Is there any other way of locking down the dashboard per user other than paying for FlowFuse? I get that Dashboard 2.0 is a FlowFuse product, but there must be a way to do this other than buying yet another subscription.
I have tried the httpNodeAuth route but that had undesired side-effects I wasn't looking for. I honestly forget what they were (I'll try it again) but I know I reverted that setting for a reason.
What I'm trying to do is give certain users access to a specific page on the dashboard; not all pages. I also don't want to give users access to the flows at all.
I have read the Securing Node-RED page but honestly it's a little confusing for me. Can that be leveraged to do what I want?
So I have always advocated that people use proper security tools for securing services, especially web services. In this case, that means using a reverse proxy (e.g. NGINX, Caddy, HAProxy, etc.) along with one of the authentication services (e.g. FusionAuth, Authentik, Authelia, etc.)
Alternatively, simply use Cloudflare Zero Trust which provides a single integrated set of cloud services to do both the proxy and the authentication without you needing to put holes in your own firewall.
Both D2 and UIBUILDER can use standard auth headers to help control access. Just note however that D2 is a single-page-app only so you might struggle depending on security levels required (not totally sure as I don't use it). With UIBUILDER, you can build anything and you can choose between single and multi-page apps (or indeed both) and you can easily insert middleware on both the HTTP and WS (actually Socket.IO) protocols on the Node-RED server side for best control.
Also worth remembering when using websockets (and Socket.IO) that ws does not support custom http headers. This means that, while you can control an initial handshake, you cannot then continue to control further interactions without additional work. UIBUILDER allows middleware on each msg as well as the initial handshake to help with this.
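The handshake-versus-message point in the reply above, as an added example that is not part of the thread and is not UIBUILDER or Dashboard 2.0 code. It assumes the reverse proxy injects `Remote-User` and `Remote-Groups` headers (the names Authelia forwards; other auth services use different ones); the page paths, group names, proxy address and `msg.page` field are constructed for illustration.

```javascript
'use strict';

// Constructed sample policy: which groups may use which dashboard page.
const PAGE_ACL = new Map([
  ['/dashboard/boiler', ['operators', 'admins']],
  ['/dashboard/admin', ['admins']],
]);

// Identity headers are only believable when the request arrived from the
// proxy itself; a client that reaches Node-RED directly can forge them.
const TRUSTED_PROXY_IPS = new Set(['127.0.0.1']); // assumption: proxy on same host

// socketId -> { user, groups }, filled at handshake, cleared on disconnect.
const sessions = new Map();

// Handshake: the only moment the proxy-injected HTTP headers are visible.
function onHandshake(socketId, remoteAddress, headers) {
  if (!TRUSTED_PROXY_IPS.has(remoteAddress)) return false;
  const user = headers['remote-user']; // Node.js lower-cases header names
  if (!user) return false;
  const groups = (headers['remote-groups'] || '')
    .split(',').map((g) => g.trim()).filter(Boolean);
  sessions.set(socketId, { user, groups });
  return true;
}

// Every later message: no headers travel with it, so authorize against
// the identity recorded at handshake. Unknown pages are denied by default.
function authorizeMessage(socketId, msg) {
  const identity = sessions.get(socketId);
  if (!identity || !msg) return false;
  const allowed = PAGE_ACL.get(msg.page);
  if (!allowed) return false;
  return identity.groups.some((g) => allowed.includes(g));
}

function onDisconnect(socketId) {
  sessions.delete(socketId);
}
```

In a real deployment these three functions would be called from whatever handshake, per-message and disconnect hooks the server-side framework provides.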
On a related note, is there a way to lock/hide specific editor tabs (or specific subflows)?
The use-case is that we want to expose the editor to end-users, allowing them to create their own flows. We want to empower them with some generic tabs/subflows which they can call but cannot modify.
Is there a way to do this? Of course, I can develop & provide custom nodes, remote API interfaces or executables (called by exec nodes), but it would be nice to be able to leverage Node-RED itself for building (and locking) these generic tabs/subflows.
This functionality is supported in FlowFuse. If you're using Node-RED in a business setting, then it'd probably be easy to justify the FF cost in the time saving you'd get.