Protecting dashboard - Don't work?

I have been playing with node-red this weekend on my local machine, and just launched it to an IIS server I have.

On my local host I ran node-red globally, but in production I'm running it from my www-root (using iisnode). I have an app.js file where I've stolen this code:

var http = require('http');
var express = require("express");
var RED = require("node-red");

// Create an Express app
var app = express();

// Add a simple route for static content served from 'public'
app.use("/",express.static("public"));

// Create a server
var server = http.createServer(app);

// Create the settings object - see default settings.js file for other options
var settings = {
    httpAdminRoot: "/admin",
    httpNodeRoot: "/",
    userDir: "./.nodered/",
    adminAuth: {
        type: "credentials",
        users: [
            {
                username: "admin",
                password: "xxxx",
                permissions: "*"
            }
        ]
    },
    httpNodeAuth: {user: "fred", pass: "yyyy"},
    ui: {
        path: "/"
    },
    functionGlobalContext: { }    // enables global context
};

//var settings=require('./settings.js');

// Initialise the runtime with a server and settings
RED.init(server,settings);

// Serve the editor UI from httpAdminRoot (/admin)
app.use(settings.httpAdminRoot,RED.httpAdmin);

// Serve the http nodes UI from httpNodeRoot (/)
app.use(settings.httpNodeRoot,RED.httpNode);

server.listen(process.env.PORT);

// Start the runtime
RED.start();

I'm not really sure about the black magic going on with app.use (x2) before server.listen. I know that this is the express way of registering routes, and I suspect it's something here I need to password protect the ui/dashboard?

The admin section works just fine with credentials.

Any suggestions about what to do?

When embedding Node-RED into your own app like this, the httpNodeAuth setting doesn't get used.

It is left to you to add whatever authentication you need on the RED.httpNode set of routes.

You can see how the normal version of Node-RED applies the setting here: node-red/red.js at 5365786386e21df74b339a399e854ed89af6394f · node-red/node-red · GitHub

By choosing to embed it into your own app, you are bypassing everything in the file I've linked to and you'll have to reproduce any bits you want yourself.
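As an added example (not code from this thread or from the Node-RED project), this is one way to put HTTP Basic authentication in front of the RED.httpNode routes of an embedded instance. The names httpNodeBasicAuth and NODE_HTTP_PASS are hypothetical, and the mounting lines in the trailing comment assume the app.js from the question.

```javascript
const { createHash, timingSafeEqual } = require("crypto");

// Hash both values first so timingSafeEqual always gets equal-length buffers
// and the comparison time does not depend on where the strings differ.
function safeEqual(a, b) {
  const ha = createHash("sha256").update(String(a)).digest();
  const hb = createHash("sha256").update(String(b)).digest();
  return timingSafeEqual(ha, hb);
}

// Returns an Express-style (req, res, next) middleware that lets a request
// through only when it carries the expected Basic credentials.
function httpNodeBasicAuth(user, pass) {
  return function (req, res, next) {
    const header = req.headers.authorization || "";
    const m = /^Basic\s+([A-Za-z0-9+\/=]+)$/i.exec(header);
    if (m) {
      const decoded = Buffer.from(m[1], "base64").toString("utf8");
      const sep = decoded.indexOf(":"); // split on the first ':' only; the password may contain ':'
      if (sep !== -1) {
        // Evaluate both comparisons before combining them, so a wrong
        // username does not short-circuit the password check.
        const okUser = safeEqual(decoded.slice(0, sep), user);
        const okPass = safeEqual(decoded.slice(sep + 1), pass);
        if (okUser && okPass) return next();
      }
    }
    res.statusCode = 401;
    res.setHeader("WWW-Authenticate", 'Basic realm="Node-RED"');
    res.end("Unauthorized");
  };
}

// Mounting in the app.js from the question (assumption: password supplied
// through a hypothetical NODE_HTTP_PASS environment variable):
//   app.use(settings.httpAdminRoot, RED.httpAdmin);   // editor keeps adminAuth
//   app.use(settings.httpNodeRoot,
//           httpNodeBasicAuth("fred", process.env.NODE_HTTP_PASS));
//   app.use(settings.httpNodeRoot, RED.httpNode);
// Express runs middleware in registration order, so the express.static("public")
// route registered earlier on "/" is still served without authentication.
```

Basic credentials are only base64-encoded on the wire, so the site should be served over HTTPS.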

Thanks! Well, I found this post earlier and it kind of worked. The dashboard did not render properly with selected colors etc, and a refresh gave me an error...

First off, I'm not really sure why the admin password protection works while this does not. Second, if someone just has a solution/hack I'd really appreciate it. :)

I'm not really used to server side JavaScript (did a bigger project using koa like 3 years ago) nor hosting nodejs on IIS, so in my case it just feels like I'm re-inventing wheels.

....aaaaaaaaaand actually reading your post I got it fixed. Just copied the function basicAuthMiddleware on line 361 and just copied line 412.

Sorry for quick stupid answer, and huge thanks!

Of course, iisnode works like a reverse proxy and integrates with AD/AAD, so you shouldn't really need to do anything with node-red itself to protect your app.
