Node-RED token revocation

Hi,
I have Node-RED up and running. I secured Node-RED using a Node-RED token,
getting the token from the
/auth/token
API path and then passing the fetched access token from React in the URL like this:
/?access_token=your_access_token
which is working fine.

But when I try to revoke this token using
/auth/revoke
by passing the token in the header and even in the body,
it is not revoking the token: I'm still able to work with, or use, the same token afterwards.

Please help me find where I'm going wrong.

Can you be more specific please? Which header? What format in the body? Please list out the examples you tried. If you could provide these examples as curl or flow that would be a bonus.

PS: I assume you followed the info in the docs?

Lastly, please provide information about your installation (Node version, Node-RED version,
OS, relevant parts from your settings file, etc.).

Thank you for replying.
Yes, I'm referring to the docs, and I'm using the latest Node-RED version.

The Node-RED settings file auth content:

   adminAuth: {
     type: "credentials",
     users: [
       {
         username: "admin",
         password: "$Xx$xx$xXWtXTja0fB1pzD4sHCMyOCMYz2Z6dNbM6tl8sJogENOMcxxxxxxx.",
         permissions: "*",
       },
     ],
   },

I'm getting the token from this API:

curl http://localhost:1880/auth/token --data 'client_id=node-red-admin&grant_type=password&scope=*&username=admin&password=password'

I'm revoking the token received from the above API in the specific way shown below:

curl --data 'token=A_SECRET_TOKEN' -H "Authorization: Bearer A_SECRET_TOKEN" http://localhost:1880/auth/revoke

So, I'm passing the token in place of A_SECRET_TOKEN, but when I try to log in again using that token I still get to the home screen of Node-RED, where it is expected that it should throw me back to the login screen.

Ok, so firstly, let's clear a couple of things up.

Regarding the auth/revoke API, the data part where you provide the token is for the user to log out,
e.g. --data 'token=SECRET_TOKEN_OF_USER_TO_LOG_OUT'

Secondly, as the SECRET_TOKEN_OF_USER_TO_LOG_OUT may have a + character, you should use --data-urlencode, otherwise they get converted to spaces (need to check if this has changed in node-red/node-js/express since the docs were written),
e.g. --data-urlencode 'token=SECRET_TOKEN_OF_USER_TO_LOG_OUT'

Lastly, sending an auth/revoke request will not instruct the browser to redirect, since the request goes to the server side (Node-RED) and the browser is in client-side/user-land. HOWEVER, if you are successful in revoking the token, operations within Node-RED will not be possible (e.g. clicking an inject will show "Error: unexpected error (401)"), and refreshing the page would take the user to the login screen.

PS: There may be multiple tokens from multiple browsers for the same user. Just because you revoke 1 "admin" account login, does not mean all browsers logged in as "admin" are suddenly revoked.

Full example...

curl --data 'token=SECRET_TOKEN_OF_USER_TO_LOG_OUT' -H "Authorization: Bearer A_LOGGED_IN_USER_SECRET_TOKEN" http://localhost:1880/auth/revoke

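As an added example (not code from the thread or from the Node-RED project): a small Python script that shows why the token has to be percent-encoded in the revoke body, as curl's --data-urlencode does, and a helper that revokes a token and then checks that the server rejects it. The base URL, the constructed sample token and the use of /settings as the authenticated check endpoint are assumptions.

```python
import urllib.request
import urllib.error
from urllib.parse import urlencode, parse_qs

# Constructed sample token: Node-RED tokens are base64-like and can contain '+'.
SAMPLE_TOKEN = "abc+def/ghi=="


def revoke_body(token: str) -> str:
    """Form body for POST /auth/revoke with the token percent-encoded.
    This is what curl --data-urlencode 'token=...' sends on the wire."""
    return urlencode({"token": token})


def token_seen_by_server(body: str) -> str:
    """What an application/x-www-form-urlencoded parser (as used by express)
    recovers from the body: a literal '+' is decoded as a space, so a token
    sent with plain --data arrives altered and matches nothing."""
    return parse_qs(body, keep_blank_values=True)["token"][0]


def revoke_and_verify(base_url: str, admin_token: str, token_to_revoke: str) -> bool:
    """Revoke token_to_revoke using admin_token, then confirm that the revoked
    token is refused with 401 on an authenticated admin endpoint.
    Assumes a running Node-RED at base_url (e.g. http://localhost:1880)."""
    req = urllib.request.Request(
        f"{base_url}/auth/revoke",
        data=revoke_body(token_to_revoke).encode(),
        headers={"Authorization": f"Bearer {admin_token}",
                 "Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        if resp.status != 200:
            return False
    # /settings (assumed) requires a valid token; a revoked one must get 401.
    check = urllib.request.Request(
        f"{base_url}/settings",
        headers={"Authorization": f"Bearer {token_to_revoke}"},
    )
    try:
        urllib.request.urlopen(check)
    except urllib.error.HTTPError as e:
        return e.code == 401  # revoked token is rejected: revocation took effect
    return False  # still accepted: the revoke did not hit the right token


if __name__ == "__main__":
    print(token_seen_by_server("token=" + SAMPLE_TOKEN))       # plain --data
    print(token_seen_by_server(revoke_body(SAMPLE_TOKEN)))     # --data-urlencode
```

Running the main block prints the mangled token first and the intact one second; revoke_and_verify is only meaningful against a live instance.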

I agree, and I am checking this flow only.
So, what is happening in my case is: suppose I received token x from auth/token. I opened Node-RED with that token by passing it in the URL like this, /?access_token=x,
in a separate tab. Now I revoke that token x using auth/revoke, and in response I get 200, i.e. successfully revoked. But after revoking, when I move to the Node-RED tab that was opened with token x (and no other Node-RED project is running), I'm still able to do all the operations, and even after refreshing, the page is not taking me to the login screen.
Is there any other API that I need to call to revoke that token, or am I doing anything wrong?

Are you certain you used --data-urlencode as I explained?

It works for me on NR 3.0.2


Now the token is getting revoked.
Thank you!
