Is it possible to open the node-red editor via an url by sending a flow id as a parameter in addition to the access token?

Introduction to the problem:

We use the node-red API to display the list of flows in our application.
In our application, I would like to open the node-red editor in an iframe when we click on a flow located in this list.
But I don't want the user to have to log in and I would like the editor to open on the tab of the selected flow.

So that the user does not have to log in, I found in the node-red documentation that we can send the access token via the url:
https://test-server.com/concoord/admin/?access_token=<ACCESS_TOKEN>

I then tried to add at the same time in the url:
/#flow/<FLOW_ID>
Or
?flow_id=<FLOW_ID>
before and after the access_token in the url but nothing seems to work and I couldn't find anything in the documentation.

Do you have any idea if it is possible to send the access_token and a flow_id in the url at the same time?

You can copy the URL to any flow or node using the info panel

Then as with any URL you can append query parameters

https://my-flows/#flow/629274ae73ff8efb?access_token=<ACCESS_TOKEN>

Does that not work?

Thanks for your response! But no unfortunately it doesn't work, it sends me to the login page.
I wondered if it wasn't possible to also send the flow id as a query parameter? But I couldn't find anything about it.

So are you saying

https://test-server.com/concoord/admin/?access_token=<ACCESS_TOKEN> opens the editor and logs in BUT https://test-server.com/concoord/admin/#flow/629274ae73ff8efb/?access_token=<ACCESS_TOKEN> does not?

If so, then you will have to raise an issue but I am surprised this is the case. Maybe give it another go? Pay attention to the slashes and other formatting of the URL as i have written above.

It lets you put the access token on the URL?

That would seem to be extremely insecure.

Potentially yes. It depends how the tokens are verified in the users configuration. If verified against a static value - absolutely - but correct implementations would validate the token and age when the callback is executed.

Hmm, but that is highly insecure if done over open networks. Even with HTTP, the URL is in the clear and can easily be intercepted. It will also be recorded in various logs and proxies.

Not disagreeing. It is a feature that has been around for about 9 years. The OP has chosen to use this :person_shrugging:

In a URL, the search component (#flow/123) has to come after the query component (?access_token=...)

However, I'm not sure Node-RED preserves the search component when it clears the query component, so it may not be possible to do what you want.

Another good reason not to expose the Admin endpoints direct over the Internet!

Thank you for all your answers!
But actually, I don't think it's possible to do what I want. To solve the problem, I therefore make a first invisible iframe which will take care of receiving the access token and then a second visible iframe which will open the flow selected in my list.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.