Hi, I'm starting an experiment / evaluation of FlowFuse and Node-RED in our organisation, initially with a local installation of Node-RED. We have some internal APIs that we need to call, and these are secured by JSON Web Tokens (JWTs), issued by a token issuing API.
Node-RED flows need to send a request, signed with a private key, to the token issuing service, and can then use the token in an HTTP header to call the other APIs. I have this working in vanilla Node RED, so far so good, though I needed to import a NodeJS module and write a function node. The issue is how to safely store and administer the private key, which may be specific to a FlowFuse Application. I'm currently storing this as a file in a specific folder on the server, and having the flow load it at runtime, but this only restricts the key to the account Node-RED is running under, rather than restricting it to specific flows..
Is there any feature in FlowFuse that would allow a secure and more scalable way of managing these keys? How would I handle this if we were deploying this on a FlowFuse cloud instance?
Many thanks for any suggestions!
Hi Steve.
You can use Environment Variables set in the FlowFuse instance settings.
You can then pick that up and use it in your Node-RED instance, e.g., in your current function call:
const KEY = env.get('MY_PRIVATE_KEY')
// do what you need with the hey
return msg
The ENV VAR will only be available to that one instance (not "gettable" from other node-red instances)
Does that help?
Hi, yes, that's helpful, thanks. Is the idea then that the FlowFuse Admin manages those environment variables (including the private keys) through the FlowFuse administration console? Sorry for the very basic questions - for internal process reasons I'm waiting for access to the infrastructure to do a proper FlowFuse installation and I can't use a cloud instance at this stage, so I may not yet have understood the product properly.
Hi Steve,
Currently Members and Owners are the only ones that are able to edit environment variables.
Viewers will be able to see the contents of an Environment Variable, but not be able to edit. There is a feature request to add some view restrictions. Feel free to comment or like if you would like to see this prioritized.
Role-base Access Control
Hi Steve-Mcl, as a late follow-up to this message, I now have a FlowFuse instance to evaluate, and I've run into an "interesting" problem with using environment variables in the way you suggest. The private keys I have to make visible in a NodeRED instance are in PEM format (i.e. multi-line base64 encoded data), and are quite large - a bit over 1.7k in size. The FlowFuse UI to set environment variables seems not to be able to cope with them. Pasting the contents of the file into the edit window seems to remove newlines from the data and truncate it, and importing a .env file containing the key name and value actually results in the key being split into more than one variable. Is there an alternative approach you can suggest, and should I report this as a FlowFuse bug?
Hi @stevemot
Please do raise an issue: Issues · FlowFuse/flowfuse · GitHub
I can see we use a text input for the env var form, which will be stripping newlines. I can't see any reason for us not to support newlines in those values.
Nick
Many thanks Nick, I have raised one: #3972.