Implicit list of users in adminAuth

#1

I'm looking into securing my company's Node-RED setup to only allow access to users in a specific GitLab group. I found a passport strategy for gitlab-oauth, which should work well enough with the strategy-type adminAuth setting. However, as it looks to me, I would still have to enter every member of the group individually in the users array, since the done function is supposed to check against it.

Does the done function have to be called from the verify-function, though, or could I skip this additional check after verification on the OAuth response by simply creating a user struct and calling the resolve function with the verified user directly? Or is the resolve function not available/applicable in this scope because of the callbackURI requirements (which are handled as part of the done function, I would guess) and I would have to write a custom authentication script with direct usage of passport?

0 Likes

#2

All right, so I've tried a couple things myself so far, and think I have a bit of a better grip on the whole matter now. I manage to authenticate using a gitlab strategy, but I still need to have an entry in the users list. My settings so far:

adminAuth: {
          type:"strategy",
          strategy: {
              name:"gitlab",
              label: 'Sign-in via GitLab',
              icon:"fa-gitlab",
              strategy: require('passport-gitlab2').Strategy,
              options: {
                  clientID: GITLAB-CLIENT-ID,
                  clientSecret: TOP-SECRET-SECRET,
                  gitlabURL : "https://gitlab.com",
                  callbackURL: "http://localhost:1880/auth/strategy/callback",
                  verify: function(token, tokenSecret, profile, done) {
                      for (var i=0; i < profile.emails.length; ++i) {
                          if(profile.emails[i].value.search("@my-company\\.com") >= 0) {
                              return done(null, { username: profile.username });
                          }
                      };
                  }
              }
          },
          users: [{ username: "stgv", permissions: "*" }]
    },

Still, is there a way to do this log-on without having to hard-code all usernames with permission in the users array? Anything that can be passed to the done() function (or be used instead of it)?

0 Likes

#3

Hi @stgv

Node-RED only uses the users property of adminAuth in order to retrieve an already authenticated user's permissions.

If all of your users have the same permission, you can replace your users array with a function:

users: function(user) {
    return Promise.resolve({ username: user, permissions: "*" });
}
0 Likes

#4

Oh, nice! Didn't think of putting that function there directly - but it makes a lot of sense. Thanks a lot!

0 Likes