Hi,
I just installed a new Node-RED instance. Following the Securing Node-RED page, I enabled the Username/password based authentication (type: "credentials") in the settings.js file.
It works well, but unfortunately this method works by passing an Authorization HTTP header, including a bearer token. This prevents me from using an .htaccess with a basic auth mechanism, which also uses Authorization as its header name.
This is why I'm looking for a way to use an HTTP header name other than Authorization, such as x-nodered-auth or something. Still according to the Securing Node-RED page, it's possible to use a custom token header name with custom authentication tokens:
By default, it will use the Authorization http header and expect a Bearer type token - passing in just the value of the token to the function. If it is not a Bearer type token, then the full value of the Authorization header will be passed to the function, containing both type and value.

To use a different HTTP header, the tokenHeader setting can be used to identify which header to use:

adminAuth: {
    ...
    tokens: function(token) {
        ...
    },
    tokenHeader: "x-my-custom-token"
}
So I tried something like this, but unfortunately, it doesn't work:
adminAuth: {
    type: "credentials",
    users: [
        {
            username: "admin",
            password: "$2a$08$zZWtXTja0fB1pzD4sHCMyOCMYz2Z6dNbM6tl8sJogENOMcxWV9DN.",
            permissions: "*"
        }
    ],
    tokenHeader: "x-my-custom-token"
}
Is there a way to use a custom header name with the regular built-in user/pass authorization method?
Maybe another approach would be to set a custom user authentication that hooks the regular authentication? Like:
adminAuth: {
    ...
    tokens: function(token) {
        // hook to regular built-in Node-RED user/pass method
    },
    tokenHeader: "x-my-custom-token"
}
Or maybe it would be possible to specify the header name by passing an option to the Express.js server used by Node-RED as shown in settings.js:
/** The following property can be used to pass custom options to the Express.js
 * server used by Node-RED. For a full list of available options, refer
 * to http://expressjs.com/en/api.html#app.settings.table
 */
//httpServerOptions: { },
Any hints would be greatly appreciated!
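
The custom-token mechanism quoted above from the Securing Node-RED page, as an added example that is not part of the original post: a `tokens` function paired with `tokenHeader`, so the admin token travels in its own header and `Authorization` stays free for the Basic auth layer in front. The `NODE_RED_ADMIN_TOKEN` environment variable, the constructed fallback value and the `isValidToken` helper are assumptions made for illustration; the `users` entry is copied from the post.

```javascript
// Added example: a settings.js fragment, not code from the original post.
const crypto = require("node:crypto");

// Assumption: the expected token is provisioned out of band through an
// environment variable; the fallback is a constructed sample value.
const EXPECTED_TOKEN = process.env.NODE_RED_ADMIN_TOKEN || "constructed-sample-token";

const sha256 = (s) => crypto.createHash("sha256").update(String(s)).digest();

// Hypothetical helper: compares fixed-length digests in constant time, so
// neither the token's length nor a matching prefix leaks through timing.
function isValidToken(token) {
    if (typeof token !== "string" || token.length === 0) return false;
    return crypto.timingSafeEqual(sha256(token), sha256(EXPECTED_TOKEN));
}

const adminAuth = {
    type: "credentials",
    users: [
        {
            username: "admin",
            password: "$2a$08$zZWtXTja0fB1pzD4sHCMyOCMYz2Z6dNbM6tl8sJogENOMcxWV9DN.",
            permissions: "*"
        }
    ],
    // Receives the raw value of the header named by tokenHeader.
    // Resolves with a user object (username + permissions) or null.
    tokens: function (token) {
        const user = isValidToken(token)
            ? { username: "admin", permissions: "*" }
            : null;
        return Promise.resolve(user);
    },
    // Custom tokens are read from this header instead of Authorization.
    tokenHeader: "x-my-custom-token"
};

// In a real settings.js, adminAuth sits beside the other exported settings.
if (typeof module !== "undefined") module.exports = { adminAuth };
```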