Node-RED http-request node with basic auth seems to be broken in v2.1.4

Hello everybody,
it seems that that basic auth is not functional in node http-request.
I use http-request to control und get status from VLC via its Webinterface.
With update from Version 1.3 to 2.1.4 my flows stoped working and debug-node shows http status 401 not authorized.
So I tried the direct URL something like
http://:secret@localhost:8080/requests/status.json
and second the „Basic Authentication“ in config of the http-request node itself.
Both do not work anymore. VLC is some kind of special, because you have set a password in order to enable the Webinterface, but user name is left blank.

The Issue could be related to issue HTTP Request Node, Basic Authentication returns 401 error after NR2.1 upgrade · Issue #3235 · node-red/node-red · GitHub

Thank you in advance and kind regards.

For reconstruction start a VLC with Webinterface, on a Linux System with
cvlc -A alsa --no-dbus -I http --http-host localhost --http-port 8080 --http-password secret udp://@:1234

And use following example-flow

[
    {
        "id": "5964a30c8887d9c8",
        "type": "tab",
        "label": "Test",
        "disabled": false,
        "info": "",
        "env": []
    },
    {
        "id": "d3a4f6238526c582",
        "type": "inject",
        "z": "5964a30c8887d9c8",
        "name": "",
        "props": [
            {
                "p": "payload"
            },
            {
                "p": "topic",
                "vt": "str"
            }
        ],
        "repeat": "",
        "crontab": "",
        "once": false,
        "onceDelay": 0.1,
        "topic": "",
        "payload": "",
        "payloadType": "date",
        "x": 140,
        "y": 120,
        "wires": [
            [
                "8d5324ec5271d9e1"
            ]
        ]
    },
    {
        "id": "8d5324ec5271d9e1",
        "type": "http request",
        "z": "5964a30c8887d9c8",
        "name": "VLC Status",
        "method": "GET",
        "ret": "txt",
        "paytoqs": "ignore",
        "url": "http://localhost:8080/requests/status.json",
        "tls": "",
        "persist": false,
        "proxy": "",
        "authType": "basic",
        "senderr": false,
        "x": 400,
        "y": 120,
        "wires": [
            [
                "40a0d2db8a3b1448"
            ]
        ]
    },
    {
        "id": "40a0d2db8a3b1448",
        "type": "debug",
        "z": "5964a30c8887d9c8",
        "name": "",
        "active": true,
        "tosidebar": true,
        "console": false,
        "tostatus": false,
        "complete": "true",
        "targetType": "full",
        "statusVal": "",
        "statusType": "auto",
        "x": 590,
        "y": 120,
        "wires": []
    }
]

Environment
npm 8.1.2
Node-RED Version: v2.1.4
Node.js Version: v16.13.1
Host: RaspPi 3B bullseye

Just to be clear there is no username here, just a password?

And what happens if you set a username?

Hi,
yes a "user name" can not be specified for VLC instance, only a password
if you pass anything in the request eg 'noname' as user you always get a 401 from vlc.

OK, the node looks to accept just a password either as a configured auth variable or in the URL. So we need to check what exactly vlc is expecting because looking at the code it is doing what I would expect it to do.

I agree with you the NR code seems to be correct .
Is there something I can do? eg implement a function node which delivers more details. Or do the http request within a function node as work around

@hardillb thanks for your investigation. it took me a step deeper
I run tcpdump for port 8080 and got the base64 string dW5kZWZpbmVkOnNlY3JldA== for the request. It decodes to undefined:secret.
I would propose at some point "this.credentials.user" should be initialized. (and same for .password)

Can you capture one that works also ? Does the : exist on the password only one ?

captured from a browser request
base64 OnNlY3JldA==
plain :secret

I think the delimiter : is always a part of the auth string

So yes. We “just” need to ensure the user is “” (empty string) and not undefined

1 Like

Issue raised

Pull request to match

2 Likes

Thank you @hardillb and @hardillb for your fast and constructive support.
I'm quite impressed.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.