Protecting dashboard - Don't work?

gubbfett · 21 August 2022 23:31

I have been playing with node-red this weekend on my local machine, and just launched it to a IIS server i have.

On my local host i ran node-red globally, but in production i'm running it from my www-root (using iisnode). I have an app.js file where i've stolen this code:

var http = require('http');
var express = require("express");
var RED = require("node-red");

// Create an Express app
var app = express();

// Add a simple route for static content served from 'public'
app.use("/",express.static("public"));

// Create a server
var server = http.createServer(app);

// Create the settings object - see default settings.js file for other options
var settings = {
    httpAdminRoot:"/admin",
    httpNodeRoot: "/",
    userDir:"./.nodered/",
	adminAuth:{
		type: "credentials",
        users: [
			{
				username: "admin",
				password: "xxxx",
				permissions: "*"
			}
		]
	},
	httpNodeAuth: {user:"fred",pass:"yyyy"},
	ui: {
		path: "/"
	},
    functionGlobalContext: { }    // enables global context
};

//var settings=require('./settings.js');

// Initialise the runtime with a server and settings
RED.init(server,settings);

// Serve the editor UI from /red
app.use(settings.httpAdminRoot,RED.httpAdmin);

// Serve the http nodes UI from /api
app.use(settings.httpNodeRoot,RED.httpNode);

server.listen(process.env.PORT);

// Start the runtime
RED.start();

I'm not really sure about the black magic goin on with app.use (x2) before server.listen. I know that this is the express way of registering routes, and i suspect it's something here i need to password protect the ui/dashboard?

The admin section works just fine with credentials.

Any suggestions about what to do?

knolleary · 21 August 2022 23:53

When embedding Node-RED into your own app like this, the httpNodeAuth setting doesn't get used.

It is left to you to add whatever authentication you need on the RED.httpNode set of routes.

You can see how the normal version of Node-RED applies the setting here: node-red/red.js at 5365786386e21df74b339a399e854ed89af6394f · node-red/node-red · GitHub

By choosing to embed it into your own app, you are bypassing everything in the file I've linked to and you'll have to reproduce any bits you want yourself.

gubbfett · 22 August 2022 00:05

Thanks! Well, i found this post earlier and it kind of worked. The dashboard did not render properly with selected colors etc, and a refresh gave me an error...

First of i'm not really sure why the admin password protection work why this does not. Second, if someone just have a solution/hack i'd really appreciate it.

I'm not really used to server side javascript (did a bigger project using koa like 3 years ago) nor hosting nodejs on iis, so in my case it just feels like i'm re-inventing wheels.

gubbfett · 22 August 2022 00:11

....aaaaaaaaaand actually reading your post i got it fix'd. Just copied the the function basicAuthMiddleware on line 361 and just copied line 412.

Sorry for quick stupid answer, and huge thanks!

TotallyInformation · 22 August 2022 20:07

Of course, iisnode works like a reverse proxy and integrates to AD/AAD so you shouldn't really need to do anthing with node-red itself to protect your app.

system · 21 September 2022 20:07

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Node-RED - password for ui dashboard Dashboard	10	5582	17 January 2021
How to protect the dashboard with credentials for more than 1 users? Dashboard	20	332	27 February 2024
Login and Password in dashboard (localhost:1880/ui)?! FAQs	20	90470	4 November 2020
Password of dashboard in multiples intances General node-red-dashboard	5	343	30 April 2022
Dashboard credentials with httpNodeAuth Dashboard node-red-dashboard , security	4	346	20 October 2023

Protecting dashboard - Don't work?

Related topics