Securing Node-RED: Using a custom HTTP header (tokenHeader) with regular "credentials" adminAuth

Hi,

I just installed a new Node-RED instance. Following the Securing Node-RED page, I enabled the Username/password based authentication (type: "credentials") in settings.js file.

It works well, but unfortunately this method works by passing an Authorization HTTP header including a bearer token. This prevents me from using an .htaccess with a basic auth mechanism, which also uses Authorization as the header name.

This is why I'm looking for a way to use another HTTP header name than Authorization, such as x-nodered-auth or something. Still according to the Securing Node-RED page, it's possible to use a custom token header name with custom authentication tokens:

By default, it will use the Authorization http header and expect a Bearer type token - passing in just the value of the token to the function. If it is not a Bearer type token, then the full value of the Authorization header will be passed to the function, containing both type and value.

To use a different HTTP header, the tokenHeader setting can be used to identify which header to use:

adminAuth: {
    ...
    tokens: function(token) {
        ...
    },
    tokenHeader: "x-my-custom-token"
}

So I tried something like this, but unfortunately, it doesn't work:

adminAuth: {
    type: "credentials",
    users: [
        {
            username: "admin",
            password: "$2a$08$zZWtXTja0fB1pzD4sHCMyOCMYz2Z6dNbM6tl8sJogENOMcxWV9DN.",
            permissions: "*"
        }
    ],
    tokenHeader: "x-my-custom-token"
}

Is there a way to use a custom header name with the regular built-in user/pass authorization method?

Maybe another approach would be to set up a custom user authentication that hooks into the regular authentication? Like:

adminAuth: {
    ...
    tokens: function(token) {
        // hook to regular built-in Node-RED user/pass method
    },
    tokenHeader: "x-my-custom-token"
}

Or maybe it would be possible to specify the header name by passing an option to the Express.js server used by Node-RED, as shown in settings.js:

    /** The following property can be used to pass custom options to the Express.js
     * server used by Node-RED. For a full list of available options, refer
     * to http://expressjs.com/en/api.html#app.settings.table
     */
    //httpServerOptions: { },

Any hints would be greatly appreciated!

Hi @f333f9

Sorry, this may just be my misunderstanding.

Express itself does not have support for .htaccess (at least not natively),
and given Node RED uses Express, this won't work out of the box.

Could you maybe detail your setup, to help clarify what it is you want to achieve, are you using some downstream server to present Node RED?


I think you seem to be mixing up two different mechanisms here. You EITHER have bearer auth or you have BASIC auth, you can't have both. The Authorization header is a standard.

Yes, sorry. Node-RED is behind an Apache reverse proxy handling the basic auth.

Indeed, for now I can't have both since they are in conflict. The conflict arises because both use the Authorization HTTP header. Basic auth (.htaccess) requires the Authorization header (Authorization: Basic <credentials>). However, I don't think the Bearer method used by Node-RED/Express.js requires Authorization as the header name (tbc). Other names should be valid, and my goal is to use one. Node-RED offers an option to change the header name when using a custom auth method, thanks to tokenHeader, but apparently not with the regular credentials method as far as I know.

If you have Apache running, why are you bothering with Node-RED's security? Apache can give you much more and lets you easily have different security for different URLs. It will always be more robust than Node-RED.

You will also be able to add your own headers for logged in users for Node-RED to process if you need to.

My bad:

Clients SHOULD make authenticated requests with a bearer token using
the "Authorization" request header field with the "Bearer" HTTP
authorization scheme. Resource servers MUST support this method.

Source: RFC 6750 - The OAuth 2.0 Authorization Framework: Bearer Token Usage

Authorization should be used with bearer method as well.

Yes, you're totally right. I'm dropping Node-RED's built-in auth.

Thank you both for your insights though! :+1:

