Is there really only a single hardcoded user available to protect the dashboard?
https://nodered.org/docs/user-guide/runtime/securing-node-red
The routes exposed by the HTTP In nodes can be secured using basic authentication.
The httpNodeAuth property in your settings.js file can be used to define a single username and password that will be allowed to access the routes.
Out of the box - yes (But I could be wrong here - docs don't suggest otherwise).
if it really is only 1:
You can employ a self-catered solution, using your own custom middleware, to do the authentication I think in settings.js
function Authenticate(req, res, next) {
const authHeader = req.headers['authorization'];
if (!authHeader) {
return res.status(401).send('Authorization header missing');
}
const [scheme, credentials] = authHeader.split(' ');
const decodedCredentials = Buffer.from(credentials, 'base64').toString('utf-8');
const [username, password] = decodedCredentials.split(':');
if (someCustomCheck(username, password)) {
return next();
} else {
return res.status(401).send('Unauthorized');
}
}
module.exports = {
...
httpNodeMiddleware:Authenticate,
}
That looks interesting but I found the root cause of my error. When talking about using external authenticators there are two distinct use cases....
Oh! D2 - I don't use it.
(I have tagged dashboard-2) to highlight
The other option you have here is to use FlowFuse if it's for professional/industrial use cases. Comes with multi-user security included in all your Node-RED instances and Dashboards.
In my view, you will always be better off using an external proxy to handle authentications and user management. I would never recommend using Node-RED for that except for very simple, mostly home, use cases.
Yeah. I think I have it now. The two different ways of using Authentik (native via authAdmin and Traefik-Middleware) had me confused a bit when I started. Also the ability in node red to change the editor root path to something other than "/" makes this easier.
Now I can use the Traefik reverse proxy with path rewriting to get me where dashboard users hitting ( Path(/) || PathPrefix(/dashboard) || PathPrefix(/outpost) ) ('outpost' being the auth urls) get sent to the dashboard with user auth
and administrators wanting to edit the flows can use a newly defined editor path PathPrefix(/editor) can use an alternate auth scheme. This is currently using native authAdmin but I can switch it to Traefik pretty easily I think.
Using Dashboard 2 I even get access in NodeRed to the username who is authenticated which was the original real goal of this whole exercise. I wanted to log who did which button presses.
Thank you all for getting the noob up to speed!
And when using UIBUILDER as well 
Yep, thats exactly the use case for the Dashboard 2.0 user plugins, and there is one available for Authentik if you've not already found it.
Copyright OpenJS Foundation and Node-RED contributors. All rights reserved. The OpenJS Foundation has registered trademarks and uses trademarks. For a list of trademarks of the OpenJS Foundation, please see our Trademark Policy and Trademark List. Trademarks and logos not indicated on the list of OpenJS Foundation trademarks are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.
The OpenJS Foundation | Terms of Use | Privacy Policy | OpenJS Foundation Bylaws | Trademark Policy | Trademark List | Cookie Policy