The primary reason for this is my damn 1password extension, which I assume sees that my node-red instance is one big very complicated login page, since the base URL (excluding the hash) never changes. 1Password X (beta) is really the issue. The old extension had the ability to exclude sites. And I guess I could forget the admin password in 1Password, but I like to have it available on all my devices since I like long super complicated passwords, which is just what everyone should be doing.
So this seems minor and fixable on my (the user's) side, but I've read that separating web apps from the login page is best practice from a security standpoint. Also, what if the node-red password is accidentally form-filled where it could be leaked out of the app through a flow?
This doesn't seem that complicated of a feature to add, but it should be optional since it could break a lot of stuff. I can try to submit a PR if anyone is interested.
Well, we need @knolleary to weigh in on this so be patient but I do understand what you are saying.
I actually don't think it needs to be a separate page but simply a different URI. Even adding a query parameter might be enough for 1password to detect it? If not, it may still be possible to change the "page" name while the login prompt is showing.
Node-RED is a single-page application. Moving the login page to a separate page would potentially break a lot of the cases where it is embedded in another application, so isn't something we'd consider lightly.
I think a bit more research on how this is handled with other SPAs and password managers is needed - I suspect @TotallyInformation may be on the right track around finding the appropriate url modification when the login page is showing.
Yes, but is it necessary to deliver that application to unauthenticated users? I'm not suggesting that it's necessary to rearchitect the app, but there's always something (data, apis, UI fragments, etc.) you're holding back on the server, from everyone really, so to contend that a single-page application necessitates having the login page delivered with the rest of the application doesn't hold a lot of water. Just food for thought.
I was thinking that this could be a configuration option for users with this issue. The server could serve the same application at an alternate URL. There would just need to be two redirects added.
pushState is another solution. Then the server would have to serve the app at many different URLs, or at least for each location that the frontend is putting into history.
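The two ideas above (serve the same app at a second URL with two redirects, or change the URL with pushState while the login prompt is showing) can be sketched together. The code below is an added example for this thread, not Node-RED's own code: the session cookie name `editor_session`, the login path `/login`, the hard-coded session store and the placeholder editor HTML are all constructed for illustration, and a real server would validate sessions against its own store.

```javascript
// Added example (not Node-RED code). Serves one single-page app at two URLs so a
// password manager sees a stable, distinct login URL instead of the editor's base URL:
//   - unauthenticated GET /       -> 302 to /login
//   - authenticated   GET /login  -> 302 to /
//   - otherwise both paths serve the same app HTML
// Assumed/hypothetical: cookie "editor_session", path "/login", the session set below.

const APP_PATH = "/";
const LOGIN_PATH = "/login";
const SESSION_COOKIE = "editor_session";

// Constructed placeholder for the editor's single HTML page.
const EDITOR_HTML = '<!doctype html><title>editor</title><div id="app"></div>';

// Constructed session store; a real server would consult its session storage.
const VALID_SESSIONS = new Set(["s3ss10n-example"]);

// Parse a Cookie header into a name -> value map; values may themselves contain "=".
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (name) out[name] = value;
  }
  return out;
}

function isAuthenticated(cookieHeader) {
  const token = parseCookies(cookieHeader)[SESSION_COOKIE];
  return token !== undefined && VALID_SESSIONS.has(token);
}

// Routing decision for a GET, returned as { status, headers, body } so it can be
// exercised without a socket. Only the two constant paths are ever used as a
// redirect target, so there is no open-redirect surface here.
function route(pathname, cookieHeader) {
  const authed = isAuthenticated(cookieHeader);
  if (pathname === APP_PATH && !authed) {
    return { status: 302, headers: { Location: LOGIN_PATH }, body: "" };
  }
  if (pathname === LOGIN_PATH && authed) {
    return { status: 302, headers: { Location: APP_PATH }, body: "" };
  }
  if (pathname === APP_PATH || pathname === LOGIN_PATH) {
    return {
      status: 200,
      headers: { "Content-Type": "text/html; charset=utf-8" },
      body: EDITOR_HTML,
    };
  }
  return { status: 404, headers: { "Content-Type": "text/plain" }, body: "not found" };
}

// Client-side counterpart for the pushState variant: the URL to push into history
// while the login prompt is showing, and the one to restore afterwards. Query string
// and hash are kept so the editor's own hash routing still works.
// In the browser: history.pushState(null, "", loginHref(location.href)).
function loginHref(currentHref) {
  const u = new URL(currentHref);
  u.pathname = LOGIN_PATH;
  return u.href;
}

function appHref(currentHref) {
  const u = new URL(currentHref);
  u.pathname = APP_PATH;
  return u.href;
}

// Minimal server wiring; only started on request so the module stays importable.
function startServer(port) {
  const http = require("http");
  return http
    .createServer((req, res) => {
      const { pathname } = new URL(req.url, "http://localhost");
      const r = route(pathname, req.headers.cookie);
      res.writeHead(r.status, r.headers);
      res.end(r.body);
    })
    .listen(port);
}

if (process.env.LOGIN_DEMO_PORT) {
  startServer(Number(process.env.LOGIN_DEMO_PORT));
}
```

Run it with `LOGIN_DEMO_PORT=1880 node login-url.js` (filename assumed) and fetch `/` without a cookie to see the redirect to `/login`. Whether a given password manager then treats `/login` as the login page is heuristic on the extension's side, which is the research the thread asks for; the server-side part is just the two redirects.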