Request refresh via API - recheck

Continuing the discussion from Request refresh via API:

I was wondering if maybe some new developments have changed the story in the meantime? Are there now options to do some automated access towards the portal to refresh a node via an automated way?

No, nothing has changed in that regard.

I don't think anyone raised the topic since you last asked, so it simply hasn't been something we've looked at.

I have a working solution now that performs a GitHub-based login and uses the CSRF token for a refresh. Also I found somebody else with the same problem and a similar solution: Automate updating nodes to the Flow Library - Creating Nodes - Node-RED Forum (nodered.org)

Interestingly, he is not using a login at all. Not requiring a login seems to be a security issue to me?

Also, during the automation of the refresh, I stumbled upon the fact that the redirect_uri that is used for the callback to the node-red site is http and not https.
Is this on purpose? I would expect the whole login flow to be https based to prevent man-in-the-middle attacks. So I see a security risk there as well.
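The cleartext callback described above can be checked for automatically when scripting a login. The following is an added example, not part of the original post and not Node-RED project code: it audits an OAuth authorization URL for a non-https `redirect_uri` and a missing `state` value. The function name, the callback host `flows.example.org`, the `client_id` and the loopback exemption are assumptions made for illustration.

```javascript
// Added example: audit an OAuth authorization request before following it.
// Every URL, host and client_id used with this function is a constructed sample.

// Assumption: cleartext callbacks to the local machine are tolerated, since
// that traffic never leaves the host (the native-app loopback case).
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

function auditAuthorizeUrl(authorizeUrl) {
  const findings = [];
  const url = new URL(authorizeUrl);

  if (url.protocol !== "https:") {
    findings.push("authorization endpoint is not https");
  }

  // searchParams.get() returns the percent-decoded value, or null if absent.
  const redirect = url.searchParams.get("redirect_uri");
  if (redirect === null) {
    findings.push("redirect_uri absent: the provider uses the registered callback, audit that registration instead");
  } else {
    let callback;
    try {
      callback = new URL(redirect);
    } catch {
      findings.push("redirect_uri is not an absolute URL");
      return findings;
    }
    if (callback.protocol !== "https:" && !LOOPBACK_HOSTS.has(callback.hostname)) {
      // The authorization code and state come back in this request's query
      // string, so a cleartext callback exposes them on the network path.
      findings.push(`redirect_uri uses ${callback.protocol}//, callback parameters travel in cleartext`);
    }
  }

  if (!url.searchParams.get("state")) {
    findings.push("state parameter absent: the callback cannot be tied to the session that started the login");
  }
  return findings;
}

// Constructed sample: https authorize endpoint, http callback, state present.
const sample = "https://github.com/login/oauth/authorize?client_id=SAMPLE_CLIENT_ID" +
  "&redirect_uri=http%3A%2F%2Fflows.example.org%2Fauth%2Fcallback&state=8f1c2a";
console.log(auditAuthorizeUrl(sample));
```

An empty result means none of the three checks fired; it says nothing about how the server validates the callback.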

It doesn't require a login to request a refresh, but you do need a CSRF token. There is not a lot to gain by putting the refresh request behind a login - it doesn't do anything if there is no update available.

Thanks for highlighting - now fixed.

In general, if you have concerns about security issues, it's best to raise them with us privately rather than air them in a public forum - just in case there is a genuine issue. That allows us to address any potential issue before it is made public and could get exploited.

Good to hear it is already fixed 🙂
In what way can I do the private message? Maybe I overlooked it.

As for the refresh, I assumed you needed a login, since the button only appears when you have logged in.