Node Red Authentication PW Hash issue

#1

I am trying to apply authentication to my Node-Red. I am able to get the setting.js edited so that it requests Username and PW. I am able to insert a different username, however...using the node-red-admin Hash-pw, I am not able to get the password encryption to work properly. If I copy and paste the encryption from the documentation section of Node-Red.org, it will accept "password", but if I copy and paste the generated hash for my chosen PW, it does not recognize it when I log in. I have tried multiple times and double checked my typing in the hash-pw. Thoughts?

0 Likes

#2

Please list

  1. the actual commands you used
  2. what platform is NR running on?
  3. what OS and release?
  4. what version of NR and node.js?
0 Likes

#3
  1. At the command prompt I used: node-red-admin hash-pw
  2. running on a windows pc
  3. windows 7 professional (6.1.7601)
  4. NR v0.18.7 .js v8.11.3

Thanks

0 Likes

#4

You might want to try upgrading NR since the current version is v0.19.4

0 Likes

#5

That is good advice, but entirely incidental to the question being asked.

@jfehl all I can say is double check you've copied the hash properly. There's not much else that can go wrong with this. You could also try the node command provided in the docs:

Alternative, you can run the following command from within the Node-RED install directory:
node -e "console.log(require('bcryptjs').hashSync(process.argv[1], 8));" your-password-here

0 Likes

#6

So I determined what must have been happening. I have my instances of Node-Red starting on System-Recovery in Task Scheduler. Although I would do a CNTR-C and then (y) to stop the flows, it must have not been stopping Node-Red entirely. I went into Task Scheduler and Stopped Node-Red from there, I then performed all the steps required to generate and copy the hash-pw and everything works fine now. So the error must have been me not completely stopping Node-Red.

All works now as described in the documentation.

Thanks for the help.

0 Likes

#7

Dears I'm new in the forum and I came across this post. Actually what described has happened to me too. What I tryed more is to run more times for the same password: with my surprise, every time hash -pw generates a different hash. There's no way to change this even if node-red is stopped.Cattura
Any suggestion?
When I try node -e "console.log(require('bcryptjs').hashSync(process.argv[1], 8));" your-password-here I got this
`module.js:549
throw err;
^

Error: Cannot find module 'bcryptjs'
at Function.Module._resolveFilename (module.js:547:15)
at Function.Module._load (module.js:474:25)
at Module.require (module.js:596:17)
at require (internal/module.js:11:18)
at [eval]:1:13
at ContextifyScript.Script.runInThisContext (vm.js:50:33)
at Object.runInThisContext (vm.js:139:38)
at Object. ([eval]-wrapper:6:22)
at Module._compile (module.js:652:30)
at evalScript (bootstrap_node.js:463:27)
`
Thanks in advance

0 Likes

Hashing password
#8

That is expected behaviour - the hashing algorithm we use can generate different hashes for the same input. Is that the only issue you are reporting? Or did you have another problem?

As for the node command you ran - what directory were you in when you ran it? Were you in the node-red install directory as the documentation for the command says you need to be?

0 Likes

#9

few info: I'm running node-red on several raspbian releases. Behaviour is always the same.

"That is expected behavior - the hashing algorithm we use can generate different hashes for the same input. Is that the only issue you are reporting? Or did you have another problem?"
would this mean "more possibilities" to discover my password"? ..as the hash let the system rebuild the password, if more hashes can be assigned to one password....
Anyway, that could not be a concrete problem. The problem is that if I use any one of the generated hashes I can not have access to node red. It seems the only one is working is the hash of the exemple for "password".
I ran the alternative command also in .node-red folder and also as root with same results

0 Likes

#10

node -e "console.log(require('bcryptjs').hashSync(process.argv[1], 8));" your-password-here

You have to run the above command from the node-red installation directory. If you run from the home directory ~/.node-red or from another directory it will not work.

See below how it works for me. Click in the image to zoom-in.

Also, be careful when selecting the settings.js you edit to include the password. It has to be the one existing in the user home directory ~/.node-red

0 Likes

#11

Dear All thank you for your replies and I'm sorry for my absence (I was abroad for 2 weeks).
Then, as soon as possible I will come through all the suggestions again to recheck the issue. For now,
I can only show that even if I use the command in the right folder it doesn't work

0 Likes

#12

To quote Andrei from the previous post...

0 Likes

#13

I think the docs could do with a bit of clarification on what is meant by the node-red install directory. For a standard installation on a pi or ubuntu I believe this is /usr/lib/node_modules/node-red.

[Edit] corrected path above

0 Likes

#14

mmmh

0 Likes

#15

On the Pi, the module will be under /usr/lib/node_modules

0 Likes

#16

same as root

0 Likes

#17

Is there a node-red directory under /usr/lib/node_modules ? If so, that is the directory you should be in

0 Likes

#18

Yes, sorry, should be /usr/lib/node-modules/node-red as @knolleary says. Fingers not doing what they are told. I have corrected the previous post.

0 Likes

#19

thank you.
Now it is able to generate hash under

pi@Raspberry:/usr/lib/node_modules/node-red

directory. I'll check if the hash works and let everybody know.

0 Likes

#20

Dears here I am with my results.
Thanks again to knolleary I've done some checks.

With the command

node -e "console.log(require('bcryptjs').hashSync(process.argv[1], 8));" your-password-here

executed in the folder

pi@Raspberry:/usr/lib/node_modules/node-red/

the generated hash works.

Anyway, I underline that the reference settings.js file I used is the one in

pi@Raspberry:/home/pi/.node-red/

folder. That in the previous folder seems not to have effect.

Even if some doubts are still in my mind (eg why the hash generated by "node-red-admin hash-pw" command doesn't work and why there are 2 settings.js), for now I have found a solution to make it work. Thanks in advance to those who will clarify the other doubts.

0 Likes