, the admin page gets confused, I think, so it's not possible to log in from that moment on.

In that case can you provide an example flow that shows the problem?

Since the admin auth login page uses form-based authentication, it should just ignore any basic auth header.

[
    {
        "id": "7025310b.bd649",
        "type": "http in",
        "z": "60bba61b.c39738",
        "name": "",
        "url": "/basic-auth-test",
        "method": "get",
        "upload": false,
        "swaggerDoc": "",
        "x": 310,
        "y": 200,
        "wires": [
            [
                "fd50f5fa.b7f118"
            ]
        ]
    },
    {
        "id": "e5bd0dd7.b90a08",
        "type": "http response",
        "z": "60bba61b.c39738",
        "name": "",
        "statusCode": "200",
        "headers": {},
        "x": 640,
        "y": 200,
        "wires": []
    },
    {
        "id": "fd50f5fa.b7f118",
        "type": "function",
        "z": "60bba61b.c39738",
        "name": "Check Basic Auth",
        "func": "let upc;\n\nlet userlist = [\n    \"this:that\"\n    ];\n    \ntry {\n    \n    if (msg.req.headers && msg.req.headers.authorization\n    ) {\n        let base = msg.req.headers.authorization.split(\" \")[1]\n        let buff = Buffer.from(base, 'base64');\n        upc = buff.toString('ascii');\n    }\n    \n    \n    if (upc && userlist.includes(upc)\n        ) {\n            msg.username = upc.split(\":\")[0]\n            return [msg,null];\n    } else {\n        msg.headers = {\"WWW-Authenticate\": \"Basic\"}\n        msg.statusCode = 401\n        return [null,msg];\n    }\n\n} catch (err) {node.warn(err)}",
        "outputs": 2,
        "noerr": 0,
        "initialize": "",
        "finalize": "",
        "libs": [],
        "x": 470,
        "y": 360,
        "wires": [
            [
                "e5bd0dd7.b90a08"
            ],
            [
                "53d6b4f.bd5774c"
            ]
        ]
    },
    {
        "id": "53d6b4f.bd5774c",
        "type": "http response",
        "z": "60bba61b.c39738",
        "name": "",
        "statusCode": "401",
        "headers": {},
        "x": 520,
        "y": 420,
        "wires": []
    }
]

Add this, visit the page, enter user "this" password "that", then visit the admin page, see the problem.

@hardillb did this flow help you replicate the issue?

No, running v1.3.7 and v2.1.3 both work fine with that flow and admin auth enabled.
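
Added example, not part of the original thread or of Node-RED itself: a stand-alone Node.js hardening of the "Check Basic Auth" function from the flow above. It checks the scheme, splits on the first colon, compares salted scrypt hashes in constant time, and sends a named realm; the user store and the function names are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Constructed sample store (assumption): salted scrypt hashes instead of
// the plaintext "this:that" strings kept in the flow's userlist.
function makeUser(password) {
    const salt = crypto.randomBytes(16);
    return { salt, hash: crypto.scryptSync(password, salt, 32) };
}
const users = new Map([['this', makeUser('that')]]);
const DUMMY = makeUser('placeholder'); // hashed against for unknown usernames

// Parse an Authorization header value into {username, password}, or null.
function parseBasic(header) {
    if (typeof header !== 'string') return null;
    // Accept only the Basic scheme with a well-formed base64 token.
    const m = /^Basic +([A-Za-z0-9+/]+={0,2})$/i.exec(header.trim());
    if (!m) return null;
    const decoded = Buffer.from(m[1], 'base64').toString('utf8');
    const i = decoded.indexOf(':'); // first colon: passwords may contain ':'
    if (i < 0) return null;
    return { username: decoded.slice(0, i), password: decoded.slice(i + 1) };
}

// Return the authenticated username, or null.
function checkBasicAuth(header) {
    const cred = parseBasic(header);
    if (!cred) return null;
    const user = users.get(cred.username);
    const ref = user || DUMMY; // do the same work whether or not the user exists
    const actual = crypto.scryptSync(cred.password, ref.salt, 32);
    const match = crypto.timingSafeEqual(actual, ref.hash);
    return user && match ? cred.username : null;
}

// Same two-output contract as the flow's function node: [authorised, rejected].
function handle(msg) {
    const headers = (msg.req && msg.req.headers) || {};
    const username = checkBasicAuth(headers.authorization);
    if (username) {
        msg.username = username;
        return [msg, null];
    }
    msg.headers = { 'WWW-Authenticate': 'Basic realm="basic-auth-test", charset="UTF-8"' };
    msg.statusCode = 401;
    return [null, msg];
}
```

Inside a function node the `crypto` module is not in scope by default, so it would have to be made available to the node before `handle(msg)` could be used there.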
