[Minor Update] alternate-node-red-uibuilder v4.1.1

Hi all, earlier today, I published a minor update to uibuilder.


  • Issue #151If the advanced option to "Show web view of source files" is selected, also show a link to the webpage.


  • Issue #149 If security is turned on, you can now run without Node-RED using TLS even in production. This is because you may wish to provide TLS via a reverse proxy.

    You still get a warning in the editor though.

  • Moved back-end libraries from nodes folder to nodes/libs to keep things tidier (especially if additional nodes added in the future)

  • Add simple debug function to web.js to allow the ExpressJS routing stack to be dumped to stdout


  • Issue #150 Switching between src and dist folders using the new advance option - now works without having to restart Node-RED. Existing routes are removed first then re-added.
  • Common folder is only served once (previously it was added to the ExpresJS router stack once for each node instance).

I've now started work again on the security features.

These updates are in an offline repo at the moment as I continue to work though the complexities. I will push up to GitHub at some point.


  • security improvements:

    • When security is active, pass flag to front-end. Use uibuilder.get('security') to get the current status. The flag is passed on the initial connection message from the server.

    • uibuilderfe.js

      • New security flag
      • Only run security related functions when security flag is active
      • Add some bootstrap_vue toast warnings to match the console output warnings (only does anything if you are using bootstrap-vue, otherwise does nothing)
    • security.js

      • Add security flag to initial control message to client
      • Prevent client from sending msgs if security is on but client not authorised
    • uiblib.js

      • Start to work on blocking msgs from node-red to client when security is on but client not authorised. WARNING: NOT WORKING YET messages will always get through.
      • sendControl() - make Socket.ID optional.
      • authCheck() - change from socket parameter to socketId to make it easier to call from more places. Also add more extensive _auth and _auth.id checks.
      • logon() - change warnings to remove note about not permitted in production as this is no longer the case (see change notes for v4.1.1)
    • templates/.config/security.js

      • Add 2 new functions jwtCreateCustom and jwtValidateCustom. In readiness for more flexible and secure JWT handling.
    • Tech docs - some minor improvements to the security process docs and bring into line with current process.


  • uiblib.js logon() - Fixed error that prevented logon from actually working due to misnamed JWT property.
1 Like