Thanks, but first I'd be interested to know what I asked in my last post, as that could be the issue.
None of that is in the json since there were no projects involved. Try taking it out.
That's what I thought. The .config.json keeps different settings per project. And the key "activeProject": "Master_flow" determines the project that is launched at start-up.
So to migrate from a projects to non-projects workspace, we need to piece all this data together into the right place.
Still the same with that section taken out unfortunately.
It seems strange that the "mysecret" in .config.json, isn't a hash, it's a single word password
"credentialSecret": "mysecret"
Strange, but it should not matter. As soon as it is set to any string, it will be used as encryption key.
Just to let you know. i reproduced this
pi with projects -> macOS no projects
13 Nov 07:04:33 - [warn] Error loading credentials: SyntaxError: Unexpected token e in JSON at position 0
13 Nov 07:04:33 - [warn] Error loading flows: Error: Failed to decrypt credentials
What steps did you take exactly? What files did you copy? Did you copy and properties from one file to another?
Let me try to explain all the different bits.
Without Projects
- if
credentialSecretis not set in yoursettings.jsfile, then NR will generate a key and store it in.config.jsonat the top level of the object under the name_credentialSecret. This is a long randomly generated string. - if
credentialSecretis set in yoursettings.jsfile, then NR will use that instead. - if it finds
_credentialSecretin.config.jsonandcredentialSecretinsettings.jsthen we assume this is the first time you've run since settingcredentialSecretand the runtime will re-encrypt the credential file usingcredentialSecretand then delete_credentialSecretas it is no longer needed. (Technically it does this migration the first time you hit Deploy after starting it up in this state).
With Projects
- if projects are enabled then it ignores
credentialSecretin your settings file and_credentialSecretin.config.json. - Instead it uses the project-specific credential secret that is also stored in the
.config.jsonfile under theprojects.[name-of-project].credentialSecretproperty.
Migrating from Projects on Device A to Not-Projects on Device B
To do this you need to:
- copy the flow and credential files from the projects subdirectory on Device A onto Device B
- copy the value of
projects.[name-of-project].credentialSecretfrom.config.jsonon Device A tocredentialSecretin thesettings.jsfile on Device B
I know this works cause I've just run a workshop with a room full of developers who were doing pretty much exactly this (albeit Device B is actually an instance running in a Cloud environment).
5 Likes
The value of .credentialSecret from.config.json on Device A is a plain text password, whilst the credentialSecret in the settings.js file is curently a hash. Is that expected?
It may look like a hash but it isn't - it's just a string of characters.
And yes, .config.json contains the project's credentialSecret value in plain text because:
- that is not a file you put in version control
- if we did encrypt it somehow, where would we store the key to decrypt it? We'd have to encrypt that key. But where would we store the key to decrypt that key? And so on.
Well the good news is that it works!!
All my credentials are now accessible.
Thanks everyone.
2 Likes
In my case credentials contains of plaintext characters and were absolutely identical in both cases, but decryption had not worked until I removed manually _credentialSecret from .config on the site where projects were disabled.
@knolleary I would like to draw your attention to the fact that the _credentialSecret is not automatically deleted without hit "Deploy" button even if the credentialSecret present in settings.js. Please consider, that sometimes users can't hit "Deploy" button manually to change .config.json because they have only "read" rigths. Sometimes prepared flows.json files just copied to production environment where disableEditor:true setting is activated; On my opinion the behaviour like this is a bug. You shouldn't wait when "Deploy" button will be hit. I believe that _credentialSecret from .config.json have to removed immediately when credentialSecret will appear in settings.js
I've checked Node-RED 1.0.4 and latest from the official docker containers. I think you can simply reproduce this bug - the behaviour is exactly the same as the scenario you had described in your Nov 19th post. Please think to change algorithm and exclude "Deploy" hit from the scenario.
@eitijupaenoithoowohd we can only remove _credentialSecret from .config.json when we know that the credentials file has been re-encrypted according to the credentialSecret value from the settings file. That means rewriting the credentials file, and we only do that when the user hits the Deploy button.
If you are copying flows files onto a system then you need to make sure its settings.js file have the right credentialSecret in it before you run the flows.
If you have previously run Node-RED on that system without a credentialSecret in its settings file, then it will have generated _credentialSecret in the .config.json file and you'll need to either remove the value yourself from the file, or delete the .config.json file.
@knolleary Thank you for your detailed answer.
I have understood that simple solution is not exists and impossible to do re-encryption without "Deploy" hit. And this is the basic problem.
I want to explain. In my case the copied flows files got from a site where projects was enabled and credentialSecret being in .config.json but not in settings.js
I would like to leave my post in this topic to someone, who will have the same problem like me. I hope my experience will be useful.
