Login and Registration UIBuilder

Hi.. I use uibuilder for ui. How do I add login and registration to ui?

You need to build something for yourself at the moment I'm afraid.

uibuilder provides a middleware capability for both the ExpressJS web server and for the websocket connection.

You can use those to check for the presence of a security token/cookie and if not present or not valid, redirect the client browser to a separate login page.

The login page can also be a uibuilder page so take the info from the user and submit it as a form (and check it in the Express middleware) or send it with uibuilder.send() (and check it using a Node-RED flow). The result of the check should either deliver a JWT token or a secure cookie that you can then check on future calls.

Note that since uibuilder generally uses websockets (socket.io) to communicate, you need to take care that you include security data from the client back to the server in any messages you send - then you need to have a flow that checks to see if the user's credentials & session are still valid.

I know this all seems a bit complex and I've not had a chance to sit down and create a security example as yet unfortunately.

Hi, is there any new development on user authentication for UIbuilder? Tried using isloggedin node (node-red-contrib-users) that offers JWT authentication with UIbuilder but it does not seem to work and goes into a loop. I guess it will require some websocket programming.

Thinking of going back to using isloggedin node with normal template node (using bootswatch).

I'm afraid not. The built-in security is still a work in progress. However, uibuilder WILL create a simple JWT for you and attach it to the msg._auth object which I've used as the standard for exchanging authentication and authorisation information via websockets. You have to do things that way because websockets do not permit custom http headers once the connection has "upgraded" after the initial handshake.

I explained this in a recent post on the subject in the forum here.

In theory, you may be able to fool uibuilder into using the information from node-red-contrib-users but you would need to reformat the data into the msg._auth structure - this is well defined in the tech docs. And you need to make sure that you pass at least the minimum required info in both directions in EVERY message. I think that minimum would be the id and the jwt but you would need to check.

If you manage to get that to work, please let me know as it might be useful to other people.

I have offered a couple of people now to create a new security branch of uibuilder so that we can start to work through any remaining issues. Having got v4 out the door (and v4.1), this would be a good time to resume work on it.
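The two checks described in the replies above (an Express-style middleware that redirects to a login page when no valid token cookie is present, and a per-message check of `msg._auth` for websocket traffic), sketched as an added example that is not uibuilder's own code or part of the original posts. The secret, the cookie name `uibtoken`, the `/login` path and the use of `id` and `jwt` as the `msg._auth` fields checked are assumptions for illustration.

```javascript
// Added example, not uibuilder code. SECRET, cookie name and login path are hypothetical.
const crypto = require('node:crypto');

const SECRET = 'constructed-demo-secret'; // placeholder: load from a secret store in practice
const b64u = (x) => Buffer.from(x).toString('base64url');
const mac = (data) => crypto.createHmac('sha256', SECRET).update(data).digest();

// Issue an HS256 JWT once the login form or login message has been checked.
function issueToken(id, ttlSec, now = Date.now()) {
  const head = b64u(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64u(JSON.stringify({ sub: id, exp: Math.floor(now / 1000) + ttlSec }));
  return `${head}.${body}.${b64u(mac(`${head}.${body}`))}`;
}

// Return the claims, or null if the token is malformed, not HS256, forged or expired.
function verifyToken(token, now = Date.now()) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3) return null;
  try {
    const [head, body, sig] = parts;
    if (JSON.parse(Buffer.from(head, 'base64url')).alg !== 'HS256') return null; // pin the algorithm
    const given = Buffer.from(sig, 'base64url');
    const expected = mac(`${head}.${body}`);
    if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
    const claims = JSON.parse(Buffer.from(body, 'base64url'));
    return typeof claims.exp === 'number' && claims.exp * 1000 > now ? claims : null;
  } catch { return null; }
}

// Express-style middleware: a request without a valid cookie is sent to the login page.
function httpGuard(req, res, next) {
  if (req.path === '/login') return next(); // never guard the login page itself
  const m = /(?:^|;\s*)uibtoken=([^;]+)/.exec(req.headers.cookie || '');
  const claims = m && verifyToken(m[1]);
  if (!claims) return res.redirect('/login');
  req.user = claims.sub;
  next();
}

// Per-message check for websocket traffic: the token must verify on every
// message and must belong to the id the client claims.
function checkMsg(msg, now = Date.now()) {
  const auth = msg && msg._auth;
  const claims = auth && verifyToken(auth.jwt, now);
  return Boolean(claims && claims.sub === auth.id);
}
```

In a flow, `checkMsg` would run on every inbound message before any other processing, and a failed check would drop the message or send the client back to the login page.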

Thanks for your reply. This provides clarity on the subject.

Can you pls share the link to your forum post explaining this further? I think it's missing from the above reply.

It was just a quick search away.

Uibuilder sqlite security.js - General - Node-RED Forum (nodered.org)

BTW, if uibuilder security isn't ready for you, you should look at using an external proxy such as Caddy or NGINX. These have mature authentication and authorisation features and plugins.