NR Log In Minor Issue

I have a phenomenon that I do not understand but I hope I am not missing something obvious.

I have used @totallyinformation's alternate-node-red-installer and everything is working fine (I even managed to get the systemctl run on boot working) and I have edited the settings.js file as shown in Editor & Admin API security,

    /** To password protect the Node-RED editor and admin API, the following
     * property can be used. See http://nodered.org/docs/security.html for details.
     */
    adminAuth: {
        type: "credentials",
        users: [{
            username: "fred",
            password: "loadsofrandomcharacters",
            permissions: "*"
        }]
    },

and

    /** To password protect the node-defined HTTP endpoints (httpNodeRoot),
     * including node-red-dashboard, or the static content (httpStatic), the
     * following properties can be used.
     * The `pass` field is a bcrypt hash of the password.
     * See http://nodered.org/docs/security.html#generating-the-password-hash
     */
    httpNodeAuth: {user:"fred", pass:"loadsofdifferentrandomcharacters"},

both the same password generated by `node -e "console.log(require('bcryptjs').hashSync(process.argv[1], 8));" apassword` on separate occasions.

The phenomenon is that when I log into node-red in my browser the login box comes up and asks for the user and password but when entered it just keeps coming back again. I then cancel out and I can proceed to edit etc. The Dashboard also requests a login user and password and accepts what I type in.

The password hash in settings.js is exactly the same as generated by the hash script.

Hopefully someone will be able to clue me in to what is wrong. (I have tried the same settings.js file in two other instances of node-red, one created via the standard NR script and one created with alternate-node-red-installer, and they both work as they should, i.e. using the same hash and password.)

I include the startup log in case it makes a difference.

PS I notice that the hash value is different every time the hash creator is run; how does this get translated into the password?

    pi@HomeAutomation:~/nrdevelopment/data $ npm start

    > node-red-userdir@2.0.3 start
    > cd .. && node node_modules/node-red/red.js --userDir ./data

    2 Nov 19:40:56 - [info]

    Welcome to Node-RED
    ===================

    2 Nov 19:40:56 - [info] Node-RED version: v3.0.2
    2 Nov 19:40:56 - [info] Node.js  version: v16.18.0
    2 Nov 19:40:56 - [info] Linux 5.15.74-v8+ arm64 LE
    2 Nov 19:40:58 - [info] Loading palette nodes
    2 Nov 19:41:01 - [info] Worldmap version 2.30.3
    2 Nov 19:41:02 - [info] Dashboard version 3.2.0 started at /ui
    2 Nov 19:41:02 - [info] Settings file  : /home/pi/nrdevelopment/data/settings.js
    2 Nov 19:41:02 - [info] HTTP Static    : /home/pi/nrdevelopment/data/static > /
    2 Nov 19:41:02 - [info] Context store  : 'memoryOnly' [module=memory]
    2 Nov 19:41:02 - [info] Context store  : 'file' [module=localfilesystem]
    2 Nov 19:41:02 - [info] User directory : /home/pi/nrdevelopment/data
    2 Nov 19:41:02 - [warn] Projects disabled : editorTheme.projects.enabled=false
    2 Nov 19:41:02 - [info] Flows file     : /home/pi/nrdevelopment/data/flows.json
    2 Nov 19:41:02 - [info] Server now running at http://127.0.0.1:1880/
    2 Nov 19:41:02 - [info] Starting flows
    2 Nov 19:41:03 - [info] [ui_worldmap:a39466ee.0f6b88] started at /worldmap
    2 Nov 19:41:03 - [info] Started flows
    2 Nov 19:41:03 - [info] [sqlitedb:d5b5bfa2191ec013] opened /media/usbDrive/HomeAutomation.db ok
    2 Nov 19:41:03 - [info] [mqtt-broker:MQTT] Connected to broker: mqtt://192.168.1.21:1883

Hi @Buckskin

We need to try to identify what network request is triggering the password prompt to appear.

Assuming you're using Chrome (although similar steps are possible with other browsers), open up the Developer Tools (View->Developer->Developer Tools) - and then open the 'network' tab.

Then reload the Node-RED editor - you should see all of the network requests being listed. Look for any that get highlighted in red or get a status of 401. If you do spot one, take a note of its 'path' value and share that here.

We use the bcrypt hashing algorithm. It produces a different hash every time by including a random salt as part of the phrase that gets hashed. This helps protect against lookup tables of commonly hashed words/phrases. The most important point is that once hashed, we cannot turn it back into the plain-text password. But it is possible to check whether a given password can hash to the same value - thereby checking if a user has provided the right password or not.
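How the salted check described in the reply above works, as an added example that is not part of the original post or Node-RED's own code. Node's built-in scrypt stands in for bcrypt (an assumption, so the block runs without extra packages); the `$demo$` storage format, the function names and the sample hash are constructed for illustration.

```javascript
// Added illustration: scrypt from Node's built-in crypto stands in for bcrypt.
const crypto = require('node:crypto');

// Hash a password with a fresh random salt; the salt is stored beside the digest.
function hashPassword(password, saltBytes = 16) {
  const salt = crypto.randomBytes(saltBytes);
  const digest = crypto.scryptSync(password, salt, 32);
  return `$demo$${salt.toString('base64')}$${digest.toString('base64')}`;
}

// Verify by re-hashing the candidate with the salt read back from the stored string.
function verifyPassword(candidate, stored) {
  const parts = stored.split('$'); // ['', 'demo', salt, digest]
  if (parts.length !== 4 || parts[1] !== 'demo') return false;
  const salt = Buffer.from(parts[2], 'base64');
  const expected = Buffer.from(parts[3], 'base64');
  if (expected.length === 0) return false;
  const actual = crypto.scryptSync(candidate, salt, expected.length);
  return crypto.timingSafeEqual(actual, expected); // constant-time comparison
}

// A bcrypt string carries the same information in one field sequence:
// version, cost, 22-character salt, 31-character digest.
function parseBcryptHash(hash) {
  const m = /^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/.exec(hash);
  if (!m) return null;
  return { version: m[1], cost: Number(m[2]), salt: m[3], digest: m[4] };
}

// Constructed sample in bcrypt's layout; not the hash of any real password.
const SAMPLE = '$2a$08$' + 'S'.repeat(22) + 'H'.repeat(31);

function demo() {
  const a = hashPassword('apassword');
  const b = hashPassword('apassword');
  return {
    differentHashes: a !== b, // same password, different salts
    bothVerify: verifyPassword('apassword', a) && verifyPassword('apassword', b),
    wrongRejected: !verifyPassword('wrongpassword', a),
    cost: parseBcryptHash(SAMPLE).cost, // the 8 passed to hashSync shows up as "08"
  };
}

console.log(demo());
```

Because the salt travels inside the stored string, either of two different hashes of the same password is valid in settings.js.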

Thank you, that was it. I was getting:

    GET http://192.168.1.20:1880/vendor/monaco/dist/theme/vs-theme.json 401 (Unauthorized)

Changed the entry `theme: "vs-theme",` to `theme: "vs",` and all is well. The settings.js files were obviously NOT the same as I had thought.

Also, thanks for the explanation on bcrypt.
