Node-RED http-request node with basic auth seems to be broken in v2.1.4

LeifS · 5 January 2022 13:50

Hello everybody,
it seems that that basic auth is not functional in node http-request.
I use http-request to control und get status from VLC via its Webinterface.
With update from Version 1.3 to 2.1.4 my flows stoped working and debug-node shows http status 401 not authorized.
So I tried the direct URL something like
http://:secret@localhost:8080/requests/status.json
and second the „Basic Authentication“ in config of the http-request node itself.
Both do not work anymore. VLC is some kind of special, because you have set a password in order to enable the Webinterface, but user name is left blank.

The Issue could be related to issue HTTP Request Node, Basic Authentication returns 401 error after NR2.1 upgrade · Issue #3235 · node-red/node-red · GitHub

Thank you in advance and kind regards.

For reconstruction start a VLC with Webinterface, on a Linux System with
cvlc -A alsa --no-dbus -I http --http-host localhost --http-port 8080 --http-password secret udp://@:1234

And use following example-flow

[
    {
        "id": "5964a30c8887d9c8",
        "type": "tab",
        "label": "Test",
        "disabled": false,
        "info": "",
        "env": []
    },
    {
        "id": "d3a4f6238526c582",
        "type": "inject",
        "z": "5964a30c8887d9c8",
        "name": "",
        "props": [
            {
                "p": "payload"
            },
            {
                "p": "topic",
                "vt": "str"
            }
        ],
        "repeat": "",
        "crontab": "",
        "once": false,
        "onceDelay": 0.1,
        "topic": "",
        "payload": "",
        "payloadType": "date",
        "x": 140,
        "y": 120,
        "wires": [
            [
                "8d5324ec5271d9e1"
            ]
        ]
    },
    {
        "id": "8d5324ec5271d9e1",
        "type": "http request",
        "z": "5964a30c8887d9c8",
        "name": "VLC Status",
        "method": "GET",
        "ret": "txt",
        "paytoqs": "ignore",
        "url": "http://localhost:8080/requests/status.json",
        "tls": "",
        "persist": false,
        "proxy": "",
        "authType": "basic",
        "senderr": false,
        "x": 400,
        "y": 120,
        "wires": [
            [
                "40a0d2db8a3b1448"
            ]
        ]
    },
    {
        "id": "40a0d2db8a3b1448",
        "type": "debug",
        "z": "5964a30c8887d9c8",
        "name": "",
        "active": true,
        "tosidebar": true,
        "console": false,
        "tostatus": false,
        "complete": "true",
        "targetType": "full",
        "statusVal": "",
        "statusType": "auto",
        "x": 590,
        "y": 120,
        "wires": []
    }
]

Environment
npm 8.1.2
Node-RED Version: v2.1.4
Node.js Version: v16.13.1
Host: RaspPi 3B bullseye

hardillb · 5 January 2022 14:00

Just to be clear there is no username here, just a password?

And what happens if you set a username?

LeifS · 5 January 2022 14:46

Hi,
yes a "user name" can not be specified for VLC instance, only a password
if you pass anything in the request eg 'noname' as user you always get a 401 from vlc.

hardillb · 5 January 2022 15:12

OK, the node looks to accept just a password either as a configured auth variable or in the URL. So we need to check what exactly vlc is expecting because looking at the code it is doing what I would expect it to do.

github.com

node-red/node-red/blob/aaa2b4c3db0f8bba9e2de909de8e1c97f15cdab4/packages/node_modules/@node-red/nodes/core/network/21-httprequest.js#L300-L307

    
      
          if (this.authType === "basic") {
              // Workaround for https://github.com/sindresorhus/got/issues/1169 (fixed in got v12)
              // var cred = ""
              if (this.credentials.user || this.credentials.password) {
                  // cred = `${this.credentials.user}:${this.credentials.password}`;
                  opts.headers.Authorization = "Basic " + Buffer.from(`${this.credentials.user}:${this.credentials.password}`).toString("base64");
              }
              // build own basic auth header

LeifS · 5 January 2022 17:52

I agree with you the NR code seems to be correct .
Is there something I can do? eg implement a function node which delivers more details. Or do the http request within a function node as work around

LeifS · 5 January 2022 18:16

@hardillb thanks for your investigation. it took me a step deeper
I run tcpdump for port 8080 and got the base64 string dW5kZWZpbmVkOnNlY3JldA== for the request. It decodes to undefined:secret.
I would propose at some point "this.credentials.user" should be initialized. (and same for .password)

dceejay · 5 January 2022 19:13

Can you capture one that works also ? Does the : exist on the password only one ?

LeifS · 5 January 2022 19:20

captured from a browser request
base64 OnNlY3JldA==
plain :secret

I think the delimiter : is always a part of the auth string

dceejay · 5 January 2022 19:21

So yes. We “just” need to ensure the user is “” (empty string) and not undefined

hardillb · 5 January 2022 21:00

Issue raised

github.com/node-red/node-red

HTTP-request node fails to authenticate when username or password is empty

opened 08:54PM - 05 Jan 22 UTC

hardillb

needs-triage

### Current Behavior Basic Auth should base64 encode `username:password` but if… either is empty then `undefined:password` or `username:undefined` ends up getting encoded. ### Expected Behavior It should encode an empty string e.g. `:password` or `username:` ### Steps To Reproduce - Tick the use Authentication checkbox - Select basic auth - Leave either the username or password blank Also fails is `username:password@` is prepended to the hostname in the URL ### Example flow ``` [{"id":"f80df7c4fb6a5584","type":"inject","z":"706f8b78.caf304","name":"","props":[{"p":"payload"},{"p":"topic","vt":"str"}],"repeat":"","crontab":"","once":false,"onceDelay":0.1,"topic":"","payload":"","payloadType":"date","x":300,"y":500,"wires":[["56c4fdb246ef2d5e"]]},{"id":"56c4fdb246ef2d5e","type":"http request","z":"706f8b78.caf304","name":"sep creds","method":"GET","ret":"txt","paytoqs":"ignore","url":"http://localhost:1880/auth","tls":"","persist":false,"proxy":"","authType":"basic","senderr":false,"x":440,"y":500,"wires":[["9b07e810c11fc9e8"]]},{"id":"9b07e810c11fc9e8","type":"debug","z":"706f8b78.caf304","name":"","active":true,"tosidebar":true,"console":false,"tostatus":false,"complete":"false","statusVal":"","statusType":"auto","x":650,"y":420,"wires":[]},{"id":"4047bb86ad0fb45f","type":"http in","z":"706f8b78.caf304","name":"","url":"/auth","method":"get","upload":false,"swaggerDoc":"","x":240,"y":600,"wires":[["408e1f651236e5c5","70dee9f832296095"]]},{"id":"408e1f651236e5c5","type":"http response","z":"706f8b78.caf304","name":"","statusCode":"","headers":{},"x":440,"y":560,"wires":[]},{"id":"4adc6a1176b21712","type":"debug","z":"706f8b78.caf304","name":"","active":true,"tosidebar":true,"console":false,"tostatus":false,"complete":"true","targetType":"full","statusVal":"","statusType":"auto","x":800,"y":640,"wires":[]},{"id":"d2a860adbda159bb","type":"inject","z":"706f8b78.caf304","name":"","props":[{"p":"payload"},{"p":"topic","vt":"str"}],"repeat":"","crontab":"","once":false,"onceDelay":0.1,"topic":"","payload":"","payloadType":"date","x":300,"y":440,"wires":[["3d9dc828cc280ee6"]]},{"id":"3d9dc828cc280ee6","type":"http request","z":"706f8b78.caf304","name":"inline creds","method":"GET","ret":"txt","paytoqs":"ignore","url":"http://:foo@localhost:1880/auth","tls":"","persist":false,"proxy":"","authType":"basic","senderr":false,"x":450,"y":440,"wires":[["9b07e810c11fc9e8"]]},{"id":"40df7def57faddde","type":"base64","z":"706f8b78.caf304","name":"","action":"","property":"payload","x":650,"y":640,"wires":[["4adc6a1176b21712"]]},{"id":"70dee9f832296095","type":"change","z":"706f8b78.caf304","name":"","rules":[{"t":"move","p":"req.rawHeaders[3]","pt":"msg","to":"payload","tot":"msg"},{"t":"set","p":"payload","pt":"msg","to":"$split(payload, \" \")[1]","tot":"jsonata"}],"action":"","property":"","from":"","to":"","reg":false,"x":440,"y":620,"wires":[["40df7def57faddde","7e3e5061c605dc56"]]},{"id":"7e3e5061c605dc56","type":"debug","z":"706f8b78.caf304","name":"","active":true,"tosidebar":true,"console":false,"tostatus":false,"complete":"false","statusVal":"","statusType":"auto","x":660,"y":580,"wires":[]},{"id":"b5fe1ffc04185c98","type":"inject","z":"706f8b78.caf304","name":"","props":[{"p":"payload"},{"p":"topic","vt":"str"}],"repeat":"","crontab":"","once":false,"onceDelay":0.1,"topic":"","payload":"","payloadType":"date","x":300,"y":380,"wires":[["54c7baa412cff821"]]},{"id":"54c7baa412cff821","type":"http request","z":"706f8b78.caf304","name":"sep creds","method":"GET","ret":"txt","paytoqs":"ignore","url":"http://localhost:1880/auth","tls":"","persist":false,"proxy":"","authType":"basic","senderr":false,"x":440,"y":380,"wires":[["9b07e810c11fc9e8"]]},{"id":"5d091b403c2d9410","type":"inject","z":"706f8b78.caf304","name":"","props":[{"p":"payload"},{"p":"topic","vt":"str"}],"repeat":"","crontab":"","once":false,"onceDelay":0.1,"topic":"","payload":"","payloadType":"date","x":300,"y":320,"wires":[["67f4d4f2cdfb2e71"]]},{"id":"67f4d4f2cdfb2e71","type":"http request","z":"706f8b78.caf304","name":"inline creds","method":"GET","ret":"txt","paytoqs":"ignore","url":"http://bar:@localhost:1880/auth","tls":"","persist":false,"proxy":"","authType":"","senderr":false,"x":450,"y":320,"wires":[["9b07e810c11fc9e8"]]}] ``` ### Environment - Node-RED version: v2.1.4 - Node.js version: v16.13.1 - npm version: 8.1.2 - Platform/OS: Linux - Browser: Firefox

Pull request to match

github.com/node-red/node-red

Fix basic auth with empty username or password

node-red:master ← hardillb:http-basic-username-only

opened 09:00PM - 05 Jan 22 UTC

hardillb

+2 -0

fixes #3324  - [x] Bugfix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality)  ## Proposed changes Add check for `undefined` values and replace with empty string ## Checklist - [x] I have read the [contribution guidelines](https://github.com/node-red/node-red/blob/master/CONTRIBUTING.md) - [ ] For non-bugfix PRs, I have discussed this change on the forum/slack team. - [x] I have run `grunt` to verify the unit tests pass - [ ] I have added suitable unit tests to cover the new/changed functionality

LeifS · 6 January 2022 06:19

Thank you @hardillb and @hardillb for your fast and constructive support.
I'm quite impressed.

system · 20 January 2022 06:19

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Http-request password - 401 error General	9	5436	10 January 2020
New node for HTTP Basic Auth Share Your Nodes	1	202	13 October 2023
HTTP request Unauthorized when Authentication is required General	2	672	31 July 2020
Http request node issue General http-request	1	208	26 August 2022
Http request with dynamic credentials General http-request	6	653	18 October 2022

Node-RED http-request node with basic auth seems to be broken in v2.1.4

Related Topics