Securing node-red installed as snap package and generating password hash

One of the recommended ways to run node-red locally is installing it from snap.
https://nodered.org/docs/getting-started/local#installing-with-snap

To put in place at least some very basic security (login), the official guide, in particular the part dealing with how to generate a password hash, is here:
https://nodered.org/docs/user-guide/runtime/securing-node-red#generating-the-password-hash

However, there doesn't seem to be a way to do this with node red installed from official snap packages.
The guide says that since version 1.1.0 the admin interface is built in, so to generate a password hash one should run a command

node-red admin hash-pw

I couldn't find a way to pass the arguments to node-red.
After installation there are two commands available: "node-red.desktop-launch" and "node-red.npm".
node-red.desktop-launch does not accept any arguments.
I tried

node-red.npm  run node-red admin

without success.
I also tried

snap run --shell node-red

and ran it from there, but also no success.

Is there a way to generate the pwhash using just a snap installation?

I found a way, although a bit involved:
Get into the snap shell

snap run --shell node-red

Descend into the node red directory tree, something like

cd /snap/node-red/current

and further down to:

cd lib/node_modules/.bin/

The node-red-admin module is located there, so you can run this to generate the password hash

./node-red-admin hash-pw

Is there a simpler, easier way I'm missing?
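
Once the hash printed by hash-pw has been pasted into settings.js, a check like the following confirms that an instance has login enabled and holds a well-formed bcrypt hash rather than a plaintext password. This is an added example, not part of the original posts or Node-RED's own code; `auditAdminAuth` and the sample objects are hypothetical, and it assumes the settings have already been loaded as a plain object.

```javascript
// Added example: audit the adminAuth block of a Node-RED settings object.
// A bcrypt string is "$2a$", "$2b$" or "$2y$", a two-digit cost, "$", then
// 53 characters (22 salt + 31 digest) drawn from ./A-Za-z0-9 (60 in total).
const BCRYPT_RE = /^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$/;

function auditAdminAuth(settings) {
  const auth = settings && settings.adminAuth;
  if (!auth) {
    return ["adminAuth is not set: anyone who can reach the editor can use it"];
  }
  if (auth.type !== "credentials" || !Array.isArray(auth.users)) {
    // Strategy-based auth and function-valued `users` need a different check.
    return ["adminAuth is not a credentials user list: not checked here"];
  }
  const findings = [];
  if (auth.users.length === 0) findings.push("adminAuth.users is empty");
  for (const user of auth.users) {
    const name = user.username || "<no username>";
    const password = String(user.password || "");
    if (!BCRYPT_RE.test(password)) {
      findings.push(`${name}: password is not a complete bcrypt hash ` +
        `(${password.length} chars; plaintext or a truncated paste?)`);
    }
  }
  return findings;
}

// Constructed samples: the hash below only has the right shape, it is not
// the hash of any real password.
const SAMPLE_SECURED = {
  adminAuth: {
    type: "credentials",
    users: [{ username: "admin", password: "$2b$08$" + "A".repeat(53), permissions: "*" }],
  },
};
const SAMPLE_PLAINTEXT = {
  adminAuth: {
    type: "credentials",
    users: [{ username: "admin", password: "classroom123", permissions: "*" }],
  },
};

for (const [label, s] of [["secured", SAMPLE_SECURED],
                          ["plaintext", SAMPLE_PLAINTEXT], ["unset", {}]]) {
  const findings = auditAdminAuth(s);
  console.log(label, findings.length ? findings : "ok");
}
```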

Maybe don't use Snap?! :wink:

What benefits are you getting that override the disbenefits and overheads?

Simplicity of deployment. Freedom from dependency hell. Imagine a classroom scenario of 30 students. I need them to get node-red running. Quick. All on the local network. Running them unsecured means anybody can access anybody else's node-red editor on the LAN.
Do you have a simpler, more straightforward solution than "snap install node-red"?

I've never had any dependency issues with a manual install of node-red personally.

As long as you have node.js on whatever devices the students are using, a script to install node-red locally and create a userDir sub-folder and copy in any default configurations. Depending on the device, just a few minutes and students get to learn how to install. With a central script, it is easily updated to keep things current. Installation is path/to/script/install.sh. Easily automated if you need to keep the devices clean. Let's say you needed to have a clean set of devices each day. You could have a CRON script that deletes the single folder that contains node-red and the userDir and reinstalls. Indeed, if getting the students to run the script, it can also wipe before install. If students wanted to keep their work, they could use a backup script or a pen drive with another script that copies the folder minus the node_modules folder so that the backup only takes a few seconds.

If you want complete control, I'd personally set up a server with VMs. You can reset the VM back to a template and create snapshots if students need to retain work over more than 1 session. Templates easily updated.

Obviously a lot depends on your students (how old, how capable) and your local infrastructure.

Oh, and with a local node-red install, just include a suitable package.json file with appropriate scripts defined. That way, students can start node-red with just npm start. Though you'll probably want to have more control and PM2 will give you that, then you can set up standard npm scripts to start, stop and restart along with showing the logs.

Bear in mind that this is harder to describe than it is for students to use.

I can think of lots of other ways to make a classroom environment safe, easy to manage, easy to use and easy to update. These are just a few thoughts. For example, for less able students, a centrally managed install of node-red with pre-installed (and inaccessible) nodes lets you easily create multiple identical instances. Then there is Docker of course.
