OAuth works for the admin flow editor but maybe not the node dashboard httpNodeAuth?

Is there really only a single hardcoded user available to protect the dashboard?

https://nodered.org/docs/user-guide/runtime/securing-node-red

HTTP Node security

The routes exposed by the HTTP In nodes can be secured using basic authentication.

The httpNodeAuth property in your settings.js file can be used to define a single username and password that will be allowed to access the routes.

Out of the box - yes (But I could be wrong here - docs don't suggest otherwise).

If it really is only 1:

You can employ a self-catered solution, using your own custom middleware, to do the authentication (I think in settings.js):

function Authenticate(req, res, next) {

    const authHeader = req.headers['authorization'];
    if (!authHeader) {
        // Send the challenge, otherwise browsers never prompt for credentials
        res.set('WWW-Authenticate', 'Basic realm="Node-RED"');
        return res.status(401).send('Authorization header missing');
    }

    const [scheme, credentials] = authHeader.split(' ');
    // Only accept HTTP Basic; with any other scheme (or no space at all)
    // `credentials` is undefined and Buffer.from() would throw
    if (!/^basic$/i.test(scheme) || !credentials) {
        res.set('WWW-Authenticate', 'Basic realm="Node-RED"');
        return res.status(401).send('Unauthorized');
    }
    const decodedCredentials = Buffer.from(credentials, 'base64').toString('utf-8');
    // Split on the first ':' only, the password itself may contain one
    const sep = decodedCredentials.indexOf(':');
    const username = decodedCredentials.slice(0, sep);
    const password = decodedCredentials.slice(sep + 1);

    // someCustomCheck() is your own lookup (users file, DB, ...);
    // compare password hashes in there, not plaintext
    if (sep > 0 && someCustomCheck(username, password)) {
        return next();
    } else {
        res.set('WWW-Authenticate', 'Basic realm="Node-RED"');
        return res.status(401).send('Unauthorized');
    }
}

module.exports = {
   ...
   httpNodeMiddleware:Authenticate,
}

That looks interesting but I found the root cause of my error. When talking about using external authenticators there are two distinct use cases....

  • Protecting the Node-Red flow editor using native adminAuth in the settings.js file (doesn't protect the dashboards). This does not use a reverse-proxy with middleware.
  • Protecting the Node-Red Dashboard 2.0 pages using the multi-tenant with auth plug-in feature. This requires a reverse-proxy and middleware.

Oh! D2 - I don't use it.
(I have tagged dashboard-2 to highlight this)


The other option you have here is to use FlowFuse if it's for professional/industrial use cases. Comes with multi-user security included in all your Node-RED instances and Dashboards.


In my view, you will always be better off using an external proxy to handle authentications and user management. I would never recommend using Node-RED for that except for very simple, mostly home, use cases.

Yeah. I think I have it now. The two different ways of using Authentik (native via adminAuth and Traefik middleware) had me confused a bit when I started. Also, the ability in Node-RED to change the editor root path to something other than "/" makes this easier.

Now I can use the Traefik reverse proxy with path rewriting so that dashboard users hitting ( Path(/) || PathPrefix(/dashboard) || PathPrefix(/outpost) ) ('outpost' being the auth URLs) get sent to the dashboard with user auth,
and administrators wanting to edit the flows can use a newly defined editor path, PathPrefix(/editor), with an alternate auth scheme. This is currently using native adminAuth, but I can switch it to Traefik pretty easily, I think.

Using Dashboard 2 I even get access in Node-RED to the username who is authenticated, which was the original real goal of this whole exercise. I wanted to log who did which button presses.

Thank you all for getting the noob up to speed!


And when using UIBUILDER as well :wink:


Yep, that's exactly the use case for the Dashboard 2.0 user plugins, and there is one available for Authentik if you've not already found it.
