Logon authentication and token expiry

Initially I installed and used NR without any logon requirements. It worked OK.
Then I established an admin user and a hashed pwd in settings.js. It worked OK the first time I tried, I was asked to type in the username and the pwd and everything was fine.

But the next time (next day) I opened the NR web page, it did not ask for any login data. It just went straight into the editor as if no adminAuth existed.
I first assumed this could be because Chrome remembered (cached?) these credentials, so I went into Chrome settings and deleted them. But still NR logs in as if nothing has happened - not asking for credentials.
Then I added sessionExpiryTime=100 assuming that some kind of token was responsible for the authentication. But after restarting NR, logging in, then out, waiting 10 minutes, logging in again - it still does not ask for username/password.

What am I missing here?

You can find the answer in the last post of this thread:

Many thanks for your reply - which I will explore (hoping that this file doesn't have to be deleted more than once?)
Anyway, I also played around with the sessionExpiryTime as mentioned, and it appears to do what I expected as long as the browser's credential cache is cleared once. Thereafter, the browser shows the logon dialog if the token has expired, even if "remember password" was accepted in an earlier session, in which case the browser just offers to fill in username/pwd for me.
Is this behaviour as you too would expect, or have I overlooked something? In which case there seems to be no need to delete the ~/.node-red/.sessions.json file? (whatever additional purposes this file may have).

The better approach is to use a proxy to access Node-RED and to do authentication, authorisation and access control there. This will give you access to more flexible and more mature capabilities.

The browser offering to auto-fill in your password is nothing to do with the node-red session - that's just Chrome trying to be helpful.

If you tell Chrome to 'forget' the credentials, it doesn't log you out - it just tells Chrome to forget the username/password you used previously so it can't try to auto-fill the login form for you. The actual session is maintained by a token in localStorage within the browser. That token is valid for sessionExpiryTime seconds.

In the other thread, the requirement was to log the user out when the browser window was closed. We don't have any way to tie closing the window to invalidating the token - the only way to invalidate a token (without the user explicitly logging out) is to delete the .sessions.json file and restart Node-RED, as that will remove all tokens.

I've seen you make this comment a couple of times. If you have feedback on the authentication available via Node-RED, then please do share. Telling users to ignore what we provide and use something else doesn't really help us.


It is a matter of focus - using a proxy to provide authentication and authorisation services for a microservice like Node-RED is a sensible option. Such features have been developed over a long time and often by teams with specific security experience.

Node-RED, on the other hand, is a general purpose, low-code development platform. Is it reasonable that it is "best" at everything? I think not.

Do you have access to security specialists? Or time/money to get full security testing done? No, and no reason why you should. This is not a criticism of Node-RED; the security features of Node-RED provide a perfectly serviceable feature set for basic use. However, it is not a comprehensive security solution.

So my comments are not meant to detract from what Node-RED does and does very well. They are meant to help people with requirements that go beyond what Node-RED is currently good at find a sensible, secure and workable solution.

Security is a specialist area. It is very hard to get right and very easy to break. Personally, I would much rather that all who are involved with the development of Node-RED focus on the important things that should be core and leave things that require specialist knowledge and specialist testing to services that are better placed to do just that. Because of this, security also needs to be multi-layered so even if Node-RED provides some built-in security, that may not mean that other services are not also required.

This is by no means unique to Node-RED so I'll reiterate that this is not a criticism of Node-RED or its development priorities. I have the same recommendations for many other services both in my professional and non-professional work.

PS: for others reading this who don't know me, yes, part of my professional work is around IT security and governance.

I couldn't agree more! :clap:

Now to my next issue (having solved step #1 with your assistance): when I added logon capability using adminAuth, my flows stopped working :no_mouth:
I use the http request node to retrieve the NR settings, but now it only returns "unauthorized", even though I have added the Basic Authentication setting and provided the NR username/pwd:


Can you please help me with this?

Node-RED doesn't use basic authentication to secure the admin API.

You have to obtain an access token and use that in your requests. Details here: https://nodered.org/docs/api/admin/oauth
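The token flow described in that answer, as an added example (not code from the Node-RED project or this thread): the password grant against `/auth/token` as documented at the link above, the returned token sent as a Bearer header to `/settings`, and an explicit revoke for logout. The base URL, username and password are placeholder assumptions, and `fetchImpl` is injectable only so the client can be exercised offline.

```javascript
// Added example: Node-RED admin API token flow (password grant), per
// https://nodered.org/docs/api/admin/oauth. Base URL and credentials are
// placeholders; pass your own. fetchImpl defaults to the global fetch.
async function getAdminToken(baseUrl, username, password, fetchImpl = fetch) {
  // The admin API expects a form-encoded OAuth password grant, not Basic auth.
  const body = new URLSearchParams({
    client_id: 'node-red-admin',
    grant_type: 'password',
    scope: '*',
    username,
    password,
  });
  const res = await fetchImpl(`${baseUrl}/auth/token`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  });
  if (!res.ok) throw new Error(`token request failed: HTTP ${res.status}`);
  const json = await res.json();
  // expires_in is in seconds (it tracks sessionExpiryTime); keep an absolute
  // expiry so a long-running flow can re-authenticate before the token lapses.
  return { token: json.access_token, expiresAt: Date.now() + json.expires_in * 1000 };
}

async function getSettings(baseUrl, token, fetchImpl = fetch) {
  // Every admin API call carries the token as a Bearer header.
  const res = await fetchImpl(`${baseUrl}/settings`, {
    headers: { Authorization: `Bearer ${token}` },
  });
  if (res.status === 401) throw new Error('unauthorized: token missing, expired or revoked');
  if (!res.ok) throw new Error(`settings request failed: HTTP ${res.status}`);
  return res.json();
}

async function revokeAdminToken(baseUrl, token, fetchImpl = fetch) {
  // Explicit logout: the server forgets the token, so it cannot be reused
  // even if it is still stored somewhere client-side.
  const res = await fetchImpl(`${baseUrl}/auth/revoke`, {
    method: 'POST',
    headers: { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' },
    body: JSON.stringify({ token }),
  });
  return res.ok;
}

// Usage (placeholders): const { token } = await getAdminToken('http://localhost:1880', 'admin', 'secret');
//                       const settings = await getSettings('http://localhost:1880', token);
```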

Thank you. That solved it :slight_smile:
