Tonight I noticed that an automatically locked dashboard still shows the last dashboard used behind the log in faceplate. When I log off, the log on faceplate is shown on an empty dashboard.
Is this a setting that I missed? I checked the config, but I am unable to find a setting for what to display on auto lock. If it is default behavior, I would like to make a wish to change it to improve security. But not before I am sure that it is not a setting.
Okay, then something went wrong. First of all, I am glad that there is no such setting.
What I did was work on Node-RED on tab1. Then I worked on other tabs for a long time, reading, and left the laptop unused for an hour.
I've looked in the logs of Node-RED, and there are no records of date datetime. Let's assume it is a one-time thingy.
I had this problem just again.
My laptop went to powersave mode while the browser was still open and logged in to Node-RED.
When the system was up again, the browser (FF) showed the login screen above the flows.
I use Firefox 78.3 and Node-RED 1.13 on a Raspberry Pi with Raspberry Pi OS (Raspbian).
I checked the logs, but there are no errors from Node-RED. For me personally it is not a problem, but it seems to me a security risk. A logged-off system should not display data.
Are you sure, or guessing? Even when it is done by the browser, shouldn't there be a way for Node-RED to disable this caching? This is the first web-based application I've seen that has this issue. Therefore I think that there should be a way to solve this.
This is nothing to do with caching. If the login session expires whilst the editor is open the login dialog appears.
The fact you can still see the flows in the background has never been highlighted as an issue.
If you were in the middle of working on the flows and the session expired, you wouldn't want it to discard all your work - you'd want a chance to log back in so you could save your work.
We could blur the background when the dialog is open to obscure the flows, but all that information would still be readily accessible using the browser developer tools.
One option would be to have a timeout on that dialog - if it isn't submitted within X minutes then reload the page to flush the flow data (and lose any undeployed changes). (But only do that if there is no default user, or that user doesn't have at least read permissions.)
Would need to think through what that would mean for those who embed nr. Also whether any of that behaviour should be customisable.
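The dialog-timeout option proposed above, sketched as an added example (not Node-RED source and not code from any poster in this thread). The function names, the injected `reload` and `timers` hooks, and the assumption that a default user is described by a `permissions` value of `"*"` or `"read"` are all hypothetical.

```javascript
// Added illustration; not Node-RED code. All names below are hypothetical.

// True when an anonymous/default user could read the flows anyway, in which
// case flushing the page on timeout would protect nothing.
// Assumed permission values: "*" (everything) or "read".
function defaultUserCanRead(defaultUser) {
  if (!defaultUser || defaultUser.permissions == null) return false;
  const perms = [].concat(defaultUser.permissions);
  return perms.some((p) => p === "*" || p === "read");
}

// Builds a guard around the "session expired" login dialog.
//   timeoutMs   - how long the dialog may stay unsubmitted (the "X minutes")
//   defaultUser - default-user config object, or null if there is none
//   reload      - callback that reloads the page, discarding flow data and
//                 any undeployed changes held in the browser
//   timers      - object providing setTimeout/clearTimeout (injectable)
function createLoginDialogGuard({ timeoutMs, defaultUser, reload, timers = globalThis }) {
  const flushOnTimeout = !defaultUserCanRead(defaultUser);
  let handle = null;

  return {
    flushOnTimeout,

    // Call when the login dialog appears over the editor.
    dialogOpened() {
      if (!flushOnTimeout || handle !== null) return; // nothing to arm, or already armed
      handle = timers.setTimeout(() => {
        handle = null;
        reload(); // dialog was never submitted: flush what the page holds
      }, timeoutMs);
    },

    // Call when the user logs back in: keep the page and the unsaved work.
    loginSucceeded() {
      if (handle !== null) {
        timers.clearTimeout(handle);
        handle = null;
      }
    },
  };
}
```

In a browser the `reload` callback would typically wrap `window.location.reload()`; injecting it keeps the decision logic testable without a page.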
I think that an auto log off with loss of data is a good add-on regarding some security rules. For some areas it is mandatory that a server program logs you off after some inactivity. SAP systems have this option as well. It will log you off, with loss of local data, to avoid unmonitored client usage.