I'm looking for guidance on implementing access control in Node-RED so that users can only access specific flows. My plan is to use a `credentials`-type `adminAuth` strategy for custom authentication, then have `httpAdminMiddleware` read the bearer token to identify the user, and map flow IDs to a per-user access table for filtering. (I am aware the middleware must verify the token's signature and expiry itself rather than trust its claims, and that the filtering has to be enforced on every admin endpoint that reads or writes flows — including bulk deploys — not just the flow list.)
Here is the code I am currently using:
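/**
 * Build a Node-RED `adminAuth` strategy of type "credentials" backed by the
 * `Users` collection.
 *
 * Node-RED calls `users(username)` to look a user up (e.g. when validating an
 * existing token) and `authenticate(username, password)` when a login is
 * attempted; both resolve to `{ username, permissions }` or `null`.
 * `default()` is the identity anonymous requests get — `null` here means no
 * anonymous access.
 *
 * @param opt - strategy options; currently unused, kept for callers that pass it
 */
const AuthStrategy = (opt: unknown) => {
  /** Exactly the shape Node-RED expects back from users()/authenticate(). */
  type AuthUser = { username: string; permissions: string[] };

  /** Project a DB record onto the two fields Node-RED needs — nothing else leaks out. */
  const toAuthUser = (user: { username: string; permissions: string[] }): AuthUser => ({
    username: user.username,
    permissions: user.permissions,
  });

  return {
    type: "credentials",

    // Called once by Node-RED with the settings object. There is nothing to
    // initialise, so the strategy itself is returned. `settings` is
    // deliberately not logged: it holds credentialSecret and similar secrets.
    setup: function (settings: AuthSettings) {
      return this;
    },

    // Look a user up by username.
    // Usernames are normalised to lower case before the query; the same
    // normalisation is applied in authenticate() so that a login and the
    // subsequent token validation resolve to the same record. This assumes
    // usernames are stored lower-cased — confirm against the write path.
    users: function (username: string): Promise<AuthUser | null> {
      if (typeof username !== "string") {
        return Promise.resolve(null);
      }
      const name = username.toLowerCase();
      return Promise.resolve()
        .then(() => Users.findOne({ username: name }, { username: 1, permissions: 1 }))
        .then((user) => (user ? toAuthUser(user) : null));
    },

    // Verify a username/password pair submitted to the login endpoint.
    authenticate: function (username: string, pass: string): Promise<AuthUser | null> {
      // Both values come straight from the request body. Anything that is not
      // a non-empty string is rejected up front so a JSON body such as
      // `{"password": {"$ne": ""}}` cannot become a query operator that
      // matches an arbitrary record.
      if (typeof username !== "string" || typeof pass !== "string" || pass.length === 0) {
        return Promise.resolve(null);
      }
      const name = username.toLowerCase();
      // SECURITY: this matches the submitted password against the stored value
      // verbatim, which only works if passwords are kept in plaintext. Store a
      // salted hash (bcrypt/scrypt/argon2) instead, fetch the record by
      // username only, and verify the hash here with a constant-time compare.
      // The matched record is not logged: it would put user data in the logs.
      return Promise.resolve()
        .then(() => Users.findOne({ username: name, password: pass }, { username: 1, permissions: 1 }))
        .then((user) => (user ? toAuthUser(user) : null));
    },

    // Anonymous access: no default user, so unauthenticated requests are refused.
    default: function (): Promise<AuthUser | null> {
      return Promise.resolve(null);
    },
  };
};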
However, I'm running into a challenge: by default the access token Node-RED issues is an opaque random value (128 random bytes, Base64-encoded) that carries no user information, so the middleware cannot derive the user from the token itself. I need a way to issue and manage custom JWTs that carry the user identity, so the middleware can extract it, instead of the default token. Is there a way to achieve this without modifying the Node-RED core API? Would a custom JWT strategy be feasible for this purpose? Any advice or best practices would be greatly appreciated!