Continuing the discussion from Request refresh via API:
I was wondering if maybe some new developments have changed the story in the meantime? Are there now options to do some automated access towards the portal to refresh a node via an automated way?
No, nothing has changed in that regard.
I don't think anyone raised the topic since you last asked, so it simply hasn't been something we've looked at.
I have a working solution now that performs a GitHub-based login and uses the CSRF token for a refresh. Also I found somebody else with the same problem and a similar solution: Automate updating nodes to the Flow Library - Creating Nodes - Node-RED Forum (nodered.org)
Interestingly, he is not using a login at all. Not requiring a login seems to be a security issue to me?
Also, during the automation of the refresh, I stumbled upon the fact that the redirect_uri that is used for the callback to the node-red site is http and not https.
Is this on purpose? I would expect the whole login flow to be https based to prevent man-in-the-middle attacks. So I see a security risk there as well.
It doesn't require a login to request a refresh, but you do need a CSRF token. There is not a lot to gain by putting the refresh request behind a login - it doesn't do anything if there is no update available.
Thanks for highlighting - now fixed.
In general, if you have concerns about security issues, it's best to raise them with us privately rather than air them in a public forum - just in case there is a genuine issue. That allows us to address any potential issue before it is made public and could get exploited.
Good to hear it is already fixed.
In what way can I do the private message? Maybe I overlooked it.
As for the refresh, I assumed you needed a login, since the button only appears when you have logged in.
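The `redirect_uri` concern raised in the thread can be checked mechanically before automating a login. The following is an added example, not part of the original posts or the Node-RED site's code; the client id and callback hosts are constructed placeholders, and treating loopback `http` callbacks as acceptable is an assumption of this sketch.

```javascript
// Added example: audit an OAuth authorization URL for a cleartext callback.
// Assumption: http is tolerated only for loopback callbacks (local development).
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

function auditAuthorizeUrl(authorizeUrl) {
  const findings = [];
  let auth;
  try {
    auth = new URL(authorizeUrl);
  } catch {
    return { redirectUri: null, findings: ['authorize URL is not parseable'] };
  }
  if (auth.protocol !== 'https:') {
    findings.push('authorize endpoint is not https');
  }
  // searchParams.get() returns the percent-decoded value, or null if absent.
  const raw = auth.searchParams.get('redirect_uri');
  if (!raw) {
    findings.push('no redirect_uri parameter (provider default applies)');
    return { redirectUri: null, findings };
  }
  let cb;
  try {
    cb = new URL(raw);
  } catch {
    findings.push('redirect_uri is not an absolute URL');
    return { redirectUri: raw, findings };
  }
  if (cb.protocol === 'http:' && !LOOPBACK_HOSTS.has(cb.hostname)) {
    // The authorization code travels in the callback query string.
    findings.push('redirect_uri is http: authorization code returns in cleartext');
  } else if (cb.protocol !== 'https:' && cb.protocol !== 'http:') {
    findings.push(`redirect_uri uses unexpected scheme ${cb.protocol}`);
  }
  return { redirectUri: cb.href, findings };
}

// Constructed sample inputs (client id and callback hosts are placeholders).
const SAMPLES = [
  'https://github.com/login/oauth/authorize?client_id=EXAMPLE&redirect_uri=http%3A%2F%2Fflows.example.org%2Flogin%2Fcallback',
  'https://github.com/login/oauth/authorize?client_id=EXAMPLE&redirect_uri=https%3A%2F%2Fflows.example.org%2Flogin%2Fcallback',
];
for (const s of SAMPLES) console.log(auditAuthorizeUrl(s));
```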